mySites.guru
|
| |
|
|
Another Joomla Extension zero-day, and another extension provider drops Joomla 3 support
Today we announce a serious critical vulnerability, already being exploited, in Balbooa Forms, a popular Joomla form builder. Up to and including version 2.4.0, anyone could upload a PHP file through a public form and run it, with no login and no token. That is full remote code execution from the open internet, and it was already being exploited when we found it. It is fixed in 2.4.1, so if you run Balbooa Forms anywhere, update now. And breaking today: JoomShaper has stopped patching Joomla 3 across SP Page Builder, Helix, and the rest of its range, with no security fixes regardless of severity. More on both below.
A flaw like that is only half the story. What usually costs people more is what happens after, because a site rarely stays clean after one pass. So the rest of this issue is about actually clearing a compromise: the reinfection hiding in a crontab you can't see, why the second wave does the real damage, how to delete thousands of malicious .htaccess files at once, and how to tell suspect content from hacked files when you're staring at a scan and not sure what to trust.
All guides are free to read on the blog
|
|
|
|
Zero-day
Balbooa Forms – anyone could run code on your Joomla site
The frontend upload in Balbooa Forms took a file from anyone, with no login, no token, and no check on the file type. A single request could drop a PHP file into a public folder and run it: unauthenticated remote code execution, the worst outcome a web flaw can have. It was being exploited in the wild before the patch shipped. Balbooa fixed it in 2.4.1 within a day of a private report. Update every install, then check any older site for tampering.
|
|
|
|
New
The Helix3 defacement that file scanners never find
The "Hacked by AntonKill" defacement is hitting Joomla sites through the Helix3 framework, and it hides where most cleanups never look: the payload sits in the database, not in a file. Scan the filesystem and you'll come up clean while the defacement keeps serving. This post shows where it lives, how to clear it in one click, and how to find every affected site in your account.
|
|
|
|
New
JoomShaper just stopped supporting their Joomla 3 extensions
Breaking today: JoomShaper, the maker of SP Page Builder and the Helix framework, has ended support for the Joomla 3 versions of all its products. Their words: "No security patches, regardless of severity." If a critical flaw turns up in the Joomla 3 build of SP Page Builder tomorrow, it does not get fixed. It's a defensible call, but it leaves a lot of live sites exposed, and JoomShaper's own extensions have thrown up serious flaws lately. Here's who is affected and what to do.
|
|
|
When a site does get hit
|
|
|
|
|
|
|
|
Need help with your site?
Phil Taylor – Fixing websites since 2004
|
Found something wrong with your Joomla or WordPress site? If it were simple, you'd have fixed it already. I offer same-day expert help at a flat rate of £120 per incident. No hourly billing surprises.
✓ Hacked or compromised sites
✓ PHP errors and white screens
✓ Upgrades and PHP 8 compatibility
✓ Performance and hosting issues
|
If I can't add value, you don't pay
|
|
|
|