Joomla! Version: Joomla! 1.0.15 Stable [ Daytime ] 22 February 2008 23:00 UTC
I have not used Joomla before, and am tasked with solving the vulnerability of a server that has been working for a lone time. I have spent a few days poking around at files, and looking to see how things work, reading docs, etc.
I template that goes by the name of "jw_bubblicious" keeps getting config.ini and header.php files put into it. configuration.php had a bunch of php appended to the end of it. Apparently this has happened several times in the past, but only files have been deleted. I am looking to understand this exploit, so I can solve it once and for all.
"jw_bubblicious" seems to have a strange history, the site linked in the xml file is just a spam site now. I can not find a lot about it.
A do not think switching templates is going to make my client happy. Can anyone make any guesses as to how this is happening? It amounts to url's being injected into the pages, via including the config.ini file that contains a huge list of url's.
Does anyone know if "jw_bubblicious" has been taken over by someone else and renamed, or where to go to look to update that file?
Looking at the file, I see SQL code that looks like it would be open to injection attacks.
Code: Select all
$sql = "SELECT m.* FROM #__menu AS m"
. "\nWHERE menutype='". $menutype ."' AND published='1' AND parent=0"
. "\nORDER BY ordering";
Looking at that code, it is wrapped in a function, and $menutype is an argument. Is $menutype sanitized first my Joomla, or is this a vector that could be a problem for me? This of course would only be the database, and I still can not figure out how they were able to write files to the system.
Any suggestions are appreciated.