Maintaining a safe environment for your website and campaigns is of critical importance, and the security of your email marketing tool is our first priority. We have proactively addressed a crucial concern regarding the templates thumbnail generator. This vulnerability, present from version 6.7.0 up to version 8.4.6, has been mitigated in version 8.5.0, ensuring the integrity of your email campaigns tool. We encourage you to update promptly to benefit from this protection.
We received help from David Jardin, head of the Joomla security team, and Sigrid Gramlinger, Joomla release team lead.
Vulnerability Addressed:
Unauthorized file creation: the templates thumbnail generator could be abused to create malicious PHP files on the server. Once created, such a file gives an attacker full access to your website: all Joomla files, the database credentials stored in the configuration.php file, and your database content, including the user rows. The generator has been fixed so that it can no longer be used this way.
How to update?
To update to the latest version of AcyMailing and benefit from this security patch, use the extensions update page of your Joomla website. You can also download the latest version manually from your account page (click the "Download" button once logged in on our website to reach your download area) and install it like any other extension: the installer updates AcyMailing if it is already installed on your website.
Are you impacted?
Once you have updated AcyMailing to its latest version, we urge you to look for files named thumbnail_*.php (for example thumbnail_999.png?.php) on your websites. The attacks seen so far commonly wrote those files to media/com_acym/images/thumbnails, but the files could have been created in other folders.
If you come across a similarly named file, do not open it; use FTP or SSH to remove it.
- The most common locations (XXX are random letters; the dates of those files may be older than May) are:
  /media/com_acym/images/thumbnails/thumbnail_*.php
  /api/includes/xxx.php
  /components/com_ajax/xxx.php
  /layouts/joomla/icon/xxx.php
  /media/com_XXX/xxx.php
  /media/com_tags/js/xxx.php
  /templates/system/xxx.php
- We are preparing a script to scan your site files and automatically detect the ones created through the vulnerability. For now it can be found on this forum thread.
- If you find an infected file, note its creation date and check the other files that have the same creation date.
- Look for files containing "$_COOKIE", as the attacks seen so far used it to read cookie values.
- If you find malicious files, it is best to change your database password and your FTP/SMTP account passwords (if they are configured in the global Joomla configuration page).
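The checks above can be scripted. The following is an added example written for this page, not the scanner AcyMailing is preparing: it assumes a Linux host with GNU find, grep and date, takes the Joomla root as its first argument, uses the drop locations listed above, and the function names are ours.

```shell
#!/bin/sh
# Added example, not AcyMailing's own scanner: walk a Joomla root for the
# artifacts this advisory describes. Drop locations are the advisory's;
# the function names are ours. GNU find/grep/date assumed (Linux).

# Print candidate files under Joomla root $1, one "<reason> <path>" per line:
# thumbnail_*.php anywhere, .php files in the listed drop folders (which
# normally hold no PHP), and any .php file that references $_COOKIE.
scan_joomla_root() {
    root=$1
    {
        find "$root" -type f -name 'thumbnail_*.php' | sed 's/^/thumbnail-name /'
        for d in media/com_acym/images/thumbnails api/includes components/com_ajax \
                 layouts/joomla/icon media/com_tags/js templates/system; do
            [ -d "$root/$d" ] && find "$root/$d" -maxdepth 1 -type f -name '*.php'
        done | sed 's/^/unexpected-php /'
        # /media/com_XXX/xxx.php: PHP directly inside any media/com_* folder
        [ -d "$root/media" ] && find "$root/media" -mindepth 2 -maxdepth 2 \
            -type f -path '*/com_*/*.php' | sed 's/^/unexpected-php /'
        grep -rlF --include='*.php' '$_COOKIE' "$root" | sed 's/^/cookie-access /'
    } | sort -u
}

# Files under $1 modified on the same calendar day as confirmed hit $2, to
# catch whatever else was dropped in the same run. Uses mtime, since Linux
# exposes no portable creation time; the hit itself is excluded.
files_from_same_day() {
    day=$(date -r "$2" +%Y-%m-%d)
    find "$1" -type f -newermt "$day 00:00:00" ! -newermt "$day 23:59:59" \
        ! -path "$2"
}

# Usage: sh scan.sh /var/www/joomla
if [ "${1:-}" ]; then
    scan_joomla_root "$1"
fi
```

Review every reported path by hand before deleting anything: a site-specific customisation can legitimately place PHP in an unusual folder, and the same-day listing is a lead, not a verdict.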
Our Security Pledge:
Rest assured that your security and the dependability of AcyMailing constitute our steadfast commitment. We encourage you to remain vigilant by consistently updating your AcyMailing installation to the latest security advancements and features.