Login Form Module Hack #5407

Closed
aetherwizard opened this issue Dec 12, 2014 · 5 comments
@aetherwizard

Steps to reproduce the issue

New install of Joomla 3.3.6, enable "Encrypt Login Form" in the "Login Form" module, then login with superuser credentials.

Expected result

One would expect to login to the backend.

Actual result

My login presents a French language web site selling jewelry with my domain and with a fake https url. When the encryption is turned off, the fake login disappears. This is clearly embedded in the code and not something coming from the browser or a hacked directory.

System information (as much as possible)

Apache Version 2.2.29
PHP Version 5.3.29
MySQL Version 5.5.40-cll
Architecture x86_64
Operating System linux
Joomla 3.3.6
Browser Chromium Version 39.0.2171.65 running on Ubuntu 14.04 (64-bit)

Additional comments

@brianteeman
Contributor

This tracker is for issues with the core code of Joomla. For support please use the forum http://forum.joomla.org and, in this specific case, the security forum.

@aetherwizard
Author

If you are not interested in fixing this obvious hack, it is your problem.
I disabled the offending module and replaced it with something else.

David Thomson
Secrets of the Aether
https://sites.google.com/site/qadi16pi2/home/secrets-of-the-aether

On Fri, Dec 12, 2014 at 1:50 AM, Brian Teeman notifications@github.com wrote:

> Closed #5407.

@zero-24
Contributor

zero-24 commented Dec 12, 2014

@aetherwizard

> This is clearly embedded in the code and not something coming from the browser or a hacked directory.

Please have a look into the code that handles the login and compare it with your code.
Frontend:
https://github.com/joomla/joomla-cms/tree/staging/modules/mod_login

Backend:
https://github.com/joomla/joomla-cms/tree/staging/administrator/modules/mod_login

There is nothing in the Core that redirects to an external website.

If you use the default Joomla core login module.

> New install of Joomla 3.3.6, enable "Encrypt Login Form" in the "Login Form" module, then login with superuser credentials.

Please try again with: https://github.com/joomla/joomla-cms/releases/download/3.3.6/Joomla_3.3.6-Stable-Full_Package.zip

Please check if you have a TLS/SSL certificate enabled for your domain. If yes, check with your host that it is not a bad configuration.

> One would expect to login to the backend.

Please make sure you use this URL for the Backend
https://www.example.org/administrator (replace example.org with your domain)

> This is clearly embedded in the code and not something coming from the browser or a hacked directory.

Please disable all third-party extensions and try it from another computer with different browsers (to be sure that it is not your host that is infected).

@aetherwizard
Author

I said, "One would expect to login to the backend."

It was late at night. I should have written, "One would have expected to
login as a registered user."

> Please disable all third-party extensions and try it from another computer
> with different browsers (to be sure that it is not your host that is
> infected).

This situation occurred from a brand new install. There were no third party
extensions of any kind loaded at that time. I tried this from two different
computers with two different browsers and operating systems. I got the same
redirection from both machines. (Chromium on Ubuntu 14.04 and Chrome on
Windows 7, all completely updated)

The Joomla 3.3.6 distribution comes from Installatron located in my host's
CPanel. At this point, considering all that I have yet to do and have done,
I am not going to reinstall different distributions to hunt this down. I
mentioned it here for the information of the developer community as it
seemed like an outright dirty hack.

I disabled the Login Form module and installed a different login module
from Joomla Extensions. It works fine and there are no more redirects. That
is all I can do on this at this time. I have about a dozen Joomla
installations to get running and migrate entire sites, which is going to
take me a couple months, at least.

David Thomson
Secrets of the Aether
https://sites.google.com/site/qadi16pi2/home/secrets-of-the-aether


@roland-d
Contributor

@aetherwizard You are better off getting an official distribution of Joomla through http://www.joomla.org/download instead of Installatron. The version you get from Installatron seems to be infected.

> The Joomla 3.3.6 distribution comes from Installatron located in my host's CPanel.

So you used the same infected files on both sites, this way you will see the same behavior.
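
An added example, not part of the thread and not Joomla project code: one way to carry out the comparison suggested above, hashing the two login-module directories of an installed site against a clean tree extracted from the official package. The directory paths are the ones linked in the thread; the function names and the sample files are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Module directories named in the thread (frontend and backend login modules).
LOGIN_MODULE_DIRS = ("modules/mod_login", "administrator/modules/mod_login")


def hash_tree(root, subdirs=LOGIN_MODULE_DIRS):
    """Map relative path -> SHA-256 for every file under the given subdirs."""
    root = Path(root)
    files = [p for sub in subdirs if (root / sub).is_dir()
             for p in (root / sub).rglob("*") if p.is_file()]
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in files}


def compare_trees(reference_root, installed_root, subdirs=LOGIN_MODULE_DIRS):
    """Report files that differ from, are absent from, or are extra to the reference."""
    ref = hash_tree(reference_root, subdirs)
    live = hash_tree(installed_root, subdirs)
    return {
        "modified": sorted(p for p in ref.keys() & live.keys() if ref[p] != live[p]),
        "missing": sorted(ref.keys() - live.keys()),
        "added": sorted(live.keys() - ref.keys()),
    }


def build_demo_trees(workdir):
    """Constructed sample: a clean reference tree and a tampered installed tree."""
    ref, live = Path(workdir) / "reference", Path(workdir) / "installed"
    clean = {
        "modules/mod_login/mod_login.php": b"<?php // constructed clean file\n",
        "modules/mod_login/tmpl/default.php": b"<?php // constructed clean template\n",
        "administrator/modules/mod_login/mod_login.php": b"<?php // constructed admin file\n",
    }
    for root in (ref, live):
        for rel, data in clean.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
    # Simulate tampering: one altered template and one file the reference lacks.
    (live / "modules/mod_login/tmpl/default.php").write_bytes(b"<?php // constructed altered\n")
    (live / "modules/mod_login/extra.php").write_bytes(b"<?php // constructed unexpected\n")
    return ref, live


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(compare_trees(*build_demo_trees(tmp)))
```

On a real site, `reference_root` would be the unpacked official 3.3.6 package and `installed_root` the web root; any entry under "modified" or "added" is a file to inspect by hand.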
