Protection against a critical Joomla file upload security bug

There’s been a lot of discussion recently about a critical Joomla security bug that allows “hackers” to upload malicious PHP script files to Joomla sites, then run them. This would allow hackers to use your site to send spam, or to replace any file on your Web site.

Although our customers running Joomla should always upgrade to the latest versions when available, we’ve also put rules in place to protect against this vulnerability.

Exploit Details

The way this exploit works is that although Joomla prevents evildoers from uploading files with names like evil.php, it doesn’t prevent them from uploading files with an extra dot on the end of the name, such as evil.php. (note the trailing dot).

Strangely, the Apache Web server will run such files as if they were named evil.php. This is a very similar vulnerability to the WordPress problem from December 2009 that allowed people to run PHP files with names like image.php.jpeg.

Since nobody should legitimately be using files with funny names like that (and our logs indicate that none of our customers are doing so), we simply expanded the previous December 2009 mod_security WordPress rules to block this, too. That means that even if any of our customers have not yet updated Joomla, “hackers” won’t be able to take advantage of this bug.

The mod_security Rule

In case it helps other people, here’s the simple mod_security rule to do this:

SecRule REQUEST_FILENAME "\.php[3456]?\.$" "deny,status:412,auditlog"

This rule also protects against similar bugs in other software that allows such file uploads (we could have tried to just block the malicious uploads in Joomla, but this is simpler and more general).
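To see exactly what the rule above does and does not match before deploying it, here is a small Python harness (an added example, not part of the original post or of the hosting provider’s configuration) that applies the rule’s regular expression to constructed request URIs and reports the status the rule would produce. It approximates ModSecurity’s REQUEST_FILENAME as the path portion of the URI with the query string removed; URL decoding and path normalisation are deliberately not modelled, and the sample URIs are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# The regular expression copied verbatim from the SecRule on the page.
# It matches ".php" (or .php3/.php4/.php5/.php6) followed by exactly one
# trailing dot at the very end of the request filename.
TRAILING_DOT_PHP = re.compile(r"\.php[3456]?\.$")

# Status codes the rule produces: deny,status:412 on a match, otherwise
# the request passes through (represented here as 200).
DENY_STATUS = 412
PASS_STATUS = 200


def request_filename(request_uri: str) -> str:
    """Approximate ModSecurity's REQUEST_FILENAME variable.

    REQUEST_FILENAME is the request path without the query string, so the
    query string is stripped here. Assumption: no URL decoding or path
    normalisation is applied (a real server does more than this).
    """
    return urlsplit(request_uri).path


def evaluate(request_uri: str) -> int:
    """Return the HTTP status the rule would yield for one request URI."""
    if TRAILING_DOT_PHP.search(request_filename(request_uri)):
        return DENY_STATUS
    return PASS_STATUS


# Constructed sample requests (not real log data).
SAMPLE_REQUESTS = [
    "/images/evil.php.",          # the Joomla trailing-dot case: blocked
    "/images/evil.php3.",         # legacy .php3 extension variant: blocked
    "/images/evil.php.?id=1",     # query string is ignored: still blocked
    "/index.php",                 # ordinary Joomla entry point: allowed
    "/images/photo.jpg",          # ordinary upload: allowed
    "/images/image.php.jpeg",     # the December 2009 WordPress pattern the
                                  # post mentions; NOT covered by this rule
]


def summarize(requests=SAMPLE_REQUESTS) -> dict:
    """Map each sample URI to the status the rule would produce."""
    return {uri: evaluate(uri) for uri in requests}


if __name__ == "__main__":
    for uri, status in summarize().items():
        verdict = "DENY 412" if status == DENY_STATUS else "pass"
        print(f"{uri:30s} -> {verdict}")
```

Two practical notes. First, the rule is evaluated against the requested filename, so it blocks the attempt to execute an already-uploaded evil.php. rather than the upload itself; the file may still land on disk, which is why upgrading Joomla remains the real fix and why the auditlog action is useful for spotting affected sites. Second, the rule as printed on the page predates ModSecurity 2.7, which requires every SecRule to carry an id: action; on a current install you will need to add one (any unique numeric id in a range you reserve for local rules) or the configuration will fail to load.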

Again, we’ve already applied this rule to our servers, so our hosting customers are protected. But if you run a server for other people (especially one that hosts Joomla sites), you should consider adding this mod_security rule to protect your users, too.