Joomla! core remote file inclusion
Description
Joomla! versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, and 3.3.0 through 3.3.4 contain a remote file inclusion vulnerability in the core archive extraction functionality. This vulnerability allows attackers to force the application to extract malicious archive files from remote locations during backup restoration or update installation processes. The vulnerability exists due to insufficient validation of file paths during archive extraction operations, enabling attackers to reference external resources under certain server configurations.
Remediation
Immediately upgrade to a patched version of Joomla!: version 2.5.26 or later for the 2.5.x branch, version 3.2.6 or later for the 3.2.x branch, or version 3.3.5 or later for the 3.3.x branch. Before upgrading, ensure you have a complete backup of your site and database. After upgrading, review server logs for any suspicious archive extraction activities or unauthorized file modifications that may indicate prior exploitation. Additionally, ensure your PHP configuration has 'allow_url_fopen' and 'allow_url_include' disabled if not required for legitimate functionality, as these settings can increase exposure to remote file inclusion attacks.
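As an added illustration of the mitigation the advisory describes, the following is not Joomla's own code but a defensive check a PHP application can apply before passing an archive path to an extractor: it rejects any stream-wrapper URL (the vector that `allow_url_fopen`/`allow_url_include` make reachable) and requires the path to resolve to a regular file inside an assumed local temporary directory.

```php
<?php
// Added example (not Joomla's own code): validate an archive path before
// handing it to an extractor, so a URL or PHP stream wrapper is never opened.
// $allowedBase is assumed to be the site's local temporary directory.
function validateLocalArchivePath(string $path, string $allowedBase): string
{
    // Any "scheme://" prefix (http://, ftp://, php://, data://, phar://, ...)
    // selects a stream wrapper rather than a plain filesystem path.
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path) === 1) {
        throw new InvalidArgumentException('Remote or wrapper path rejected');
    }
    // A NUL byte would truncate the path at the filesystem layer.
    if (strpos($path, "\0") !== false) {
        throw new InvalidArgumentException('Invalid character in path');
    }
    $base = realpath($allowedBase);
    $real = realpath($path);
    if ($base === false || $real === false) {
        throw new InvalidArgumentException('Path does not resolve');
    }
    // The canonical path must sit strictly inside the allowed directory.
    $baseWithSep = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($real, $baseWithSep, strlen($baseWithSep)) !== 0) {
        throw new InvalidArgumentException('Path escapes allowed directory');
    }
    if (!is_file($real)) {
        throw new InvalidArgumentException('Not a regular file');
    }
    return $real;
}

// Constructed demonstration: a scratch directory holding one archive file.
$tmp = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'archive_demo_' . bin2hex(random_bytes(4));
mkdir($tmp, 0700);
file_put_contents($tmp . DIRECTORY_SEPARATOR . 'update.zip', 'PK');

$candidates = [
    'http://example.invalid/update.zip', // remote URL: rejected
    'php://memory',                      // PHP stream wrapper: rejected
    $tmp . '/../outside.zip',            // traversal out of the base: rejected
    $tmp . '/update.zip',                // local file under the base: accepted
];
foreach ($candidates as $candidate) {
    try {
        echo "accepted: " . validateLocalArchivePath($candidate, $tmp) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo "rejected ($candidate): " . $e->getMessage() . PHP_EOL;
    }
}
unlink($tmp . DIRECTORY_SEPARATOR . 'update.zip');
rmdir($tmp);
```

Only the last candidate is accepted; the check is independent of the `allow_url_fopen` setting, so it still holds on hosts where that directive must stay enabled for other functionality.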