Websites using the Novarain/Tassos Framework are exposed to severe security vulnerabilities that allow unauthorized file reading, file deletion, and SQL injection. These issues are critical because they could lead to remote code execution and complete administrative control over unpatched systems. Site owners should promptly apply the vendor's updates to address these flaws.
Details of the Vulnerability
The vulnerabilities were identified during a source-code analysis of the Novarain/Tassos Framework plugin (plg_system_nrframework), which revealed an inadequately secured AJAX handler. This weakness lets attackers invoke PHP classes within the Joomla site, turning internal functionality into externally reachable attack paths.
Specific classes within the framework mishandle CSV loading, allowing arbitrary files to be read as the web server user. Another class that handles file deletion is vulnerable to path manipulation, and a third class, used for dynamic field population, is susceptible to SQL injection, permitting unauthorized database access.
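As an added illustration, not code from the Tassos Framework (which is written in PHP), the following Python shows the defensive pattern that closes the path-manipulation class of bug described above: a user-supplied file name is resolved to a real absolute path and checked against an allowed base directory before any deletion is attempted. The scratch directory and file names are constructed for the demo.

```python
import os
import shutil
import tempfile


def resolve_within(base_dir, user_path):
    """Resolve user_path relative to base_dir and return the real absolute
    path only if it stays inside base_dir; return None otherwise.

    realpath() follows symlinks and collapses '..' segments, so neither a
    relative name that climbs out of the folder nor an absolute path can
    escape base_dir.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_path))
    # commonpath() compares whole path components, so a sibling folder such
    # as '/srv/uploads-old' is correctly rejected for base '/srv/uploads'.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def is_confined(base_dir, user_path):
    """True if user_path cannot escape base_dir."""
    return resolve_within(base_dir, user_path) is not None


def safe_delete(base_dir, user_path):
    """Delete a regular file under base_dir only after the confinement check.

    Returns True if a file was removed, False if the request was refused or
    the file does not exist.
    """
    target = resolve_within(base_dir, user_path)
    if target is None or not os.path.isfile(target):
        return False
    os.remove(target)
    return True


def demo():
    """Exercise the check against a constructed scratch upload directory."""
    base = tempfile.mkdtemp(prefix="uploads_")  # stand-in for a site upload folder
    try:
        os.makedirs(os.path.join(base, "reports"))
        open(os.path.join(base, "reports", "export.csv"), "w").close()
        sibling = "../" + os.path.basename(base) + "-old/x.csv"
        return {
            "inside": safe_delete(base, "reports/export.csv"),   # True: allowed and removed
            "traversal": safe_delete(base, "../../outside.txt"),  # False: climbs out of base
            "absolute": safe_delete(base, "/outside.txt"),        # False: absolute path refused
            "sibling": is_confined(base, sibling),                # False: prefix-only match
        }
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The key design choice is to compare the resolved path component-wise with `os.path.commonpath` rather than with a string prefix test, and to run `realpath` on both sides so that symlinks inside the upload folder cannot redirect the check.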
Impact on Joomla Extensions
Several widely used Joomla extensions are affected, including Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack. These extensions incorporate the vulnerable framework, thus posing indirect risks to numerous sites.
The affected versions range from v4.10.14 to v6.0.37 for the Novarain/Tassos Framework, with various versions of the mentioned extensions also affected. Because the attack vector relies on unauthenticated AJAX requests, it is crucial to implement compensating controls such as restricting access to the handler and enforcing additional authentication.
Mitigation and Recommendations
The vendor has released updated builds for the affected framework and extensions, which are accessible through official channels and Joomla’s update mechanisms. Administrators must update all Tassos components immediately or disable the vulnerable plugin and related extensions on exposed sites until the patches are applied.
As an additional security measure, operators should limit or filter com_ajax traffic at the server or WAF level and scrutinize logs for any suspicious task=include requests, CSV-related AJAX activities, or unexplained file deletions.
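The following Python script is an added example (not a tool from the vendor or the researchers) of the log review recommended above. It parses Apache combined-format access log lines and flags com_ajax requests that carry a task=include parameter, reference CSV data, or use a delete-style task. The log lines are constructed; the plugin name and the file parameter in them are assumptions, since the page does not document the handler's exact query parameters.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (not real traffic). The
# plugin=... and file=... parameters are assumed for illustration.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2025:12:00:01 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include HTTP/1.1" 200 310 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2025:12:00:03 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&format=raw&task=include&file=data.csv HTTP/1.1" 200 8800 "-" "curl/8.0"
203.0.113.9 - - [10/Mar/2025:12:00:04 +0000] "GET /index.php?option=com_ajax&plugin=convertforms&task=submit HTTP/1.1" 200 77 "-" "Mozilla/5.0"
203.0.113.11 - - [10/Mar/2025:12:00:05 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&format=raw&task=remove&file=report.csv HTTP/1.1" 200 12 "-" "curl/8.0"
"""

# Client IP, timestamp, request line (method + target), and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one log line, or None if it is not in the expected format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    query = parse_qs(urlsplit(rec["target"]).query, keep_blank_values=True)
    # Normalise keys and values to lower case so matching is case-insensitive.
    rec["params"] = {k.lower(): [v.lower() for v in vals] for k, vals in query.items()}
    return rec


def suspicious_reasons(params):
    """List the indicators present in a parsed query string (empty list if none).

    Only com_ajax requests are considered; everything else is out of scope.
    """
    reasons = []
    if "com_ajax" not in params.get("option", []):
        return reasons
    tasks = params.get("task", [])
    if "include" in tasks:
        reasons.append("task=include")
    if any("csv" in k or any("csv" in v for v in vals) for k, vals in params.items()):
        reasons.append("csv reference")
    if any("delete" in t or "remove" in t for t in tasks):
        reasons.append("delete-style task")
    return reasons


def analyze(log_text):
    """Scan a block of log text and return the flagged requests in file order."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = suspicious_reasons(rec["params"])
        if reasons:
            findings.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "target": rec["target"],
                "reasons": reasons,
            })
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["method"], f["target"], "->", ", ".join(f["reasons"]))
```

Run it against a real access log with `analyze(open("access.log").read())`; the fourth sample line shows that an ordinary com_ajax form submission is not flagged, so the output stays focused on the indicators the advisory names rather than on all AJAX traffic.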
These vulnerabilities were uncovered by security researcher p1r0x in collaboration with SSD Secure Disclosure. Immediate action is required to safeguard websites from potential exploitation.
