NASLDB: Acajoom Component for Joomla! <= 3.2.6 Backdoor Detection
General
ID: 39482
Name: Acajoom Component for Joomla! <= 3.2.6 Backdoor Detection
Summary: Tries to execute a command
Credits: Tenable Network Security, Inc.
Classification
Risk: –
CVSS: –
CVSS Base Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Temporal Vector: CVSS2#E:F/RL:OF/RC:C
Port: 80
Family: CGI abuses
Type: Remote
Description
The remote host is running Acajoom, a third-party component for
Joomla! for managing mailing lists, newsletters, auto-responders, and
other sorts of communications.
The version of Acajoom installed on the remote host reportedly
contains a backdoor in the ‘self.acajoom.php’ script. By calling this
script and setting the ‘lang’ parameter to ‘en-g’, an unauthenticated
remote attacker can pass arbitrary input via the ‘s’ parameter to an
‘eval()’ call, to be executed subject to the privileges of the web
server user id.
Note that another backdoor has also been reported, involving the
‘GetBots()’ function in ‘install.acajoom.php’, which emails
information to an address in Russian when the component is installed,
although Nessus has not checked for it.
Exploiting
Exploit Available: True
Exploitability Ease: Exploits are available
Sources
CVE: –
OSVDB: –
Bugtraq: –
scipID: –
Timeline
Vulnerability Disclosure: –
Patch Release: –
Plugin Release: 2009/06/23
Plugin
Version: 1.11
Filename: acajoom_3_2_6_backdoor.nasl
Filesize: 5029 bytes
MD5 Hash: edfc43c443699f45f616376226cd108b
Identification: Host/OS
Require Keys: www/joomla
Dependencies: "joomla_detect.nasl", "os_fingerprint.nasl"
Copyright: This script is Copyright © 2009-2011 Tenable Network Security, Inc.