Jumi Component for Joomla! <= 2.0.5 Backdoor Detection

critical Nessus Plugin ID 42820

Synopsis

The remote web server contains a PHP application that is affected by a backdoor allowing the execution of arbitrary code.

Description

The version of Joomla! running on the remote host is affected by a backdoor that is part of a trojan installation of Jumi, a third-party component used for including custom code in Joomla!. An unauthenticated, remote attacker can exploit this backdoor by sending specially crafted input to the 'key' and 'php' parameters of the modules/mod_mainmenu/tmpl/.config.php script to execute arbitrary PHP code, subject to the privileges of the web server user ID.

Note that Jumi versions 2.0.4 and 2.0.5 are known to have been used as a trojan installation. It is also likely that the backdoor sends information about Joomla's configuration, including administrative and database credentials, to a third party during the component's installation.

Solution

Remove the affected backdoor script, change credentials used by Joomla!, and investigate whether the affected server has been compromised.
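
The following sketch supports the investigation step above. It is an added example, not part of the Nessus plugin or of Jumi: it checks a Joomla! root for the backdoor script and lists access-log requests that targeted it. The combined log format, the function names and the sample log lines are assumptions made for illustration.

```python
import os
import posixpath
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Backdoor script path relative to the Joomla! root, and its inputs (both from the advisory).
BACKDOOR_REL = "modules/mod_mainmenu/tmpl/.config.php"
BACKDOOR_PARAMS = {"key", "php"}

# Assumption: access logs are in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def backdoor_present(joomla_root):
    """True if the backdoor script exists on disk under joomla_root."""
    return os.path.isfile(os.path.join(joomla_root, *BACKDOOR_REL.split("/")))

def find_backdoor_hits(lines):
    """Return one record per logged request that targets the backdoor script."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        # Decode %-escapes and collapse "//" and "/./" before comparing paths.
        path = posixpath.normpath(unquote(url.path)).lower()
        if not path.endswith("/" + BACKDOOR_REL):
            continue
        # Only query-string parameters are visible; POST bodies are not logged.
        seen = sorted(BACKDOOR_PARAMS & set(parse_qs(url.query, keep_blank_values=True)))
        hits.append({"ip": m["ip"], "time": m["ts"], "method": m["method"],
                     "status": int(m["status"]), "params": seen})
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder values).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Nov/2009:10:01:02 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Nov/2009:10:03:44 +0000] "POST /modules/mod_mainmenu/tmpl/.config.php HTTP/1.1" 200 312 "-" "-"',
    '198.51.100.7 - - [16/Nov/2009:10:03:59 +0000] "GET /joomla/modules/mod_mainmenu/tmpl/%2Econfig.php?key=REDACTED&php=REDACTED HTTP/1.1" 200 98 "-" "-"',
    '203.0.113.5 - - [16/Nov/2009:11:20:00 +0000] "GET /modules/mod_mainmenu/tmpl/default.php HTTP/1.1" 404 210 "-" "-"',
]

if __name__ == "__main__":
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print(hit)
```

Any hit is worth reviewing regardless of method, since parameters sent in a POST body never appear in the access log; a successful status code on a hit suggests the script was present when the request arrived.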

See Also

https://www.securityfocus.com/archive/1/507595/30/0/threaded

https://code.google.com/archive/p/jumi/issues/45

Plugin Details

Severity: Critical

ID: 42820

File Name: jumi_2_0_5_backdoor.nasl

Version: 1.17

Type: remote

Family: CGI abuses

Published: 11/16/2009

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.2

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:joomla:joomla%5c%21

Required KB Items: www/PHP, installed_sw/Joomla!

Exploit Available: true

Exploit Ease: Exploits are available

Vulnerability Publication Date: 10/30/2009

Reference Information

BID: 36883