In early April I reported security issues with the update process to the security contact of Joomla. While the issue has been fixed in Joomla 3.6, the communication process was far from ideal.
The issue itself is fairly simple: Until recently Joomla fetched information about its updates over unencrypted and unauthenticated HTTP without any security measures.
The update process works in three steps. First the Joomla backend fetches a file list.xml from update.joomla.org that contains information about current versions. If a more recent version than the one installed is found, the user gets a button that allows him to update Joomla. The file list.xml references a URL for every version with further information about the update, called extension_sts.xml. Interestingly this file is fetched over HTTPS, while – in version 3.5 – the file list.xml is not. However this doesn't help, because the attacker can already intervene at the first step and serve a malicious list.xml that references whatever he wants. In extension_sts.xml there is a download URL for a zip file that contains the update.
Exploiting this for a Man-in-the-Middle attacker is trivial: Requests to update.joomla.org have to be redirected to an attacker-controlled host. Then the attacker can place his own list.xml, which will reference his own extension_sts.xml, which will contain a link to a backdoored update. I have created a trivial proof of concept for this (just place that on the HTTP host that update.joomla.org gets redirected to).
I suppose it should be obvious that software updates are a security sensitive area and need to be protected. Using HTTPS is one way of doing that. Using some kind of cryptographic signature system is another. Unfortunately it seems common web applications are only slowly learning that. Drupal only switched to HTTPS updates earlier this year. It is probably worth checking other web applications that have built-in update processes to see if they are secure (WordPress is secure fwiw).
Now this is how the Joomla developers handled this issue: I contacted Joomla via their webpage on April 6th. Their webpage form didn't have a way to attach files, so I offered to let them contact me via e-mail so I could send them the proof of concept. I got a reply to that shortly after asking for it. This was the only communication from their side. Around two months later, on June 14th, I asked about the status of this issue and warned that I would soon publish it if I didn't get a response. I never got any reply.
In the meantime Joomla had published beta versions of the then upcoming version 3.6. I checked that and noticed that they had changed the update URL from http://update.joomla.org/ to https://update.joomla.org/. So while they weren't communicating with me, it seemed a fix was on its way. I then found that there was a pull request and a Github discussion that started even before I first contacted them. Joomla 3.6 was released recently, therefore the issue is fixed. However the release announcement doesn't mention it.
So all in all I contacted them about a security issue they were already in the process of fixing. The issue itself is therefore solved. But the lack of communication about the issue really doesn't cast a good light on Joomla's security process.
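As an added, defender-side example (not Joomla's own code and not the proof of concept mentioned above), the following Python models the three fetch steps and refuses the chain unless every hop is HTTPS from an expected host. The XML shapes, the allowed host list and the download path are assumptions approximating list.xml and extension_sts.xml, not Joomla's real files.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Hosts an update hop may point at (assumption; adapt to your deployment).
ALLOWED_HOSTS = {"update.joomla.org", "downloads.joomla.org"}

def url_is_trusted(url: str) -> bool:
    """A hop is acceptable only if it is HTTPS *and* on an expected host."""
    p = urlparse(url)
    return p.scheme == "https" and p.hostname in ALLOWED_HOSTS

def check_update_chain(list_url: str, list_xml: str, details_xml: str) -> list:
    """Return the problems found in the three-step chain; [] means it is clean.
    step 1: list.xml fetched from list_url
    step 2: every detailsurl in list.xml (points at extension_sts.xml)
    step 3: every downloadurl in extension_sts.xml (the update zip)
    One insecure hop taints the whole chain: HTTPS on step 2 alone, the
    Joomla 3.5 situation, is not enough because step 1 can already be forged."""
    problems = []
    if not url_is_trusted(list_url):
        problems.append(f"step 1: list.xml fetched from untrusted URL {list_url}")
    for ext in ET.fromstring(list_xml).iter("extension"):
        details = ext.get("detailsurl", "")
        if not url_is_trusted(details):
            problems.append(f"step 2: untrusted detailsurl {details}")
    for dl in ET.fromstring(details_xml).iter("downloadurl"):
        target = (dl.text or "").strip()
        if not url_is_trusted(target):
            problems.append(f"step 3: untrusted downloadurl {target}")
    return problems

# Constructed samples approximating the shape of list.xml and extension_sts.xml.
LIST_XML = (
    '<extensionset name="Joomla" description="Joomla! Core">'
    '<extension name="Joomla" element="joomla" type="file" version="3.6.0"'
    ' detailsurl="https://update.joomla.org/core/sts/extension_sts.xml"/>'
    "</extensionset>"
)
DETAILS_XML = (
    "<updates><update><name>Joomla</name><version>3.6.0</version><downloads>"
    '<downloadurl type="full" format="zip">'
    "https://downloads.joomla.org/constructed/Joomla_3.6.0-Update_Package.zip"
    "</downloadurl></downloads></update></updates>"
)

if __name__ == "__main__":
    # Joomla 3.5 style: list.xml over plain HTTP, details over HTTPS -> rejected.
    print(check_update_chain("http://update.joomla.org/core/list.xml", LIST_XML, DETAILS_XML))
    # Joomla 3.6 style: every hop over HTTPS -> [].
    print(check_update_chain("https://update.joomla.org/core/list.xml", LIST_XML, DETAILS_XML))
```

Transport security on every hop is what the move to https://update.joomla.org/ provides; a signature over the package, the other option named above, would additionally cover a compromised update host.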