Paladion, a global cyber defense company, recently discovered vulnerabilities in extensions for the content management system Joomla that could leave users exposed to hackers. As an open source software, Joomla has more than 2 million live users and contributors. Its popularity has also prompted other coders and companies to produce more than 8,000 extensions to offer additional handy features. However, in certain cases, use of some of these extensions exposed users to security risks and attacks.
As part of its continual, intensive cybersecurity monitoring and research, Paladion found instances of data not being validated when being exported from Joomla extensions to a CSV file format. Paladion security expert Suresh Narvaneni, who found the flaws, said, “This vulnerability made it possible for an attacker to spread malware via spreadsheets such as Microsoft Excel and LibreOffice Calc. Unauthorized remote machine access was also possible.”
Narvaneni identified the issue in specific Joomla extensions from Acyba and notified Joomla immediately. In addition, a missing validation on a URL field when creating a new company record and a vulnerability to cross-site-scripting (XSS) were found in the JS Jobs extension from Joom Sky.
Joomla then contacted the developers for the extensions concerned, with issues being fixed within one day. Joomla also published a note on the vulnerability at https://vel.joomla.org/articles/2140-introducing-csv-injection. The note related how special characters in exported data could be interpreted as formulae (CSV formula injection) or as commands to open programs such as Windows Power Shell. Suresh added, “An additional risk was the exfiltration of data from spreadsheets. Yet another was the tendency of users to ignore security warnings in spreadsheets they believe to be safe because they download them from their own websites.”