30 September 2014 Last updated on 30 September 2014

Executive summary: It is possible for a remote attacker to extract a remotely hosted archive while you are extracting a backup archive / installing an update, depending on your server settings. The attack is NOT possible at any other time. Merely having our software installed DOES NOT make your site vulnerable. The vulnerability was discovered and reported by Johannes Dahse of Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany.

Affected software

  • Akeeba Backup for Joomla! Professional, version 3.0.0 up to and including 4.0.2
  • Akeeba Backup Professional for WordPress, 1.0.b1 up to and including 1.1.3
  • Akeeba Solo, 1.0.b1 up to and including 1.1.2
  • Admin Tools Core and Professional, version 2.0.0 up to and including 2.4.4. Later versions are not affected as they do not include the Joomla! update feature.
  • Akeeba CMS Update, version 1.0.a1 up to and including 1.0.1
  • Joomla! 2.5, 3.0, 3.1, 3.2, 3.3 up to and including 3.3.4

Impact

Merely having the affected software installed DOES NOT allow an attacker to compromise (hack) your site. An attacker has to attack at precisely the right moment: while a backup archive or Joomla! update package is being extracted at your site.

Vulnerability disclosure

The affected software use Akeeba Restore (restore.php) to extract backup archives and update packages of the ZIP, JPA and JPS format. In order to protect from abuse by third parties the restore.php file won’t work until the software it’s used with generated a file called restoration.php. That file contains a cryptographic key which is used to authenticate the commands sent to restore.php.

The restoration.php file is created right before a. you extract a backup archive with the integrated restoration feature of Akeeba Backup / Akeeba Solo and b. you extract the Joomla! update package using Admin Tools, Akeeba CMS Update and Joomla! Update. The file is immediately removed after the extraction is complete. When the file is not present the restore.php file refuses any and all commands. Therefore, when you are not extracting a backup archive or updating your site it is not vulnerable to any attacks.

There is a bug discovered in restore.php which only appears when restoration.php is present, i.e. while a backup or update archive is being extracted on your site. Normally, only encrypted commands should be processed. Due to the bug you can bypass the encryption and send arbitrary commands to restore.php and only while it is extracting a backup or update archive. A malicious user with advanced knowledge could craft a special command message which would cause restore.php to extract a remotely stored archive to your site.

For this attack to work there are several conditions which must be met at the same time:

  • A host with URL fopen() wrappers
  • A host which allows direct file writes
  • An attacker with advanced knowledge of PHP to craft the malicious message
  • An attacker able to time his attack at the very short period of time (typically 5 to 90 seconds) it takes for a backup archive or update package to be extracted.

Due to the special conditions required merely having the affected software installed DOES NOT make your site vulnerable. However, this security issue can be used for targeted attacks against valuable targets. It’s worth noting that this kind of attack does leave a remarkable audit trail in the server log files.

Corrective actions for subscribers

We have released new versions of Akeeba Backup for Joomla!, Akeeba Backup for WordPress, Akeeba Solo and Akeeba CMS Update in their currently maintained version branches.

Due to the severity of this security issue we are also releasing new versions of the unsupported, but affected, version branches of Akeeba Backup for Joomla! and Admin Tools. These new versions do not imply any change in our support policy. They are provided as a courtesy. The Compatibility page on our site has been updated accordingly.

Moreover we have been in touch with the Joomla! project. New versions of Joomla! 2.5 and 3.x will be released shortly today.

Corrective actions for non-subscribers (manual mitigation)

If you are no longer a subscriber you DO NOT need to re-subscribe to get this security issue fixed. Instead follow these manual mitigation measures. Additionally, if you are using an old and unsupported version of Joomla! you can follow the same instructions.

  1. Download the restore-hotfix.zip file
  2. Extract the restore-hotfix.zip file on your computer. You will now have a restore.php file.
  3. Upload the extracted restore.php file to the following locations (some of these directories may not exist if you don’t have the respective software installed on your site, in which case you can ignore them):
    • Joomla! 2.5 / 3.x: administrator/components/com_joomlaupdate/restore.php

    • Akeeba CMS Update: administrator/components/com_cmsupdate/restore.php

    • Akeeba Backup for Joomla! Professional: administrator/components/com_akeeba/restore.php

    • Admin Tools 2.0.0 to 2.4.4: administrator/components/com_admintools/restore.php 

VERY IMPORTANT: You may find other files called restore.php on your site. DO NOT REPLACE THEM. They are not the same file. Replacing them will cause problems with your site.

Acknowledgments and additional information

The vulnerability was discovered and reported by Johannes Dahse of Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany. A working proof of concept exploit was presented to us and the Joomla! Security Strike Team. The full disclosure of the vulnerability will be publicly released by Johannes shortly.

The overall risk severity for this security issue according to the OWASP methodology is High. More specifically, the likelihood is Medium (advanced knowledge and specific conditions required) and the impact is High (can lead to full compromise of the site).

CVE: not available at the time of this writing; please consult joomla.org