Admin accounts: the risk is inside

6 years 1 month ago - 6 years 1 month ago #2835 by Jose
Hi all,

One of the biggest nightmares for Joomla administrators is that someone adds a new account with administrative privileges. This way, the attacker will be able to access the entire website without restrictions.

There are many ways to do this:
The most obvious is using the Joomla core mechanism somehow to create a new Super user account. But there is another way that automatically creates a new super user account every time someone logs into the backend. Taking advantage of an XSS vulnerability, a JavaScript file is loaded from another location and a new Super user account is silently created:

This is the situation before the JavaScript file is loaded:

Then, someone logs into the backend:

And a super user is created!

To prevent these situations I have added a new feature to Securitycheck Pro: Forbid new admin accounts:

With this option enabled no new accounts with administration privileges will be created, even if someone uses this kind of trick. We will also be notified about this with a log entry:

Other extensions only check accounts created using the Joomla backend, so they won't be able to detect cases like this.

Last edit: 6 years 1 month ago by Jose.
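The following is an added example, not Securitycheck Pro's code and not part of the post above: a minimal Joomla user plugin that implements the same idea as the "Forbid new admin accounts" option. It hooks the core `onUserBeforeSave` event, which fires for every save that goes through Joomla's User object, so it also catches accounts created by script-driven requests to the backend (the XSS scenario described above), not only accounts created by hand in the user form. The group IDs (Manager = 6, Administrator = 7, Super Users = 8), the plugin name and the log category are assumptions chosen for the example; the group IDs match a stock Joomla install and must be adjusted on sites with custom groups.

```php
<?php
// Added example (not Securitycheck Pro code): refuse to save any *new* account
// that is a member of an administrative group and record the attempt in a log.
defined('_JEXEC') or die;

use Joomla\CMS\Factory;
use Joomla\CMS\Log\Log;
use Joomla\CMS\Plugin\CMSPlugin;

class PlgUserForbidNewAdmin extends CMSPlugin
{
    /**
     * Group IDs treated as administrative. Assumption: defaults of a stock
     * Joomla install (Manager = 6, Administrator = 7, Super Users = 8).
     */
    private $adminGroupIds = array(6, 7, 8);

    /** Log category used for this plugin's entries (assumed name). */
    private $logCategory = 'plg_user_forbidnewadmin';

    public function __construct(&$subject, $config = array())
    {
        parent::__construct($subject, $config);

        // Write this plugin's entries to their own file under the configured
        // log path (administrator/logs by default) so they are easy to review.
        Log::addLogger(
            array('text_file' => 'forbidnewadmin.php'),
            Log::ALL,
            array($this->logCategory)
        );
    }

    /**
     * Fired by User::save() before the row is written. Returning false makes
     * the core abort the save, so the account never reaches the database.
     *
     * @param   array    $user   Properties of the stored user (empty for a new one)
     * @param   boolean  $isNew  True when the account does not exist yet
     * @param   array    $data   Properties about to be saved
     *
     * @return  boolean
     */
    public function onUserBeforeSave($user, $isNew, $data)
    {
        // Only new accounts are in scope for this check.
        if (!$isNew)
        {
            return true;
        }

        // Groups may arrive as a list or keyed by group id; normalise to ints.
        $requested = isset($data['groups'])
            ? array_map('intval', array_values((array) $data['groups']))
            : array();
        $hit = array_intersect($requested, $this->adminGroupIds);

        if (empty($hit))
        {
            return true;
        }

        // Record which session performed the save; in the XSS scenario this
        // is the administrator whose browser ran the injected script.
        $actor = Factory::getUser();

        Log::add(
            sprintf(
                'Blocked creation of account "%s" with admin group(s) %s; acting user id %d (%s)',
                isset($data['username']) ? $data['username'] : '?',
                implode(',', $hit),
                (int) $actor->id,
                $actor->username
            ),
            Log::WARNING,
            $this->logCategory
        );

        return false;
    }
}
```

The plugin needs the usual XML manifest (omitted here), must be installed in the `user` plugin group and enabled. Two limits worth knowing: an account inserted directly into the database (for example through a compromised database credential) never triggers Joomla events and is not seen by this hook, and the check as written does not cover an existing low-privilege account being promoted into an admin group; that would be a separate check on `$isNew === false` comparing the old and new group lists.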

