Joomla! extensions from RSJoomla! - Blog

A critical flaw in the RSFiles! upload function allows unauthenticated file uploads without enforcing any file extension.

What this means is that any attacker, without having an account on your website, can upload a .php file in your /downloads directory and execute it.

The bottom line is: update immediately to RSFiles! 1.17.12 which fixes this along some other not-reported, but less critical security issues.

Is this exploited in the wild?

Fortunately, at the time of writing, the vulnerability is not public information. It has been privately disclosed by the team at mySites.guru which we thank and recommend - they deliver fantastic services. However, as this is now disclosed, this will be exploited in the wild probably in a few hours after the new version has been released.

How to mitigate this

If you are using RSFirewall!, by default file uploads with a .php extension are silently deleted so you're protected.

Update as soon as possible

Do not rely on firewalls to keep up with this - your immediate action should be to update RSFiles! to the latest release. If updating is not possible, delete /components/com_rsfiles/controllers/rsfiles.php. This will render RSFiles! unusable, but the file contains the affected code so you won't be vulnerable.

Things to check regardless if you're affected or not

  • Any stray .php files in the downloads/ folder and in any other sub-folders;
  • Any stray .php files in the briefcase/ folder and in any other sub-folders;
  • Check if your download folders are secure - go to RSFiles - Settings - Files and tick both the 'Secure download folder' and 'Secure briefcase folder' checkboxes. This will create a file named .htaccess that disallows direct access to these folders, so files will only be served through RSFiles!.
  • Check your server's raw access logs for POST requests pointing to
    index.php?option=com_rsfiles&task=rsfiles.upload that are not preceded by a request to index.php?option=com_rsfiles&task=rsfiles.checkupload

The technical details

mySites.guru has an excellent blog post explaining how this was discovered, what the bug does and how to address this.
Read more

How can CSV files be affected?

Well, technically CSV files are text files - the purpose of a CSV is in its name - Comma Separated Values. The issue is actually a combination of spreadsheet software interpreting values as formulas (thus no longer treating values as plain text) and the tendency of users to ignore security prompts - or to agree to terms and conditions without scrolling through :-)

13 May 2019 in Development
Read more

UPDATE! Bug has been confirmed and will be fixed in Joomla! 3.4.1

We've recently talked about the benefits of Joomla! caching. In the past weeks, we've seen an increase of people using Joomla! caching and that's a good thing - but not without its issues.

Read more

After updating to Joomla! 3.4.0, you may have encountered some extensions that did install in previous Joomla! versions are now throwing the message:

Error
Archive does not exist
Unable to find install package

What is causing the error

Joomla! 3.4.0 introduced a new security feature, scanning uploaded files for potential dangerous code. For example, it scans uploaded archives for PHP code - something that should not be done in the Extensions Installer (com_installer). Fortunately, Joomla! contributors already debugged and fixed this (pull request here) so if you don't want to wait until 3.4.1 is released, read this blog post.

Read more
Tagged with joomla, bug, installer

An issue recently introduced in Joomla! 3.3.4 (pull request here) makes navigating back to the first page impossible when using SEF. When you click to go to the second page and then attempt to go back to the first page, you'll actually stay on the same page. This is because the "limitstart" parameter is missing from the URL due to this cosmetic change (which attempts to avoid duplicate URLs). They're fixing it in the upcoming 3.3.7 release (pull request here).

Read on for instructions on how to fix this.

Read more
Tagged with joomla, bug, pagination