Critical Vulnerabilities in Joomla’s Novarain/Tassos Framework Threaten Website Security
Recent discoveries have unveiled significant security flaws within Joomla’s Novarain/Tassos Framework, exposing numerous websites to severe risks, including unauthorized file access, file deletion, and SQL injection attacks. These vulnerabilities could potentially lead to remote code execution and complete administrative control over affected systems. Immediate action is required to mitigate these threats.
Understanding the Vulnerabilities
A comprehensive review of the Novarain/Tassos Framework plugin (plg_system_nrframework) identified three primary security issues:
1. Unauthenticated File Read: An AJAX handler processing the task=include action lacks proper security measures, allowing attackers to invoke PHP classes with an onAjax method. This flaw enables unauthorized reading of files accessible to the webserver user.
2. File Deletion: Another class within the framework exposes a remove action that permits deletion of files specified by the attacker without adequate validation.
3. SQL Injection: A third class, responsible for dynamic field population, processes attacker-controlled parameters into database queries. This vulnerability allows unauthorized reading of database tables and columns under the Joomla database account.
By exploiting these vulnerabilities in sequence, an attacker can extract administrator session data from the database, gain backend access, and deploy malicious extensions or modify templates, resulting in persistent remote code execution.
Impacted Components and Versions
The vulnerabilities affect several widely used Joomla extensions that incorporate the Novarain/Tassos Framework:
– Novarain/Tassos Framework (plg_system_nrframework): Versions 4.10.14 through 6.0.37
– Convert Forms: Versions 3.2.12 through 5.1.0
– EngageBox: Versions 6.0.0 through 7.1.0
– Google Structured Data: Versions 5.1.7 through 6.1.0
– Advanced Custom Fields: Versions 2.2.0 through 3.1.0
– Smile Pack: Versions 1.0.0 through 2.1.0
These extensions inherit the vulnerabilities through the shared framework, making any site utilizing them susceptible to attacks.
Recommended Actions
To protect against potential exploitation, administrators should:
1. Update Immediately: Apply the latest patches provided by the vendor for the Novarain/Tassos Framework and all affected extensions.
2. Disable Vulnerable Plugins: Temporarily deactivate the plg_system_nrframework plugin and related extensions on internet-facing sites until updates are applied.
3. Restrict Access: Implement measures to limit or filter com_ajax traffic at the web server or through a Web Application Firewall (WAF).
4. Monitor Logs: Review server logs for suspicious activity, such as unexpected task=include requests, unusual CSV-related AJAX actions, or unexplained file deletions, which may indicate attempted exploitation.
These vulnerabilities were identified by independent security researcher p1r0x in collaboration with SSD Secure Disclosure. Administrators are urged to act promptly to secure their Joomla installations and prevent potential breaches.
