JCE Exploit Still Common Within Joomla Powered Sites
A major security vulnerability was identified within the Joomla Content Editor (JCE) component which allowed files to be uploaded without any security checks being performed. This allowed any 'user' to browse to a specific location and upload any number of files - no matter what the file extension was. A patch was released on the 21st of February which fixed this issue but sadly, many site owners did not keep 'up-to-date' with extension developers and their updates, and many never applied it.
In August, this vulnerability was reported to Exploit DB (link here) which outlined the vulnerability and how to use it. This has affected thousands (if not hundreds of thousands) of websites over the years - causing loss of reputation and profits to many businesses.
This exploit has become so well known that hackers have even created a 'bot' that scans Joomla! powered websites looking for the specific vulnerable version of JCE.
How do I know if these 'bots' have been to my website?
If you have access to your log files, you can download them and search for the below words*. If your website is on a dedicated server or similar, your logs should be located within a 'logs' folder above 'public_html' or 'httpdocs'. If however you are on a shared hosting environment - you may need to download them from your hosting control panel.
- The User Agent: 'BOT/0.1 (BOT for JCE)'*
- The request: '/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form'
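Searching a large access log for those two indicators by hand is tedious, so the following is an added example (not code from the original article or from the JCE or DMC Firewall projects) that parses Apache/nginx combined-format log lines, flags each line that carries either the bot User Agent from the article or the imgmanager form request, and tallies the probing source addresses. The log lines are constructed for the example and are not real traffic; the query parameters are matched individually so the check still works if a variant reorders them, and only the 'BOT for JCE' substring of the User Agent is matched because the footnote notes that several variations exist.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample lines in "combined" log format (not real traffic).
# Addresses are from the documentation ranges 203.0.113.0/24, 198.51.100.0/24, 192.0.2.0/24.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:02:14:05 +0000] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form HTTP/1.1" 200 5123 "-" "BOT/0.1 (BOT for JCE)"
198.51.100.9 - - [10/Apr/2013:02:14:06 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8450 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:02:14:09 +0000] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form HTTP/1.1" 200 5123 "-" "BOT/0.1 (BOT for JCE)"
192.0.2.44 - - [10/Apr/2013:03:01:11 +0000] "GET /index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form HTTP/1.1" 200 5123 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
"""

# One combined-format line: ip ident user [time] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The article's footnote says the UA has several variants; this substring is the common part.
BOT_UA_MARKER = "BOT for JCE"


def is_jce_probe(path: str) -> bool:
    """True if the request targets the JCE image manager form named in the article."""
    query = parse_qs(urlparse(path).query)
    return (
        query.get("option") == ["com_jce"]
        and query.get("plugin") == ["imgmanager"]
        and query.get("method") == ["form"]
    )


def scan_log(log_text: str) -> list:
    """Return the parsed records of every line matching either indicator, with reasons."""
    hits = []
    for line in log_text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in combined format rather than abort the scan
        record = match.groupdict()
        reasons = []
        if BOT_UA_MARKER in record["ua"]:
            reasons.append("jce-bot-user-agent")
        if is_jce_probe(record["path"]):
            reasons.append("jce-imgmanager-request")
        if reasons:
            record["reasons"] = reasons
            hits.append(record)
    return hits


def probes_by_ip(log_text: str) -> dict:
    """Count flagged requests per source address, e.g. for a blocklist review."""
    return dict(Counter(hit["ip"] for hit in scan_log(log_text)))


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["method"], ", ".join(hit["reasons"]))
    print(probes_by_ip(SAMPLE_LOG))
```

On a real host, read the file from the 'logs' folder mentioned above in place of SAMPLE_LOG; a request flagged only by the path (no bot User Agent) is still worth reviewing, since the last sample line shows a probe hiding behind an ordinary browser string.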
Is my website being targeted?
These 'bots' don't target one specific website; they scan as many websites as they can find. They are only interested in finding sites that have the outdated version of JCE installed so they can exploit them for their own gain.
Do I have the vulnerable version installed in my site?
One way to check if you are running an out-of-date version of JCE is by logging into the administrator area of your Joomla! powered website and navigating to:
Extensions -> Install/Uninstall -> Components and look for 'JCE'
As of the 31st of March, the latest version for JCE is 188.8.131.52. If your installed version is less than the latest version, please update as soon as possible.
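If you look after many Joomla! sites, the same comparison can be scripted. The following is an added example, not code from the article or from the JCE project: it reads the <version> element from a Joomla! extension manifest and compares it numerically against the current release. The manifest text is constructed for the example; the path administrator/components/com_jce/jce.xml is assumed to be where JCE keeps its manifest, and the LATEST_JCE_VERSION value is a placeholder to be replaced with the release number from the JCE website. The numeric comparison matters because a plain string comparison would rank '2.0.9' above '2.0.10'.

```python
import re
import xml.etree.ElementTree as ET

# Constructed stand-in for a Joomla! extension manifest (assumed to live at
# administrator/components/com_jce/jce.xml on a real host; not copied from the project).
SAMPLE_MANIFEST = """\
<extension type="component" version="1.5" method="upgrade">
    <name>JCE</name>
    <version>1.5.7</version>
    <description>Constructed manifest for illustration only</description>
</extension>
"""

# Placeholder value: substitute the current release number from the JCE website.
LATEST_JCE_VERSION = "2.0.0"


def parse_version(text: str) -> tuple:
    """Turn '2.0.10' into (2, 0, 10) so comparisons are numeric, not lexical."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(p) for p in parts)


def manifest_version(xml_text: str) -> str:
    """Read the <version> element from a Joomla! extension manifest."""
    root = ET.fromstring(xml_text)
    node = root.find("version")
    if node is None or not (node.text or "").strip():
        raise ValueError("manifest has no <version> element")
    return node.text.strip()


def needs_update(installed: str, latest: str = LATEST_JCE_VERSION) -> bool:
    """True when the installed release is older than the latest one."""
    return parse_version(installed) < parse_version(latest)


def check_manifest(xml_text: str, latest: str = LATEST_JCE_VERSION) -> dict:
    """Summarise installed vs latest version for one site's manifest."""
    installed = manifest_version(xml_text)
    return {
        "installed": installed,
        "latest": latest,
        "needs_update": needs_update(installed, latest),
    }


if __name__ == "__main__":
    # On a real host: open the assumed manifest path and pass its contents instead.
    print(check_manifest(SAMPLE_MANIFEST))
```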
If 'JCE' isn't within the list of installed extensions, then you don't have it installed within your website and you won't be exploited by the JCE vulnerability. However, just because you don't have JCE installed - it doesn't mean that your website won't be compromised/vulnerable.
In August, a major security vulnerability was identified that affected all versions of Joomla! (Joomla! 1.0, 1.5, 1.6, 1.7, 2.5, 3.x) and if you haven't updated your website since then - your website could easily be compromised.
I've got JCE installed - what do I do now?
If you have got JCE installed within your website - you need to uninstall the old version and install the latest version which can be found at the below URL. Within the Install/Uninstall area simply 'check' the radio button that is to the left of 'JCE' and click the 'Uninstall' button located in the top right corner. This will remove every file that is associated with JCE. As soon as it has been removed, you can simply install the latest version by clicking on the 'Install' link.
You should also consider reviewing your webspace - looking for any files that shouldn't be there. An article that we did previously may help identify whether your website has been compromised.
Why are they doing this?
'Hackers' are broken down into 4 categories, which we have outlined below:
- To hide their own identity - they want to use your computer/servers. They will use your computer like an Internet relay chat so they can openly discuss activities that they do not want to discuss on their own servers. They store illicit material (pornography, pirated music, pirated software etc.) on your computer so this illegal activity cannot be traced back to their own computer
- Criminal activity - to steal services, valuable files or your personal credentials in order to access your accounts or the accounts of your website visitors. They use this data to gain access to billing, merchant accounts and third party systems
- For profit - they employ hacking techniques to set-up fake E-commerce websites to access credit card details, gain entry to servers that contain credit card details and other forms of credit card fraud
- For fun - they pride themselves on their ability to create new programs. They brag to their social circle about any high-profile systems that they've compromised. You can employ more security measures to protect your computer system e.g. Firewalls, anti-spyware etc., but this type of hacker just finds it more of a challenge to defeat the security defences that you put in place
How can I protect my website?
The best way to make sure that your website (and business) aren't affected by this vulnerability is to make sure that you update your website (core Joomla!) and any extensions that you or your web developer have installed.
Where did you get this information from?
Our information is gathered from a number of reliable sources identified below. We also collect data from thousands of Joomla! powered websites that have DMC Firewall installed.
JCE - the developers of JCE published a security article regarding the issue, link here
DMC Firewall - a security extension developed by Web Development Consultancy Ltd
Spider Labs - [Honeypot Alert] JCE Joomla Extension Attacks
* There are multiple variations of the User Agent - this is just the most common version