The Joomla! Forum ™

Joomla-extension perForms acute at risk.

A botnet operator uses currently a yet unknown vulnerability in the joomla extension perForms, to install an IRC bot. Infected computers can be identified by a running process with name httpdse and an IRC connection outgoing from it. The used programming fault is in the php file components/com_perform/perform.php. It includes external files by the global parameter $mosConfig_absolute_path, without checking for manipulation before. An attacker can under circumstances load arbitrary malcious php code, if the webserver is running with register_globals=on. The botnet uses google to search for other possible victims. According to Nepenthes developer Markus Kötter the botnet currently is about 100 compromised servers and is growing.

A comparable vulnerability was lately discovered in the extension Galleria. Possibly it is also present in other modules. The promlem with vulnerable extentions is allready known by the joomla developers. They recommend to all joomla users, to check php files of theire extensions. They should at the beginning have a line as

defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );

which shoud in case be added when missing. The code secures scripts from a direct call how it is necessary for most exploits. Also it is imperative recommended to run the PHP-webserver with register_globals=off. This setting in php.ini protects from a big part of the known and yet unknown vulnerabilities in in PHP-scripts. (cr/c't)

If already compromised, will inserting

defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );

in all .php files and turning off globals take care of this?

Not sure if anybody already has done this. I have contacted the developer in question about this issue.

Not sure if anybody already has done this. I have contacted the developer in question about this issue.

But what about my content, the forms I´ve created, will they disappear when I uninstall the old one?

I have same problem as Duncans When register globals turned off I cannot get form via the main menu item.

Register globals turned off by adding "php_flag register_globals off" in htaccess files

Any advice and help?

Norman

I have error when try to instal v2. Anyone else with this problem?

If you will open up performs.php in an editor and search for the term "formId", you need to change this to "formid".  Then it will work with register globals = off and with php.ini or your server php configuration set to register globals = off as well.