Joomla Privilege Escalation

COMODO WAF can’t stop an old bug in Joomla that gives privilege escalation.
Tonight we saw a client being attacked by this, and COMODO WAF couldn’t do anything, but Atomic can.

The attack is this:
http://jeffchannell.com/Joomla/joomla-161725-privilege-escalation-vulnerability.html

Here are the logs, and I changed the site name to “site-name.com” for security reasons, of course.

The logs:
181.41.209.16 - - [19/Jun/2014:04:41:19 +0100] "GET /site/administrator/ HTTP/1.1" 200 1854 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
1403149285.388 344 .
181.41.209.16 - - [19/Jun/2014:04:41:25 +0100] "POST /site/administrator/index.php HTTP/1.1" 303 0 "http://www.site-name.com/site/administrator/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:30:56 +0100] "GET /site/index.php/pt/component/users/?view=registration HTTP/1.1" 200 10152 "Redirect Notice" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:31:07 +0100] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:31:09 +0100] "GET /favicon.ico HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:31:51 +0100] "GET /administrator HTTP/1.1" 404 - "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:32:00 +0100] "GET /site/administrator/ HTTP/1.1" 200 4440 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:33:43 +0100] "POST /site/index.php/pt/component/users/?task=registration.register HTTP/1.1" 303 - "http://www.site-name.com/site/index.php/pt/component/users/?view=registration" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:33:44 +0100] "GET /site/index.php/pt/component/users/?view=registration HTTP/1.1" 200 10500 "http://www.site-name.com/site/index.php/pt/component/users/?view=registration" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:34:58 +0100] "POST /site/index.php/pt/component/users/?task=registration.register HTTP/1.1" 303 - "http://www.site-name.com/site/index.php/pt/component/users/?view=registration" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:34:59 +0100] "GET /site/index.php/pt/component/users/?view=registration&layout=complete HTTP/1.1" 200 6929 "http://www.site-name.com/site/index.php/pt/component/users/?view=registration" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:41:25 +0100] "POST /site/administrator/index.php HTTP/1.1" 303 - "http://www.site-name.com/site/administrator/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:41:26 +0100] "GET /site/administrator/index.php HTTP/1.1" 200 23726 "http://www.site-name.com/site/administrator/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:41:49 +0100] "GET /site/administrator/index.php?option=com_media HTTP/1.1" 200 24174 "http://www.site-name.com/site/administrator/index.php" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:42:07 +0100] "GET /site/administrator/index.php?option=com_templates HTTP/1.1" 200 29071 "http://www.site-name.com/site/administrator/index.php?option=com_media" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:42:26 +0100] "GET /site/administrator/index.php?option=com_templates&view=templates HTTP/1.1" 200 25041 "http://www.site-name.com/site/administrator/index.php?option=com_templates" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:42:46 +0100] "GET /site/administrator/index.php?option=com_templates&view=template&id=500 HTTP/1.1" 200 6910 "http://www.site-name.com/site/administrator/index.php?option=com_templates&view=templates" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:43:07 +0100] "GET /site/administrator/index.php?option=com_templates&task=source.edit&id=NTAwOmVycm9yLnBocA== HTTP/1.1" 303 - "http://www.site-name.com/site/administrator/index.php?option=com_templates&view=template&id=500" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:43:25 +0100] "GET /site/administrator/index.php?option=com_templates&view=source&layout=edit HTTP/1.1" 200 11026 "http://www.site-name.com/site/administrator/index.php?option=com_templates&view=template&id=500" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:44:07 +0100] "POST /site/administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303 - "http://www.site-name.com/site/administrator/index.php?option=com_templates&view=source&layout=edit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:44:08 +0100] "GET /site/administrator/index.php?option=com_templates&view=source&layout=edit HTTP/1.1" 200 42147 "http://www.site-name.com/site/administrator/index.php?option=com_templates&view=source&layout=edit" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
181.41.209.16 - - [19/Jun/2014:04:44:29 +0100] "GET /site/templates/atomic/error.php HTTP/1.1" 200 384 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0"
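What a log monitor or correlation rule would key on in the quoted log is the sequence per client IP: a frontend self-registration POST, then a 200 from the administrator backend a few minutes later, then a POST to the template editor. The script below is an added example, not part of this thread and not a Comodo or Atomic rule; it parses Apache combined-format lines and flags that sequence. The sample lines are constructed from the thread's log (same IP, paths and timestamps, user-agent shortened) plus a made-up client 10.0.0.5 that only registers, to show a non-match. The 30-minute window is an assumed tuning value.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample: the thread's log lines trimmed to one short user-agent,
# plus a second, made-up client (10.0.0.5) that registers and does nothing else.
SAMPLE_LOG = """\
181.41.209.16 - - [19/Jun/2014:04:41:19 +0100] "GET /site/administrator/ HTTP/1.1" 200 1854 "-" "Mozilla/5.0"
181.41.209.16 - - [19/Jun/2014:04:30:56 +0100] "GET /site/index.php/pt/component/users/?view=registration HTTP/1.1" 200 10152 "Redirect Notice" "Mozilla/5.0"
181.41.209.16 - - [19/Jun/2014:04:34:58 +0100] "POST /site/index.php/pt/component/users/?task=registration.register HTTP/1.1" 303 - "http://www.site-name.com/site/index.php/pt/component/users/?view=registration" "Mozilla/5.0"
181.41.209.16 - - [19/Jun/2014:04:41:25 +0100] "POST /site/administrator/index.php HTTP/1.1" 303 - "http://www.site-name.com/site/administrator/" "Mozilla/5.0"
181.41.209.16 - - [19/Jun/2014:04:41:26 +0100] "GET /site/administrator/index.php HTTP/1.1" 200 23726 "http://www.site-name.com/site/administrator/" "Mozilla/5.0"
181.41.209.16 - - [19/Jun/2014:04:44:07 +0100] "POST /site/administrator/index.php?option=com_templates&layout=edit HTTP/1.1" 303 - "http://www.site-name.com/site/administrator/index.php?option=com_templates&view=source&layout=edit" "Mozilla/5.0"
181.41.209.16 - - [19/Jun/2014:04:44:29 +0100] "GET /site/templates/atomic/error.php HTTP/1.1" 200 384 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Jun/2014:05:10:00 +0100] "POST /site/index.php/pt/component/users/?task=registration.register HTTP/1.1" 303 - "-" "Mozilla/5.0"
10.0.0.5 - - [19/Jun/2014:05:10:05 +0100] "GET /site/index.php/pt/component/users/?view=registration&layout=complete HTTP/1.1" 200 6929 "-" "Mozilla/5.0"
"""

# Apache "combined" format; the request field is split into method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None for anything else
    (blank lines, or stray fragments such as a bare epoch timestamp)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def detect_registration_to_admin(log_text, window_minutes=30):
    """Flag client IPs whose frontend self-registration is followed, within
    window_minutes (assumed tuning value), by a 200 from the administrator
    backend and a POST to the template editor."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["time"])  # the quoted log is not in time order
        regs = [r for r in recs
                if r["method"] == "POST" and "task=registration.register" in r["path"]]
        if not regs:
            continue
        t0 = regs[0]["time"]
        window = [r for r in recs
                  if 0 <= (r["time"] - t0).total_seconds() <= window_minutes * 60]
        admin_hits = [r for r in window
                      if "/administrator/" in r["path"] and r["status"] == 200]
        template_posts = [r for r in window
                          if r["method"] == "POST" and "option=com_templates" in r["path"]]
        if admin_hits and template_posts:
            findings.append({
                "ip": ip,
                "registered_at": t0,
                "first_admin_200": admin_hits[0]["time"],
                "template_edit_at": template_posts[0]["time"],
                "minutes_to_admin": (admin_hits[0]["time"] - t0).total_seconds() / 60,
            })
    return findings


if __name__ == "__main__":
    for f in detect_registration_to_admin(SAMPLE_LOG):
        print(f"{f['ip']}: registered {f['registered_at']:%H:%M:%S}, administrator backend 200 "
              f"after {f['minutes_to_admin']:.1f} min, template editor POST at "
              f"{f['template_edit_at']:%H:%M:%S}")
```

Run against the sample, only 181.41.209.16 is reported; 10.0.0.5 registers but never reaches the backend, so it is not. A real deployment would feed the whole access log and alert on any hit, since a freshly registered frontend account should never be followed by a successful administrator session from the same client.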

Hi

This is a vulnerability in Joomla.

The solution is to upgrade to Joomla 2.5.3

http://developer.joomla.org/security/news/395-20120303-core-privilege-escalation

I’m not sure why Comodo would be involved?

Garry

Then what is the use of using Comodo WAF when it can’t stop attacks? Comodo has to do everything with it lol

Will be fixed ASAP

Like I said, Atomic Rules (similar to Comodo WAF) stop this kind of attack.
Comodo WAF is for stopping exploits like that.

The solution you mention, Garry, is only for the programmers; for the server manager, it’s the ModSecurity firewall that must stop these exploits.

Thank you TDmitry

Surely it’s also up to you to keep your clients’ Joomla installations up to date with bug fixes and releases to combat such issues… I know I would, and do :-TU

How would you update a Joomla installation when you are the server provider? I want to learn this hidden trick. If you are using a WAF and it’s not stopping attacks or exploits, then what is the use of it? I would like to know for what purpose you are using a WAF on your server. Please elaborate :slight_smile:

Joomla can be updated in several ways.
The end user can update Joomla via FTP, or automatically through the control panel if you have the version in which Joomla introduced that feature.
I’m presently using 2.5.14.
As the owner of the site it’s my responsibility to keep it up to date.
My hosting provider provides a lower version for auto install.

My point is Joomla is not a Comodo product.
If Joomla, or any software provider, has a bug/vulnerability in their software, is it Comodo’s software that should catch it?
IMHO no, because if it is, then Comodo becomes responsible for plugging holes in everything their software runs on.
That’s my perspective, others may disagree. 88)

Or…am I totally misunderstanding something?

Do you even know what “WAF” is used for?

The “COMODO WAF” is for server providers not for website holders.

I think you are on the wrong subforum dude :stuck_out_tongue: :slight_smile:

If I’m wrong so be it… I’m big enough to admit it ;D