Proof of concept to install backdoor via unencrypted Joomla update
Latest commit ab51d14 Jul 15, 2016 @hannob initial commit
core initial commit Jul 15, 2016
README.md initial commit Jul 15, 2016

README.md

joomla-nohttps-poc

Proof of concept to install backdoor via unencrypted Joomla update

background

The Joomla CMS before version 3.5 used an insecure update process over HTTP.

This is a proof of concept. If you redirect requests to update.joomla.org to an HTTP host containing the files in this repo, Joomla will show an update to a fictitious version 3.5.99. This 3.5.99 update will install a trivial PHP backdoor.
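A defender-side check for the weakness described above, added here as an example and not part of this repository: it audits an update manifest and the URL it was fetched from, and reports every location that would be retrieved without TLS. The manifest content, its element names, and the hostnames are constructed for illustration and are assumptions, not values taken from Joomla or from this repo.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample manifest; element names and hosts are assumptions.
SAMPLE_MANIFEST = """<?xml version="1.0"?>
<updates>
  <update>
    <name>Example CMS core</name>
    <version>9.9.9</version>
    <infourl title="Release notes">https://cms.example/notes</infourl>
    <downloads>
      <downloadurl type="full" format="zip"> HTTP://updates.example/core.zip </downloadurl>
      <downloadurl type="full" format="zip">https://updates.example/core.zip</downloadurl>
    </downloads>
  </update>
</updates>
"""


def _is_plaintext(value):
    """True when value is a URL that would be fetched without TLS."""
    parts = urlsplit(value.strip())
    # urlsplit lowercases the scheme, so "HTTP://" is caught as well.
    return parts.scheme in ("http", "ftp") and bool(parts.netloc)


def audit_update_sources(fetch_url, manifest_xml):
    """Return (location, url) pairs for every plaintext update source.

    fetch_url is where the manifest itself came from; a manifest served
    over HTTPS can still point the installer at an HTTP package, so both
    the fetch URL and every URL inside the manifest are checked.
    """
    findings = []
    if _is_plaintext(fetch_url):
        findings.append(("manifest-fetch", fetch_url.strip()))
    root = ET.fromstring(manifest_xml)
    for elem in root.iter():
        # Inspect element text and all attribute values, whatever the tag.
        for value in [elem.text or ""] + list(elem.attrib.values()):
            if _is_plaintext(value):
                findings.append((elem.tag, value.strip()))
    return findings


if __name__ == "__main__":
    for where, url in audit_update_sources(
            "http://update.example/core/list.xml", SAMPLE_MANIFEST):
        print(f"plaintext update source in {where}: {url}")
```

An empty result only shows that transport is encrypted; it does not show that the package itself is authenticated.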