Log in to Joomla 4 admin
Click on the "Joomla is up to date" quick icon
Click the Upload & Update tab
Click Choose File - select a ZIP file you created with some files (or hacker shells) in it (just as an example zip file with contents)
Click Upload & Install
Enter username and password
Click Install
Joomla checks if it's a valid Joomla package file. Aborts gracefully if not. Cleans up its changes only.
Firstly you get Invalid Login.
BUT THEN IT DOES EXTRACT ANYWAY!!!
Joomla extracts the contents of the zip file to the root of the Joomla installation
Joomla then deletes the /installation/ folder if it was there (e.g., in a development environment)
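The order of operations in the report above (the login is rejected, yet the archive is still extracted) is the fail-open pattern. As an added example that is not part of this tracker thread or of Joomla's own code, here is a fail-closed upload handler in Python: it authenticates first, then validates the archive (manifest present, no path-escaping entries), and only then extracts. It assumes a constructed credential store, a dict standing in for the site root, and administrator/manifests/files/joomla.xml as the marker of a core update package.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Constructed credentials for this demo only; a real handler checks the site's user store.
VALID_CREDENTIALS = {"admin": "correct horse battery staple"}
# Assumed marker of a Joomla core update package: its file manifest at this path.
MANIFEST_PATH = "administrator/manifests/files/joomla.xml"

def authenticate(username, password):
    return VALID_CREDENTIALS.get(username) == password

def validate_package(archive_bytes):
    """Return a list of problems; an empty list means the archive may be extracted."""
    try:
        with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return ["not a zip archive"]
    problems = []
    if MANIFEST_PATH not in names:
        problems.append("missing update manifest")
    for name in names:
        path = PurePosixPath(name)
        # Reject entries that would land outside the site root when extracted.
        if path.is_absolute() or ".." in path.parts or "\\" in name:
            problems.append(f"unsafe path: {name}")
    return problems

def handle_upload(archive_bytes, username, password, site_root):
    """Fail closed: nothing is written unless BOTH login and validation succeed.
    `site_root` is a dict standing in for the web root, so the demo touches no disk."""
    if not authenticate(username, password):
        return "Invalid login"          # stop here; never fall through to extraction
    problems = validate_package(archive_bytes)
    if problems:
        return "Invalid package: " + "; ".join(problems)
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for name in zf.namelist():
            if not name.endswith("/"):  # skip directory entries
                site_root[name] = zf.read(name)
    return "Installed"

def make_zip(files):
    # Build an in-memory zip from {name: bytes} (constructed test input).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()
```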
Status: New ⇒ Closed
Closed_Date: 0000-00-00 00:00:00 ⇒ 2021-05-23 17:26:07
Closed_By: PhilETaylor
So we should fix the invalid login error message.
No, "we" should fix the fact that it is possible to upload literally anything - and not just a Joomla update file - and have Joomla upload it and extract it to the root of the site with zero validation, checking or anything...
Closing as #29763 is already open, for almost a year...
Confirmed.
Just had the issue when testing a patch.
This comment was created with the J!Tracker Application at issues.joomla.org/tracker/joomla-cms/34138.