CVE-2022-23793 Overview
CVE-2022-23793 is a Path Traversal vulnerability (also known as "Zip Slip") affecting Joomla! content management system versions 3.0.0 through 3.10.6 and 4.0.0 through 4.1.0. The vulnerability exists in the TAR archive extractor component, allowing attackers to craft malicious tar packages that, when extracted, write files to arbitrary locations outside the intended extraction directory. This can lead to overwriting critical system files, configuration manipulation, or achieving remote code execution through webshell placement.
Critical Impact
Attackers can exploit this vulnerability to write arbitrary files outside the intended extraction path, potentially overwriting critical configuration files or planting malicious code for remote code execution.
Affected Products
- Joomla! 3.0.0 through 3.10.6
- Joomla! 4.0.0 through 4.1.0
- Any applications utilizing Joomla's TAR archive extraction functionality
Discovery Timeline
- 2022-03-30 - CVE-2022-23793 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-23793
Vulnerability Analysis
This vulnerability falls under CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), commonly referred to as a Path Traversal or "Zip Slip" vulnerability. The flaw resides in Joomla's TAR archive extraction mechanism, which fails to properly validate and sanitize file paths contained within tar archives before writing extracted files to the filesystem.
When a TAR archive is processed, the extraction routine reads the file path information stored within the archive headers. A malicious actor can craft a tar package containing entries with path traversal sequences (such as ../) in the filename. Without proper validation, the extraction process follows these relative path components, allowing files to be written to directories above or outside the intended extraction root.
The vulnerability enables network-based attacks where an authenticated user with extension installation privileges, or an attacker who can influence archive extraction operations, could deploy malicious files to arbitrary filesystem locations.
Root Cause
The root cause is insufficient input validation in Joomla's TAR archive extraction implementation. The extractor does not properly sanitize or validate the destination paths derived from archive entry names before writing files. Specifically, the code fails to:
- Normalize and resolve the final destination path
- Verify that the resolved path remains within the intended extraction directory
- Reject or sanitize entries containing path traversal sequences like ../ or absolute paths
This allows archive entries with crafted filenames to escape the extraction sandbox and write to arbitrary locations accessible by the web server process.
Attack Vector
The attack vector is network-based, requiring no user interaction beyond the initial archive extraction trigger. An attacker would:
- Craft a malicious TAR archive containing files with path traversal sequences in their names (e.g., ../../configuration.php or ../../../tmp/shell.php)
- Upload or deliver the malicious archive through an extension installation mechanism, template upload, or any functionality that processes TAR archives
- When the archive is extracted, the malicious files are written to locations outside the intended extraction directory
The vulnerability mechanism works by embedding traversal sequences within the tar archive structure. When the TAR extractor processes entries, it concatenates the extraction directory with the entry's stored filename. Without proper path canonicalization and boundary checking, a filename like ../../../config/settings.php would cause the extractor to write outside the intended directory.
For detailed technical analysis and proof-of-concept information, refer to the Packet Storm Exploit Analysis.
Detection Methods for CVE-2022-23793
Indicators of Compromise
- Unexpected file modifications or new files appearing outside Joomla's installation directories
- Web server access logs showing requests to newly created files in non-standard locations
- Modified configuration.php or other critical Joomla configuration files with unexpected timestamps
- Presence of suspicious PHP files in system directories (e.g., /tmp/, web root parent directories)
- Audit logs indicating archive extraction operations followed by unauthorized file access
Detection Strategies
- Monitor file integrity for critical Joomla files including configuration.php, index.php, and files in the administrator/ directory
- Implement web application firewall (WAF) rules to detect and block malicious archive uploads containing path traversal patterns
- Deploy endpoint detection solutions like SentinelOne to identify anomalous file write operations by the web server process
- Analyze archive uploads for entries containing ../ sequences before processing
Monitoring Recommendations
- Enable comprehensive file system auditing on Joomla installation directories and parent paths
- Configure real-time alerting for any file modifications outside expected update windows
- Monitor web server error logs for path-related errors that may indicate exploitation attempts
- Implement behavioral analysis to detect archive extraction processes writing to unexpected locations
How to Mitigate CVE-2022-23793
Immediate Actions Required
- Update Joomla! 3.x installations to version 3.10.7 or later immediately
- Update Joomla! 4.x installations to version 4.1.1 or later immediately
- Review web server filesystem permissions to minimize the impact of potential file write exploits
- Audit recently extracted archives and verify no unauthorized files were created outside expected directories
Patch Information
Joomla has released security updates addressing this vulnerability. Organizations should apply the official patches as follows:
- Joomla 3.x: Upgrade to version 3.10.7 or later
- Joomla 4.x: Upgrade to version 4.1.1 or later
The patch implements proper path validation and sanitization in the TAR extraction routine, ensuring that extracted files cannot be written outside the designated extraction directory. For complete patch details and download links, consult the Joomla Security Advisory.
Workarounds
- Restrict extension installation capabilities to only trusted administrators until patches can be applied
- Implement file system permissions that prevent the web server process from writing to directories outside the Joomla installation
- Use a web application firewall (WAF) to filter archive uploads and reject those containing path traversal patterns
- Disable or restrict TAR archive processing functionality if not required for operations
# Restrict web server write permissions to Joomla directories only
# Example for Apache with Joomla installed in /var/www/joomla
chown -R www-data:www-data /var/www/joomla
chmod -R 755 /var/www/joomla
# Ensure parent directories are not writable by web server
chmod 755 /var/www
chown root:root /var/www
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
