Jumi Component for Joomla! <= 2.0.5 Backdoor Detection

critical Nessus Plugin ID 42820

Synopsis

The remote web server contains a PHP application that is affected by a backdoor allowing the execution of arbitrary code.

Description

The version of Joomla! running on the remote host is affected by a backdoor that is part of a trojaned installation of Jumi, a third-party component used for including custom code in Joomla!. An unauthenticated, remote attacker can exploit this backdoor by supplying specially crafted input to the 'key' and 'php' parameters of the modules/mod_mainmenu/tmpl/.config.php script, thereby executing arbitrary PHP code with the privileges of the web server user ID.

Note that Jumi versions 2.0.4 and 2.0.5 are known to have been used as a trojan installation. It is also likely that the backdoor sends information about Joomla's configuration, including administrative and database credentials, to a third party during the component's installation.

Solution

Remove the affected backdoor script, change credentials used by Joomla!, and investigate whether the affected server has been compromised.
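A host-side check an administrator can run against a Joomla! document root before removing the script, as an added example (not Nessus plugin code and not part of Jumi). It looks for the exact backdoor path named above and, as a broader heuristic that is my assumption rather than anything the advisory states, for any other dot-prefixed PHP file under the root, since a plain `*.php` glob silently skips hidden files and that is exactly how a file like `.config.php` escapes a casual listing. The sample directory tree is constructed inside the script so it runs offline.

```python
"""Defender-side check for the Jumi backdoor script named in the advisory.

Added example, not Nessus or Jumi code. Walks a Joomla! document root and
reports (a) the exact backdoor path from the advisory and (b) any other
hidden (dot-prefixed) .php file, which is a heuristic assumption: stock
Joomla! code does not ship dot-prefixed PHP files.
"""
import os
import tempfile
from pathlib import Path

# Path of the backdoor script relative to the Joomla! root (from the advisory).
BACKDOOR_PATH = "modules/mod_mainmenu/tmpl/.config.php"


def find_suspicious_php(joomla_root):
    """Return a sorted list of root-relative paths that warrant investigation."""
    root = Path(joomla_root)
    findings = set()

    # Exact path from the advisory. Checked explicitly because shell globs
    # such as "*.php" do not match dotfiles, so it is easy to overlook.
    if (root / BACKDOOR_PATH).is_file():
        findings.add(BACKDOOR_PATH)

    # Heuristic (assumption): any hidden PHP file anywhere under the root is
    # unusual for a Joomla! install and worth a look.
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name.startswith(".") and name.lower().endswith(".php"):
                findings.add(Path(dirpath, name).relative_to(root).as_posix())

    return sorted(findings)


def demo(include_backdoor=True):
    """Build a constructed Joomla! tree and run the check over it.

    With include_backdoor=True the trojaned file is planted next to a benign
    module template; with False only the benign template exists.
    """
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        tmpl = root / "modules" / "mod_mainmenu" / "tmpl"
        tmpl.mkdir(parents=True)
        # Constructed sample files; contents are placeholders, not real code.
        (tmpl / "default.php").write_text("<?php // constructed benign template\n")
        if include_backdoor:
            (tmpl / ".config.php").write_text("<?php // constructed stand-in\n")
        return find_suspicious_php(root)


if __name__ == "__main__":
    for path in demo():
        print("suspicious:", path)
```

Point `find_suspicious_php` at the real document root (for example `/var/www/html`) rather than `demo()` to check a live install; any hit is a reason to follow the rest of the Solution (remove the script, rotate the Joomla! credentials and investigate for wider compromise), not a clean bill of health on its own.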

See Also

https://www.securityfocus.com/archive/1/507595/30/0/threaded

https://code.google.com/archive/p/jumi/issues/45

Plugin Details

Severity: Critical

ID: 42820

File Name: jumi_2_0_5_backdoor.nasl

Version: 1.18

Type: remote

Family: CGI abuses

Published: 11/16/2009

Updated: 6/5/2024

Configuration: Enable thorough checks

Supported Sensors: Nessus

Enable CGI Scanning: true

Vulnerability Information

CPE: cpe:/a:joomla:joomla%5c%21

Required KB Items: www/PHP, installed_sw/Joomla!

Excluded KB Items: Settings/disable_cgi_scanning

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 10/30/2009

Reference Information

BID: 36883