The developers behind Akeeba, an extension for content management systems that lets users back up their work, fixed an outstanding issue this week that could’ve let anyone download site backups, passwords and user lists.
Because of the sheer difficulty of exploiting the bug, the vulnerability had managed to stay undetected for more than four years.
An open-source backup extension for CMS platforms such as WordPress and Joomla, Akeeba has been downloaded over eight million times.
Marc-Alexandre Montpas, a researcher for Sucuri, discovered the vulnerability during a routine audit on Monday and, while he wouldn’t release a proof of concept, he did briefly describe how it could be exploited in a blog post on Thursday.
The vulnerability is technically only present on Joomla websites that run Akeeba in “enable front-end and remote backup” mode and stems from a problem in the way a JSON API in the extension handled user authentication when an encrypted request is received.
The API is complex; as Montpas notes, it uses AES encryption in both the cipher-block chaining (CBC) and counter (CTR) modes.
It’s for that reason that triggering the vulnerability wouldn’t be easy. Akeeba even makes a point, in an advisory regarding the vulnerability, to say that it would be “nearly impossible” to exploit unless an attacker was an “experienced cryptanalyst,” adding that a hacker would have to make ‘thousands’ of requests to the server to obtain their encryption vector.
According to Montpas, the attacker would have to brute force a JSON payload one character at a time to converse with the API like a legitimate user. Once they started a back-and-forth, though, an attacker would be able to bypass the AES crypto defenses Joomla has in place and secure access to any backups created with Akeeba.
“With a copy of the backups, an attacker can find your database passwords (stored at configuration.php) and the user list along with their hashed passwords and hashed password-reset tokens,” Montpas stressed on Thursday.
While Akeeba insists the vulnerability would be “extremely difficult to use in a real world situation,” it still went ahead and pushed a security update (3.11.x for Joomla) for the issue on Wednesday.
While WordPress users don’t appear to be at risk – the vulnerability is confined to Joomla for the time being – they can also update to the latest version (1.0.x for WordPress) nonetheless.
Both Akeeba and Sucuri are urging users to upgrade to the new versions by going to Extensions, Extensions Manager, Updates and installing the updates ASAP.