Serious Joomla security hole

Ray PenalosaIn case you haven’t heard, Joomla versions 2.5.x and 3.1.x have a big security hole that will allow any user who browses your site to upload malicious PHP files regardless of their permission.

Joomla is a Content Management System (CMS) that can be installed on a web site. It isn’t part of your hosting account by default, so if you haven’t installed it, you are not at risk for this particular security issue.

Joomla already has a filtering mechanism to prevent files with certain extensions from being uploaded through the application. However, the bug allows files with a trailing dot ( . ) to bypass the filter mechanism. Therefore, someone can create a file with a .php extension and include a period at the end, and the malicious file will be uploaded, after which the server will process the file as a PHP application. For example, normally Joomla will not allow a file called somefile.php to be uploaded. However, somefile.php. with a trailing dot, can be uploaded to the affected versions.

Versafe, an online fraud protection company, discovered this serious exploit. If your Joomla application becomes ompromised, your application either can become a phishing site, redirecting browsers to a malicious site that can steal personal information or it can become a repository for malware and Trojan programs infecting anyone who calls on that page.


To solve this problem you should download the latest version of Joomla, and upgrade to the latest version. If upgrading is not an option for you, you can include a line of code that will automatically strip the trailing dot ( . ) from the file name before upload begins, so the upload cannot bypass the media management filtering mechanism.

The file you will need to modify is the file.php file. The file is located under Libraries/Joomla/FileSystem. Within the function makeSafe, add the line:

// Remove any trailing dots, as those aren’t ever valid file names.

$file = rtrim($file, ‘.’);

If this line already exists under file.php, then the exploit has been closed and your Joomla application should be immune from this security hole.

What DiscountASP is doing

On our end, as of today we have updated our Web App Gallery to the latest version of Joomla that already has this patch. Therefore, if you downloaded and installed your Joomla application through our Web App Gallery today, your Joomla application should be protected from this exploit.

However, this security hole is considered to be a “Zero-day exploit” which means that the vendor of the application was unable to react before millions of Joomla applications became susceptible to the security threat. If your site runs the affected versions of Joomla, the chances that your web application is vulnerable to this threat are high and you should take immediate action.

I also encourage you to read these articles for more details on the Joomla exploit.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.