
Admin accounts: the risk is inside

2 years 5 months ago - 2 years 5 months ago #2835 by Jose
Hi all,

One of the biggest nightmares for Joomla administrators is that someone adds a new account with administrative privileges. This way, the attacker will be able to access the entire website without restrictions.

There are many ways to do this:
The most obvious is using the Joomla core mechanism somehow to create a new Super User account. But there is another way that automatically creates a new Super User account every time someone logs into the backend. Taking advantage of an XSS vulnerability, a JavaScript file is loaded from another location and a new Super User account is silently created:



This is the situation before the JavaScript file is loaded:



Then, someone logs into the backend:



And a Super User is created!



To prevent these situations I have added a new feature to Securitycheck Pro: Forbid new admin accounts:



With this option enabled no new accounts with administration privileges will be created, even if someone uses this kind of trick. We will also be notified about this with a log entry:



Other extensions only check accounts created using the Joomla backend, so they won't be able to detect cases like this.

Regards.
Last edit: 2 years 5 months ago by Jose.
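The point of the post is that an admin account created behind the backend's back (here, by a script injected through XSS and run with a logged-in administrator's session) is invisible to checks that only watch the Joomla user form. The added example below is not part of Jose's post nor of Securitycheck Pro's code; it shows the kind of check a practitioner would want instead: read the privileged group memberships straight from the database, compare them with a baseline taken when the admin list was known to be clean, and either alert or revert. It goes a little beyond the post in that it also flags an existing low-privilege account that has been quietly added to a privileged group. Assumptions: an in-memory SQLite database stands in for Joomla's MySQL tables, the table prefix is `jos_`, and the privileged groups are Joomla's stock Administrator (id 7) and Super Users (id 8); the user and group rows are constructed sample data.

```python
import sqlite3

# Joomla's default group ids for Administrator and Super Users. Assumption:
# the site keeps the stock groups; custom privileged groups would be added here.
PRIVILEGED_GROUP_IDS = {7: "Administrator", 8: "Super Users"}

# Constructed, minimal stand-in for the two Joomla tables that matter here
# (prefix jos_ assumed); only the columns the check needs are modelled.
SCHEMA = """
CREATE TABLE jos_users (
    id INTEGER PRIMARY KEY,
    username TEXT NOT NULL UNIQUE,
    block INTEGER NOT NULL DEFAULT 0,
    registerDate TEXT NOT NULL
);
CREATE TABLE jos_user_usergroup_map (
    user_id INTEGER NOT NULL,
    group_id INTEGER NOT NULL,
    PRIMARY KEY (user_id, group_id)
);
"""


def open_site_db():
    """Open an in-memory database with constructed sample rows: one legitimate
    Super User (jose) and one Editor (group 4)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO jos_users VALUES (?, ?, ?, ?)", [
        (42, "jose", 0, "2020-01-01 10:00:00"),
        (43, "editor", 0, "2020-02-01 10:00:00"),
    ])
    conn.executemany("INSERT INTO jos_user_usergroup_map VALUES (?, ?)",
                     [(42, 8), (43, 4)])
    conn.commit()
    return conn


def privileged_accounts(conn):
    """Return {user_id: (username, {group_id, ...})} for every account in a
    privileged group, read directly from the tables so that rows written
    without going through the Joomla backend are seen too."""
    placeholders = ",".join("?" * len(PRIVILEGED_GROUP_IDS))
    rows = conn.execute(
        f"SELECT u.id, u.username, m.group_id "
        f"FROM jos_users u JOIN jos_user_usergroup_map m ON m.user_id = u.id "
        f"WHERE m.group_id IN ({placeholders}) ORDER BY u.id",
        tuple(PRIVILEGED_GROUP_IDS)).fetchall()
    result = {}
    for uid, name, gid in rows:
        result.setdefault(uid, (name, set()))[1].add(gid)
    return result


def snapshot(conn):
    """Baseline taken at a moment the administrator trusts the admin list."""
    users = {uid for (uid,) in conn.execute("SELECT id FROM jos_users")}
    return {"users": users, "privileged": privileged_accounts(conn)}


def detect_new_admins(conn, baseline):
    """Every privileged membership that was not in the baseline is an alert,
    whether it belongs to a brand-new account or to an escalated old one."""
    alerts = []
    for uid, (name, groups) in privileged_accounts(conn).items():
        known = baseline["privileged"].get(uid, (name, set()))[1]
        for gid in sorted(groups - known):
            alerts.append({
                "user_id": uid, "username": name,
                "group_id": gid, "group": PRIVILEGED_GROUP_IDS[gid],
                "kind": "new account" if uid not in baseline["users"] else "escalated",
            })
    return alerts


def enforce_no_new_admins(conn, baseline):
    """Revert unexpected privileged memberships; block accounts that did not
    exist at baseline. Returns the alerts that were acted on (the log entry)."""
    alerts = detect_new_admins(conn, baseline)
    for a in alerts:
        conn.execute("DELETE FROM jos_user_usergroup_map WHERE user_id = ? AND group_id = ?",
                     (a["user_id"], a["group_id"]))
        if a["kind"] == "new account":
            conn.execute("UPDATE jos_users SET block = 1 WHERE id = ?", (a["user_id"],))
    conn.commit()
    return alerts


def simulate_silent_admin_creation(conn):
    """Constructed stand-in for the outcome described in the post: after an
    admin login, a Super User appears without anyone using the user form.
    The rows are written directly, i.e. not via the backend; as a bonus the
    existing editor is also lifted into Super Users."""
    conn.execute("INSERT INTO jos_users VALUES (?, ?, ?, ?)",
                 (44, "backdoor", 0, "2021-03-03 03:03:03"))
    conn.executemany("INSERT INTO jos_user_usergroup_map VALUES (?, ?)",
                     [(44, 8), (43, 8)])
    conn.commit()


if __name__ == "__main__":
    db = open_site_db()
    base = snapshot(db)
    simulate_silent_admin_creation(db)
    for alert in enforce_no_new_admins(db, base):
        print(f"[{alert['kind']}] {alert['username']} (id {alert['user_id']}) "
              f"added to {alert['group']}; reverted")
```

Run as a cron job against the real database, the baseline would be persisted to a file outside the web root and refreshed only by an administrator who has just reviewed the admin list; the "log entry" is whatever `enforce_no_new_admins` returns. The check is deliberately independent of Joomla's own user model, which is exactly why it still fires for the XSS-driven case above.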
