Joomla version detection has been inaccurate for quite some time. The current joomla_detect.nasl script acknowledges this in a comment. The script’s final attempt at identifying a Joomla version relies on reading a version from a ‘mod_login.xml’ file which has not been updated since version 3.0.0, resulting in all vulnerabilities from 3.0.0 onwards being applied to updated Joomla installs.
I couldn’t find where to contribute to the feed beyond a couple of posts that suggested just adding contributions here, so here:
I have found that other version sniffers rely on an alternative to mod_login.xml - ‘/administrator/manifests/files/joomla.xml’ - and added this file as a detection before the ‘mod_login.xml’ detection.
The diff is below:
@@ -190,6 +190,25 @@ foreach dir( make_list_unique( "/", "/cms", "/joomla", http_cgi_dirs( port:port
}
}
+ if( version == "unknown" ) {
+
+ url = dir + "/administrator/manifests/files/joomla.xml";
+ req = http_get( item:url, port:port );
+ buf = http_keepalive_send_recv( port:port, data:req, bodyonly:FALSE );
+
+ if( buf =~ "^HTTP/1\.[01] 200" ) {
+ # <version>3.0.0</version>
+ ver = eregmatch( string:buf, pattern:"<version>([^<]+)</version>" );
+ }
+
+ if( ! isnull( ver[1] ) ) {
+ if( conclUrl )
+ conclUrl += " and " + http_report_vuln_url( url:url, port:port, url_only:TRUE );
+ version = ver[1];
+ concluded = ver[0];
+ }
+ }
+
if( version == "unknown" ) {
# This file version is not really reliable. On e.g. Joomla 4.0.3 this version is:
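Review bot: `ver` is not initialised before the `if( buf =~ "^HTTP/1\.[01] 200" )` check in this block, so when joomla.xml is missing or answers with anything other than 200 the `if( ! isnull( ver[1] ) )` test reads whatever `ver` held before the block and may report a stale match as the version found at this URL; add `ver = NULL;` at the start of the block, right after `url = dir + "/administrator/manifests/files/joomla.xml";`. Also consider confirming the 200 body actually is the Joomla manifest (a marker beyond a bare `<version>` tag) before trusting it, since a catch-all 200 page containing any `<version>` element would otherwise set `version` and `concluded` to an unrelated value.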
I’m just copying the detection that was used for the other file but swapping in the alternative manifest. I have tested this against a live target running Joomla 5.4.3 and found it to be accurate provided the server is allowing .xml files to be served.