Rapid Identification of Vulnerabilities in Joomla Patches Enables Speedy Corrections for Users
New Delhi, 10 April, 2018, Paladion, a global cyber defense company, recently discovered vulnerabilities in extensions for the content management system Joomla that could leave users exposed to hackers. As open source software, Joomla has more than 2 million live users and contributors. Its popularity has also prompted other coders and companies to produce more than 8,000 extensions that offer additional handy features. However, in certain cases, use of some of these extensions exposed users to security risks and attacks.
As part of its continual, intensive cybersecurity monitoring and research, Paladion found instances of data not being validated when being exported from Joomla extensions to the CSV file format. Paladion security expert Suresh Narvaneni, who found the flaws, said, “This vulnerability made it possible for an attacker to spread malware via spreadsheets such as Microsoft Excel and LibreOffice Calc. Unauthorized remote machine access was also possible.” Suresh identified the issue in specific Joomla extensions from Acyba and notified Joomla immediately. In addition, a missing validation on a URL field when creating a new company record and a cross-site scripting (XSS) vulnerability were found in the JS Jobs extension from Joom Sky.
Joomla then contacted the developers of the extensions concerned, and the issues were fixed within one day. Joomla also published a note on the vulnerability at https://vel.joomla.org/articles/2140-introducing-csv-injection. The note described how special characters in exported data could be interpreted as formulae (CSV formula injection) or as commands to open programs such as Windows PowerShell. Suresh added, “An additional risk was the exfiltration of data from spreadsheets. Yet another was the tendency of users to ignore security warnings in spreadsheets they believe to be safe because they download them from their own websites.”
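The mitigation side of the CSV formula injection described above, as an added example that is not code from Paladion, Joomla or the extension vendors named here (written in Python rather than Joomla's PHP for brevity): an export routine that neutralises cells whose leading character a spreadsheet would treat as the start of a formula, plus a scanner that flags such cells in an existing export. The trigger set and the sample rows are assumptions constructed for the example.

```python
"""Defensive CSV export: neutralise spreadsheet formula injection.

Added example (not from the article or the projects it names). A cell is
"formula-like" when its first character makes Excel or LibreOffice Calc
evaluate it instead of displaying it. The fix is to prefix such cells with
an apostrophe, which both applications render as literal text, and to quote
every field so the prefix survives a naive CSV parser.
"""
import csv
import io

# Assumed trigger set: leading characters commonly cited as starting a
# formula, plus tab and carriage return, which can separate a cell from one.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value) -> str:
    """Return a value that is safe to write into a CSV opened in a spreadsheet."""
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_TRIGGERS):
        # Apostrophe forces text rendering; it is not a CSV special character.
        text = "'" + text
    return text


def export_rows(rows, header):
    """Serialise rows to CSV text with every cell neutralised and quoted."""
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow([neutralize_cell(h) for h in header])
    for row in rows:
        writer.writerow([neutralize_cell(c) for c in row])
    return buf.getvalue()


def audit_csv(text: str):
    """Detection side: (row, column) of every formula-like cell in an export."""
    findings = []
    for r, row in enumerate(csv.reader(io.StringIO(text))):
        for c, cell in enumerate(row):
            if cell.startswith(FORMULA_TRIGGERS):
                findings.append((r, c))
    return findings


if __name__ == "__main__":
    # Constructed sample: a benign formula, a phone number and a handle show
    # that legitimate "+" and "@" values are also prefixed (a known trade-off).
    sample = [["Acme Ltd", "=SUM(1,2)"], ["+44 20 7946 0000", "@acme"]]
    print(export_rows(sample, ["company", "website"]))
```

The apostrophe also lands on legitimate values such as phone numbers starting with "+", so numeric columns should be exported as numbers rather than strings where the format allows it.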
Paladion is a global cyber defense company that provides Managed Detection and Response Services, DevOps Security, Cyber Forensics, Incident Response, and more by tightly bundling its semi-autonomous cyber platform and managed services with leading security technologies. Paladion is consistently rated and recognized by leading independent analyst firms, and awarded by CRN, Asian Banker, Red Herring, amongst others. For 17 years, Paladion has been actively managing cyber risk for over 700 customers from its six cyber operations centers placed across the globe.