Executive summary: It is possible for a remote attacker to extract a remotely hosted archive while you are extracting a backup archive / installing an update, depending on your server settings. The attack is NOT possible at any other time. Merely having our software installed DOES NOT make your site vulnerable. The vulnerability was discovered and reported by Johannes Dahse of Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany.
Merely having the affected software installed DOES NOT allow an attacker to compromise (hack) your site. An attacker has to attack at precisely the right moment: while a backup archive or Joomla! update package is being extracted at your site.
The affected software use Akeeba Restore (restore.php) to extract backup archives and update packages of the ZIP, JPA and JPS format. In order to protect from abuse by third parties the restore.php file won’t work until the software it’s used with generated a file called restoration.php. That file contains a cryptographic key which is used to authenticate the commands sent to restore.php.
The restoration.php file is created right before a. you extract a backup archive with the integrated restoration feature of Akeeba Backup / Akeeba Solo and b. you extract the Joomla! update package using Admin Tools, Akeeba CMS Update and Joomla! Update. The file is immediately removed after the extraction is complete. When the file is not present the restore.php file refuses any and all commands. Therefore, when you are not extracting a backup archive or updating your site it is not vulnerable to any attacks.
There is a bug discovered in restore.php which only appears when restoration.php is present, i.e. while a backup or update archive is being extracted on your site. Normally, only encrypted commands should be processed. Due to the bug you can bypass the encryption and send arbitrary commands to restore.php and only while it is extracting a backup or update archive. A malicious user with advanced knowledge could craft a special command message which would cause restore.php to extract a remotely stored archive to your site.
For this attack to work there are several conditions which must be met at the same time:
Due to the special conditions required merely having the affected software installed DOES NOT make your site vulnerable. However, this security issue can be used for targeted attacks against valuable targets. It’s worth noting that this kind of attack does leave a remarkable audit trail in the server log files.
We have released new versions of Akeeba Backup for Joomla!, Akeeba Backup for WordPress, Akeeba Solo and Akeeba CMS Update in their currently maintained version branches.
Due to the severity of this security issue we are also releasing new versions of the unsupported, but affected, version branches of Akeeba Backup for Joomla! and Admin Tools. These new versions do not imply any change in our support policy. They are provided as a courtesy. The Compatibility page on our site has been updated accordingly.
Moreover we have been in touch with the Joomla! project. New versions of Joomla! 2.5 and 3.x will be released shortly today.
If you are no longer a subscriber you DO NOT need to re-subscribe to get this security issue fixed. Instead follow these manual mitigation measures. Additionally, if you are using an old and unsupported version of Joomla! you can follow the same instructions.
Joomla! 2.5 / 3.x: administrator/components/com_joomlaupdate/restore.php
Akeeba CMS Update: administrator/components/com_cmsupdate/restore.php
Akeeba Backup for Joomla! Professional: administrator/components/com_akeeba/restore.php
Admin Tools 2.0.0 to 2.4.4: administrator/components/com_admintools/restore.php
VERY IMPORTANT: You may find other files called restore.php on your site. DO NOT REPLACE THEM. They are not the same file. Replacing them will cause problems with your site.
The vulnerability was discovered and reported by Johannes Dahse of Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany. A working proof of concept exploit was presented to us and the Joomla! Security Strike Team. The full disclosure of the vulnerability will be publicly released by Johannes shortly.
The overall risk severity for this security issue according to the OWASP methodology is High. More specifically, the likelihood is Medium (advanced knowledge and specific conditions required) and the impact is High (can lead to full compromise of the site).
CVE: not available at the time of this writing; please consult joomla.org