Joomla extension perForms in grave danger

A botnet operator is currently using a previously unknown weak point in the Joomla extension perForms to install an IRC bot on Joomla servers that have the vulnerable extension. Computers infected have a running process called httpdse and an outgoing IRC connection. The programming flaw exploited is found in the PHP file components/com_perform/perform.php. It includes external files via the global parameter $mosConfig_absolute_path without making sure that the parameter has not been manipulated beforehand. Attackers may then be able to download arbitrary malicious PHP code if the web server is running with register_globals=on. The botnet uses the Google search engine to look for other potential victims. It currently has some 100 compromised servers - and counting.

A comparable weak point was recently found in the extension Galleria. It may also be found in other modules. Joomla developers are aware that some extensions have holes. They recommend that all Joomla operators check the PHP files in their extensions. They should contain the line:

defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );

Operators should add this if the line is not already there. This query protects scripts from a direct call, which is required for most exploits. It is also highly recommended that PHP web servers be run with register_globals=off. This setting in the file php.ini provides protection against a large number of known and unknown weak points in PHP scripts.

(ehe)