SDC A.I CyberSecurity Scoring
SDC
Company Information
Website: https://www.structureddata.co.uk/
Employees number: 1
Number of followers: 34
NAICS: 5418
Industry Type: Marketing Services
Homepage: structureddata.co.uk
SDC Risk Score (AI oriented)
Between 700 and 749
Updated: 12/03/2026
749/1000
Moderate
Ba
SDC Global Score (TPRM)
Score locked

Current Score
749 Ba (MODERATE)
1 incident
-1 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
750
MAY 2026
749
APRIL 2026
749
MARCH 2026
749
FEBRUARY 2026
750
Vulnerability
16 Feb 2026 • SDC
EngageBox, Tassos, Google Structured Data and Convert Forms: Critical Joomla Novarain/Tassos Framework Flaws Enable SQL Injection and Unauthenticated File Read
Critical Joomla Framework Vulnerabilities Expose Sites to RCE and Data Theft
749
CRITICAL-1
TASTHE1771259547
Independent researcher p1r0x, in collaboration with SSD Secure Disclosure, has uncovered severe vulnerabilities in Joomla extensions relying on the Novarain/Tassos Framework (now rebranded as Tassos Framework). The flaws enable SQL injection, unauthenticated file reads, and file deletions, which attackers can chain to achieve administrator account takeover and remote code execution (RCE) on unpatched systems.
### Affected Extensions and Framework
The vulnerabilities impact multiple popular Joomla extensions that depend on the plg_system_nrframework plugin, including:
- Convert Forms (v3.2.12 – v5.1.0)
- EngageBox (v6.0.0 – v7.1.0)
- Google Structured Data (v5.1.7 – v6.1.0)
- Advanced Custom Fields (v2.2.0 – v3.1.0)
- Smile Pack (v1.0.0 – v2.1.0)
- Novarain/Tassos Framework (v4.10.14 – v6.0.37)
### Exploit Mechanics
The flaws stem from weak AJAX handling in the framework, particularly a flawed "include" task that allows attackers to:
1. Bypass file-type checks via improper CSV processing, enabling unauthenticated file reads of sensitive local files.
2. Delete files without authentication by exploiting an unprotected unlink() call in the "remove" action, potentially disabling security measures like .htpasswd.
3. Execute SQL injection through unsanitized parameters in database queries, allowing attackers to dump tables or extract admin credentials.
By chaining these exploits, attackers can:
- Steal admin session data or credentials via SQL injection.
- Authenticate as administrators, upload malicious extensions, or inject code into templates for RCE.
- Disrupt site stability by deleting critical files.
### Mitigation and Patches
Tassos has released patched versions of the affected extensions and framework. Site owners should:
- Update immediately via Joomla’s Extension Manager.
- Disable affected extensions or the nrframework plugin if patching is delayed.
- Block *?option=com_ajax* endpoints at the web server or WAF level.
- Monitor logs for suspicious AJAX calls and scan for signs of compromise (e.g., unexpected file changes).
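The log-monitoring step above can be sketched as follows. This is an added example, not code from Tassos, the researchers or this page. It assumes an Apache/Nginx "combined" access log and that the framework plugin is addressed through Joomla's usual `plugin=` parameter on `com_ajax`; the sample lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache/Nginx "combined" access-log prefix: ip, timestamp, request line, status.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def classify(target):
    """Return the reasons a request target deserves review ([] if none)."""
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    # parse_qs percent-decodes; lower-casing stops case tricks evading the match.
    params = {k.lower(): [v.lower() for v in vs] for k, vs in query.items()}
    if "com_ajax" not in params.get("option", []):
        return []
    reasons = ["com_ajax"]
    # Assumption: the framework plugin is addressed as plugin=nrframework.
    if "nrframework" in params.get("plugin", []):
        reasons.append("nrframework plugin")
        if "include" in params.get("task", []):
            reasons.append("include task")
        if "remove" in params.get("action", []):
            reasons.append("remove action")
    return reasons

def flag_requests(lines):
    """Keep only com_ajax calls aimed at the framework plugin."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        ip, when, method, target, status = m.groups()
        reasons = classify(target)
        if "nrframework plugin" in reasons:
            findings.append({"ip": ip, "time": when, "method": method,
                             "status": int(status), "reasons": reasons[1:]})
    return findings

# Constructed sample lines (documentation IP ranges), not taken from a real site.
SAMPLE = [
    '203.0.113.7 - - [16/Feb/2026:10:01:02 +0000] "GET /index.php?option=com_ajax&format=raw&plugin=nrframework&task=include HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.7 - - [16/Feb/2026:10:01:09 +0000] "POST /index.php?option=com%5Fajax&plugin=NRFramework&task=include&action=remove HTTP/1.1" 200 20 "-" "curl/8.0"',
    '198.51.100.4 - - [16/Feb/2026:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 9001 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [16/Feb/2026:10:02:05 +0000] "GET /index.php?option=com_ajax&module=menu&format=json HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE):
        print(hit)
```

Parameters sent in a POST body do not appear in access logs, so a clean result does not rule out such calls.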
### Broader Implications
This disclosure underscores the ongoing risks in third-party Joomla extensions, particularly those with lax input validation and direct filesystem access. Framework developers are urged to harden AJAX endpoints and enforce stricter security practices, while Joomla users should audit extensions regularly and prioritize automated updates.
No CVEs have been assigned yet, but the vulnerabilities demand urgent attention due to their potential for full site compromise.
JANUARY 2026
750
DECEMBER 2025
750
NOVEMBER 2025
750
OCTOBER 2025
750
SEPTEMBER 2025
750
AUGUST 2025
750
JULY 2025
750
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for SDC?
What was SDC's A.I Rankiteo Cyber Score in May 2026?
What was SDC's A.I Rankiteo Cyber Score in April 2026?
What was SDC's A.I Rankiteo Cyber Score in March 2026?
What was SDC's A.I Rankiteo Cyber Score in February 2026?
What was SDC's A.I Rankiteo Cyber Score in January 2026?
What was SDC's A.I Rankiteo Cyber Score in December 2025?
What was SDC's A.I Rankiteo Cyber Score in November 2025?
What was SDC's A.I Rankiteo Cyber Score in October 2025?
What was SDC's A.I Rankiteo Cyber Score in September 2025?
What was SDC's A.I Rankiteo Cyber Score in August 2025?
What was SDC's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on SDC's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with SDC?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view SDC's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?