Yesterday, my day ended delivering a webinar on Joomla security, only to start today with a new critical vulnerability found in a popular Joomla! extension – eXtplorer File Manager. This vulnerability is a classic example of two of the most popular ways to exploit an application: vulnerable plugin and weak login details. Of course as soon as the issue got discovered we started working on protecting our Joomla customers on a server level. Below I will explain the vulnerability, what we did to fix it on our servers, and what you should do if you are not hosted by SiteGround.
eXtplorer File Manager vulnerability explained
eXtplorer File Manager is a full-fledges stand-alone file manager. It also has a Joomla extension that allows you to manage your files directly from the Joomla! administrative area. By installing eXtplorer extension for Joomla you also install a separate eXtplorer administrative interface, of which you may even not be aware. The problem with this stand-alone interface is that the login details for it are automatically created as admin/admin, and at the same time it is publicly accessible by default! Thus, anyone can easily login to the eXtplorer File Manager and then upload any files to your Joomla! Site.
What we did to prevent hackers from accessing vulnerable sites?
Our security team quickly created custom Apache mod_sec rules to filter the requests. This means that if someone tries to access the eXtplorer separate administrative interface the default login details will not work and the login page will be simply reloaded.
If, by any chance, you were using this interface yourself with the admin/admin login details (which we highly doubt any of our customers, who have followed our security tips, would do), you can contact our support for a password reset. If you are using the eXtplorer plugin in the usual way - through your Joomla admin, you should not take any further action.
What to do if you are not hosted by SiteGround?
If you are not hosted on our servers you have two options:
1. The first way to resolve the issue is to immediately change the default password for the eXtplorer separate administrative interface. To do this access the interface at:
Then login and change the password for the default admin username.
2. The second way to resolve the issue is to create an .htaccess file in the com_extplorer folder and add the following line to it:
deny from all
This way the eXtplorer separate administrative interface will not be accessible at all and hackers will not see the login page.
All in all, if your site is hosted on our server you can relax and enjoy the upcoming holidays. If not, you have to change your eXtplorer login details before hackers manage to edit your site and steal important information from your site. Of course, you can always transfer your site to our servers 🙂