Flaws in the Joomla Novarain/Tassos Framework

Critical security flaws in websites running the Novarain/Tassos Framework allow unauthenticated file read, file deletion, and SQL injection attacks. On unpatched systems, these vulnerabilities could result in remote code execution and full administrator takeover.
Many well-known Tassos extensions are affected, and the issues need to be fixed immediately using the vendor's most recent releases. Three fundamental primitives were discovered during a source-code review of the shared Novarain/Tassos Framework plugin (plg_system_nrframework). They are exposed by an AJAX handler that processes the task=include action without the necessary hardening. By abusing this entry point to invoke PHP classes under the Joomla site root that implement an onAjax method, an attacker can effectively turn internal helper classes into remotely reachable gadgets.
Among these classes, one handles CSV loading incorrectly and can be forced to read any file the webserver user has access to. A second exposes a remove action that deletes attacker-supplied paths without further validation. A third, used for dynamic field population, passes attacker-controlled parameters into database queries, creating a SQL injection primitive that can read any table and column available to the Joomla database account.
By chaining these capabilities, an external attacker can obtain persistent RCE by stealing administrator session data from the database, pivoting into the backend, and then deploying a malicious extension or changing templates.
Affected elements and their effects

Many popular Joomla extensions, such as Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, and Smile Pack, ship with the vulnerable framework, so many websites are indirectly exposed to the risk.

Affected components and extensions, with affected versions:
  Novarain/Tassos Framework (plg_system_nrframework): 4.10.14 to 6.0.37
  Convert Forms: 3.2.12 to 5.1.0
  EngageBox: 6.0.0 to 7.1.0
  Google Structured Data: 5.1.7 to 6.1.0
  Advanced Custom Fields: 2.2.0 to 3.1.0
  Smile Pack: 1.0.0 to 2.1.0

The affected ranges cover specific releases of each extension and of the framework plugin; exploitation is feasible as long as the system plugin is left enabled on a website reachable from the internet.
Common hardening measures such as restricting access to the admin role or adding extra passwords do not help here, because the attack vector uses only unauthenticated AJAX requests. Once an attacker can read or remove files and query the database, adding plugin-level secrets does not stop compromise. Realistic attack chains allow adversaries to obtain super admin sessions through SQL injection, log into the backend, and then weaponize file-write paths to run arbitrary PHP code, ultimately taking over the entire website.
In response, the vendor released updated versions of the Tassos Framework and impacted extensions, which can be found via the official downloads page and the regular Joomla update procedures. Independent security researcher p1r0x, working with SSD Secure Disclosure, found the vulnerabilities.
Administrators should update all Tassos components immediately or, until patching is complete, temporarily disable the plg_system_nrframework plugin and associated extensions on vulnerable sites. As a defense-in-depth measure, operators should filter or limit com_ajax traffic at the web server or WAF. They should also check logs for unusual CSV-related AJAX activity, suspicious task=include requests, or unexplained file deletions that might indicate attempted exploitation.
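One way to run the log review recommended above, as an added example that is not code from the vendor or the disclosure: a small Python scan over web-server access logs that flags com_ajax requests carrying task=include, requests addressed to the framework plugin, and CSV-related AJAX calls. It assumes Joomla's usual com_ajax convention (option=com_ajax&plugin=<name>) and that the framework plugin is addressed as plugin=nrframework; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (Apache combined format); not real traffic.
# Plugin names (nrframework, convertforms) are assumed from the extension names
# in the article, not confirmed parameter values.
SAMPLE_LOG = """\
203.0.113.10 - - [10/May/2025:12:00:01 +0000] "GET /index.php?option=com_ajax&plugin=nrframework&group=system&format=raw&task=include&class=SomeClass HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.7 - - [10/May/2025:12:00:02 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.10 - - [10/May/2025:12:00:03 +0000] "POST /index.php?option=com_ajax&plugin=nrframework&format=raw HTTP/1.1" 200 120 "-" "curl/8.0"
192.0.2.44 - - [10/May/2025:12:00:04 +0000] "GET /index.php?option=com_ajax&plugin=convertforms&format=raw HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')


def classify(method, target):
    """Return (severity, reason) for one request target, or None if uninteresting."""
    query = parse_qs(urlsplit(target).query)

    def first(key):
        return query.get(key, [""])[0].lower()

    if first("option") != "com_ajax":
        return None
    if first("task") == "include":
        return ("high", "task=include sent to com_ajax")
    if first("plugin") == "nrframework":
        # A POST body may carry task=include; the access log does not record it.
        return ("medium", "request to nrframework AJAX handler (%s)" % method)
    if "csv" in target.lower():
        return ("medium", "CSV-related AJAX request")
    return None


def suspicious_requests(log_text):
    """Parse access-log text and return one finding per request worth review."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        verdict = classify(m["method"], m["target"])
        if verdict:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                             "severity": verdict[0], "reason": verdict[1]})
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

Medium findings on plugin=nrframework are expected on sites that legitimately use the framework; correlate them by source address and status code rather than treating each one as an incident.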