Joomla Tassos Framework Flaws Enable SQLi and File Attacks


Joomla sites using the Novarain/Tassos Framework face critical vulnerabilities that allow unauthenticated file read, file deletion, and SQL injection. Chained together, these lead to admin takeover and RCE. The flaws affect the plg_system_nrframework plugin and the extensions that bundle it, such as Convert Forms and EngageBox.

Independent researcher p1r0x discovered the issues through source code review. The plugin's AJAX handler processes the task=include parameter without validation, which exposes internal PHP classes that implement onAjax methods as remotely invokable gadgets.

Three attack primitives emerge. A CSV loader bypasses file checks, allowing arbitrary reads as the webserver user. A remove action calls unlink() on any path. Dynamic field population passes unsanitized input into database queries, enabling table dumps.

Complete Attack Chain

Attackers chain the primitives systematically:

Attackers start with SQL injection to dump admin session data from the Joomla database tables. They pivot to a backend login using the stolen sessions. File deletion removes security files such as .htpasswd. Finally, they upload malicious extensions or modify templates for persistent RCE.

No authentication is required. The attack works against any internet-facing site with the plugin enabled, so common hardening such as restricting the administrator backend does not help against these unauthenticated requests.

Affected Extensions List

| Extension | Vulnerable Versions | Update Required |
|---|---|---|
| Novarain/Tassos Framework (plg_system_nrframework) | v4.10.14 – v6.0.37 | Latest vendor build |
| Convert Forms | v3.2.12 – v5.1.0 | Latest vendor build |
| EngageBox | v6.0.0 – v7.1.0 | Latest vendor build |
| Google Structured Data | v5.1.7 – v6.1.0 | Latest vendor build |
| Advanced Custom Fields | v2.2.0 – v3.1.0 | Latest vendor build |
| Smile Pack | v1.0.0 – v2.1.0 | Latest vendor build |

Sites inherit the risk through the bundled framework: installing any of these extensions installs plg_system_nrframework as well. The vulnerable versions span years of deployments.
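To turn the table above into an inventory check, the following added example (not code from the article or from Tassos) compares an installed version against the inclusive ranges listed there. It reads the version from a Joomla extension manifest; the manifest layout it assumes (an <extension> root with a direct <version> child) and the sample manifest with version 5.2.0 are constructed for illustration, not taken from a real installation.

```python
import re
import xml.etree.ElementTree as ET

# Inclusive affected ranges, copied from the article's table.
AFFECTED_RANGES = {
    "Novarain/Tassos Framework": ("4.10.14", "6.0.37"),
    "Convert Forms": ("3.2.12", "5.1.0"),
    "EngageBox": ("6.0.0", "7.1.0"),
    "Google Structured Data": ("5.1.7", "6.1.0"),
    "Advanced Custom Fields": ("2.2.0", "3.1.0"),
    "Smile Pack": ("1.0.0", "2.1.0"),
}


def parse_version(text):
    """Convert '6.0.37' into (6, 0, 37).

    Components are compared as integers so that 4.10.14 sorts after 4.9.0
    (a plain string comparison would get this wrong). A trailing suffix
    such as '-rc1' is ignored, and versions with fewer than three
    components are padded with zeros so that '6.0' equals '6.0.0'.
    """
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected(extension, version):
    """True if `version` of `extension` lies inside the published range."""
    if extension not in AFFECTED_RANGES:
        raise KeyError(f"{extension!r} is not in the affected list")
    low, high = AFFECTED_RANGES[extension]
    return parse_version(low) <= parse_version(version) <= parse_version(high)


def version_from_manifest(xml_text):
    """Read the <version> element from a Joomla extension manifest.

    Assumption: the manifest root is <extension> with a direct <version>
    child; adjust the lookup if a manifest nests it differently.
    """
    root = ET.fromstring(xml_text)
    version = root.findtext("version")
    if version is None:
        raise ValueError("manifest has no <version> element")
    return version.strip()


# Constructed sample manifest for the framework plugin; the version is made up.
SAMPLE_MANIFEST = """<extension type="plugin" group="system" method="upgrade">
    <name>plg_system_nrframework</name>
    <version>5.2.0</version>
</extension>
"""


def check_manifest(xml_text, extension="Novarain/Tassos Framework"):
    """Return (installed_version, affected) for one manifest."""
    version = version_from_manifest(xml_text)
    return version, is_affected(extension, version)


if __name__ == "__main__":
    installed, affected = check_manifest(SAMPLE_MANIFEST)
    state = "inside the affected range, update" if affected else "outside the published range"
    print(f"plg_system_nrframework {installed}: {state}")
```

A version above the top of a range is reported as not affected only because it is outside the published range, not because it has been verified as fixed; the vendor's latest build remains the target.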

Technical Breakdown

File Read Primitive: the CSV loader skips extension validation, so an attacker can read configuration.php (Joomla's equivalent of wp-config.php) or any other file the webserver user can access.

File Deletion Primitive: a direct unlink() call deletes logs, .htaccess and other security files without any checks.

SQL Injection Primitive: unsanitized parameters reach the dynamic field queries, allowing the users table, session data or arbitrary columns to be dumped with the privileges of the database user.

Chaining sequence:

  1. SQLi → Extract admin sessions
  2. Backend login → Admin privileges
  3. File delete → Remove defenses
  4. Extension upload → Persistent RCE

Vendor Response Status

Tassos has released fixed builds across the framework and the affected extensions. Updates are available through the official downloads section, which requires Download Key authentication.

Standard Joomla update mechanisms deliver the patches. Sites must enable automatic updates or download the builds manually from the vendor.

If updates cannot be applied, disable plg_system_nrframework immediately; dependent extensions will stop working until the plugin is re-enabled.

Immediate Mitigation Steps

  • Update all Tassos components to latest versions
  • Disable plg_system_nrframework plugin on exposed sites
  • Filter com_ajax traffic at webserver/WAF level
  • Review logs for task=include requests
  • Monitor for CSV-related AJAX calls
  • Check for unexplained file deletions

Plugin secrets provide no protection after compromise, and the attack primitives bypass all authorization layers.

Log Indicators of Compromise

  • POST requests to ?option=com_ajax&group=nrframework&plugin=nrframework&format=json with task=include
  • Unusual CSV file handling in AJAX logs
  • Missing security files (.htaccess, .htpasswd)
  • New admin sessions from unknown IPs
  • Modified templates or rogue extensions
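The log-review items in the mitigation list and the request indicator above reduce to one predicate: a request to com_ajax with group=nrframework and plugin=nrframework, carrying task=include or a CSV-related parameter. The following added example (not code from the article or from Tassos) applies that predicate to Apache combined-format access logs. The log lines, the IP addresses and the file=data.csv parameter are constructed for illustration; the plugin's real parameter names beyond task are not given in the article, so the CSV check looks for ".csv" in any query value rather than a specific key.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format); none are real traffic.
# Lines 1-2 carry the indicator from the article; lines 3-4 are benign traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "POST /index.php?option=com_ajax&group=nrframework&plugin=nrframework&format=json&task=include HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "POST /index.php?option=com_ajax&group=nrframework&plugin=nrframework&format=json&task=include&file=data.csv HTTP/1.1" 200 2048 "-" "curl/8.0"
198.51.100.7 - - [01/Jan/2025:10:00:03 +0000] "GET /index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:00:04 +0000] "POST /index.php?option=com_ajax&group=system&plugin=cache&format=json HTTP/1.1" 200 64 "-" "Mozilla/5.0"
"""

# Client IP, timestamp, method, request target and status code from a combined-format line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Split one access-log line into its fields; returns None for unparseable lines."""
    match = REQUEST_RE.match(line)
    if not match:
        return None
    target = urlsplit(match.group("target"))
    return {
        "ip": match.group("ip"),
        "ts": match.group("ts"),
        "method": match.group("method"),
        "path": target.path,
        "query": parse_qs(target.query, keep_blank_values=True),
        "status": int(match.group("status")),
    }


def classify(request):
    """Return the list of indicator names that match this request (empty if none)."""
    query = request["query"]

    def first(key):
        return query.get(key, [""])[0].lower()

    # Only the nrframework plugin entry point of com_ajax is of interest.
    if first("option") != "com_ajax":
        return []
    if first("group") != "nrframework" or first("plugin") != "nrframework":
        return []

    reasons = []
    if first("task") == "include":
        reasons.append("task=include")
    if any(".csv" in value.lower() for values in query.values() for value in values):
        reasons.append("csv-parameter")
    return reasons


def scan_log(text):
    """Return every parsed request that matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        request = parse_line(line)
        if request is None:
            continue
        reasons = classify(request)
        if reasons:
            findings.append({**request, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} {hit['method']} {hit['path']} -> {', '.join(hit['reasons'])}")
```

Access logs record only the query string, so a task=include sent in a POST body will not appear here; matching the com_ajax/nrframework plugin portion alone (the first two checks in classify) is the safer net for a WAF or webserver filter, at the cost of also matching legitimate calls from the dependent extensions until they are updated.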

Attack Impact Scope

| Impact | Description | Scope |
|---|---|---|
| Data Theft | Config files, user data, sessions | Full database |
| Site Defacement | Template modifications | Persistent |
| RCE | Malicious PHP execution | Server control |
| Lateral Movement | Admin credentials stolen | Network access |

FAQ

Which Joomla extensions are affected?

Convert Forms, EngageBox, Google Structured Data, Advanced Custom Fields, Smile Pack. Full list above.

What attack primitives exist?

Unauthenticated file read, file deletion, SQL injection.

How do attacks chain?

SQLi dumps sessions → Admin login → File delete → RCE via extensions/templates.

Are patches available?

Yes. The vendor ships fixed builds through Joomla updates and the Download Key section.

What immediate action is needed?

Update all Tassos components. Disable plg_system_nrframework if exposed.

Does admin hardening protect?

No. Attacks require zero authentication via public AJAX endpoints.

What logs show exploitation?

task=include requests, CSV AJAX activity, missing security files.
