Joomla Vulnerability Bug

Joomla Vulnerability Problem

I should be honest I am not big fan of Joomla, I don’t really like the quality of their code base and the architecture of their solution at least when it is in comparison with the current state of WordPress for example.

Anywho 2 days ago Joomla gave me quite a scare. One ‘hacker’ – kid with nothing better to do – exploited one dangerous Joomla vulnerability.

There was apparently BUG in the file upload and in the com_media administration component, which BOTH bypass the user session check.

This Joomla vulnerability give you permission to upload files to  every folder in the site, which could be quite dangerous ‘feature’ if the site was in the hands of better (real) hacker.

First the media library present you with nice window which you can reach on:

Joomla Vulnerability

Afterwards the upload file functionality permits you to upload file without any authentication.

This bug is so obvious and so dangerous that I am only let to believe that it was left on purpose.

Joomla Vulnerability Solution


Now let’s try to fix this bug:

1. Check if you have everywhere but mainly in the file /administrator/components/com_media/media.php:

defined('_JEXEC') or die;

2. Restrict the assess for guests:

// Access check: is this user allowed to access the backend of this component?
if (JFactory::getUser()->guest) {
    return JError::raiseWarning(403, JText::_('JERROR_ALERTNOAUTHOR'));

Or if you prefer 404 message

// Access check: is this user allowed to access the backend of this component?
if (JFactory::getUser()->guest) {
    return JError::raiseWarning(404, JText::_('JERROR_LAYOUT_PAGE_NOT_FOUND'));


Maybe that is not the most elegant solution but it still fixes successfully one really dangerous security hole.

If you have better suggestions I will be happy to hear them :)


More Joomla Vulnerability examples you can find under:

If you want to test the ones that are already exploited go to specific vulnerability and scroll down to references:

joomla vulnerability references

There you can find Metasploit code or manual explanation of  the exploit.

You can also try the direct link:

  • Dimps1

    Bless you, Bless you! I’ve been battling with this for over 6 months.

    This vulnerability was discovered over a year ago, and upgrades to plug this for all Joomlas (1 – 3) have been around for a while. However, once you’ve been hacked, it’s really hard to fix, The upgrades don’t work. I have 18 Joomla websites, all upgraded regularly, but only the one that got hacked with a Shell 38 has this vulnerability that shows. The others don’t. So, if your site and all its extensions are up to date, I suspect your site was hacked too at some stage.

    You are right: it’s not an elegant solution, it would be preferable to have one of those standard 404 messages, but at this stage I could not give a hoot, it’s only a hacker that will see it;). Standard redirects don’t work either, nor does upgrading (with all that entails!) to another version like 3.3.6.

    So far, your’s is the only solution I’ve found that works.
    Many Thanks

    • Dimps1

      Oops – it did not work on the 2.5.27 version which was not wound back a year, only the 3.3.6. Damn…

      • Kalina Todorova

        we can fix that :) what happens in 2.5.27?
        Have you encountered other vulnerability bugs?

    • Kalina Todorova

      If you prefer Page not found just change the following line:

      return JError::raiseWarning(404, JText::_(‘JERROR_ALERTNOAUTHOR’));


      return JError::raiseWarning(404, JText::_(‘JERROR_LAYOUT_PAGE_NOT_FOUND’));

      the end result should be something like the picture :)