mySites.guru
Two more Joomla zero days landed today
It has been a relentless week for Joomla security. Three separate zero days in widely installed extensions, two of them confirmed today, and they all come down to the same thing: an upload endpoint that takes a file from anyone, with no login and no check on what the file is. Drop a PHP shell, run it, own the site.
None of this is new. These flaws have been sitting in extension code for years. What changed is how quickly they get found. Point AI at an extension's source and ask it to flag every upload path that skips its login check, and a job that used to take a careful afternoon now takes a few minutes. That cuts both ways, attackers run the same trick. So more of these are turning up, closer together, and getting exploited almost the moment they appear.
Here is what dropped this week, worst first: the SP Page Builder zero day that is actively planting fake Super Admins, the iCagenda zero day we found and reported ourselves, and the ongoing JCE editor wave we built a dedicated tool to catch.
All three posts are free to read on the blog
Zero day – exploited now
SP Page Builder is being used to plant fake Joomla admins
SP Page Builder is one of the most installed page builders for Joomla, and its asset.uploadCustomIcon task accepts a file upload with no login and no type check. Attackers are using it right now to upload a PHP shell, then create hidden Super Administrator accounts (the giveaway is an email ending in @secure.local) and drop a file manager backdoor in several spots for persistence. A WAF that blocks the JCE exploits does not necessarily block this one. The fix is 6.6.2. Update every site, then check your admin list and clean anything that was hit — mySites.guru flags the rogue admins and the dropped shells across all your sites automatically.
Zero day – we found it
We found and reported a zero day in iCagenda
iCagenda is a popular Joomla events component, and it carried the same flaw: an unauthenticated file upload that hands an attacker full remote code execution. We found it, confirmed it was being exploited, and reported it responsibly to the developer. To their credit, they shipped 4.0.8 the same day. If you run iCagenda, update to 4.0.8 now. Anything below it should be treated as vulnerable, and any site that was on an older version should be checked for a compromise.
New tool
And the JCE editor wave is still running, so we built a tool for it
The JCE profiles hack is the same trick at a much bigger scale: an unauthenticated profile import (patched in JCE 2.9.99.5) used to re-enable PHP uploads and drop a webshell. It took down three of the Joomla project's own flagship sites. mySites.guru now has a dedicated check that finds the rogue editor profiles and the webshells this attack leaves behind, across every connected Joomla site, then lets you remove them and patch JCE from one screen.
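Three of the items above share the same defensive check: know which connected sites still run an extension below the fixed release (SP Page Builder 6.6.2, iCagenda 4.0.8, JCE 2.9.99.5) and look for the fake Super Admin indicator the SP Page Builder attack leaves behind. The following is an added example, not mySites.guru's code; the extension keys and the inventory layout are assumptions, and the site data is constructed.

```python
"""Audit a constructed inventory of Joomla sites against the fixed versions
and the rogue-admin indicator named in the newsletter (added example)."""
import re

# Fixed releases quoted in the newsletter; the extension keys are assumed names.
FIXED_VERSIONS = {"sppagebuilder": "6.6.2", "icagenda": "4.0.8", "jce": "2.9.99.5"}


def version_tuple(v):
    """Dotted version -> tuple of ints ('2.9.99.5' -> (2, 9, 99, 5))."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def is_below(installed, fixed):
    """True when installed < fixed; shorter tuples are padded with zeros so
    that 2.9.99 compares as older than 2.9.99.5."""
    a, b = version_tuple(installed), version_tuple(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def vulnerable_extensions(site):
    """Extensions on the site that are still below their patched release."""
    return sorted(name for name, ver in site["extensions"].items()
                  if name in FIXED_VERSIONS and is_below(ver, FIXED_VERSIONS[name]))


def rogue_admins(site):
    """Super User accounts whose email ends in @secure.local, the indicator
    the newsletter gives for the SP Page Builder attack."""
    return sorted(u["username"] for u in site["users"]
                  if "Super Users" in u["groups"]
                  and u["email"].lower().endswith("@secure.local"))


def audit(sites):
    """Per-site report: outdated extensions and suspicious Super Users."""
    return {s["url"]: {"vulnerable": vulnerable_extensions(s),
                       "rogue_admins": rogue_admins(s)} for s in sites}


# Constructed sample inventory, standing in for what a monitoring tool collects.
SAMPLE_SITES = [
    {"url": "https://shop.example",
     "extensions": {"sppagebuilder": "6.5.9", "jce": "2.9.99.5"},
     "users": [{"username": "admin", "email": "owner@shop.example", "groups": ["Super Users"]},
               {"username": "svc_x", "email": "x@secure.local", "groups": ["Super Users"]}]},
    {"url": "https://events.example",
     "extensions": {"icagenda": "4.0.8", "jce": "2.9.99"},
     "users": [{"username": "admin", "email": "admin@events.example", "groups": ["Super Users"]}]},
]

if __name__ == "__main__":
    for url, report in audit(SAMPLE_SITES).items():
        print(url, report)
```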
Three in one week is the pace now, not a bad fortnight. The bugs were always there; they are just being found faster. The problem is you cannot patch a flaw you do not know your sites carry. That is the whole reason mySites.guru indexes every extension on every site you connect and builds a targeted check the day an attack like this shows up. There will be a next one, and when it lands you want to already know which of your sites are running the thing it targets.
Need help with your site?
Phil Taylor – Fixing websites since 2004
Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.
✓ Hacked or compromised sites
✓ PHP errors and white screens
✓ Upgrades and PHP 8 compatibility
✓ Performance and hosting issues
If I can't add value, you don't pay