Share
## https://sploitus.com/exploit?id=4BD25E6A-66F0-50E1-B6FD-ECBB9CE515FA
# CVE-2026-48908 โ€” Joomla SP Page Builder Validation and Detection

Laboratory validation of CVE-2026-48908 in the Joomla SP Page Builder component, focused on technical evidence, event reconstruction, and defensive detection opportunities.

The repository documents a controlled test in which the SP Page Builder `asset.uploadCustomIcon` endpoint accepted uploaded icon archives that resulted in PHP artifacts being written under the Joomla media directory. Invoking the uploaded PHP file over HTTP led to command execution as the web server process user. The resulting HTTP, file, process, authentication, and network activity was captured using Apache container logs, Linux `auditd`, `tcpdump`, Docker telemetry, file-change polling, and screenshots from the Windows host.

> [!IMPORTANT]
> This repository contains reports and screenshots only. Offensive exploit code, payload source, raw PCAP files, and raw host evidence packages are intentionally not included. The material is intended for vulnerability validation, SOC engineering, detection development, incident-response preparation, and authorized research.

## Reports

- [English validation report](reports/CVE-2026-48908_SP_Page_Builder_detection_EN.pdf)
- [Polish validation report](reports/CVE-2026-48908_SP_Page_Builder_detection_PL.pdf)

Both reports contain the full test methodology, evidence excerpts, event timeline, file-change evidence, network indicators, mitigation guidance, audit recommendations, and example SIEM logic.

## Repository structure

```text
.
โ”œโ”€โ”€ README.md
โ”œโ”€โ”€ SHA256SUMS.txt
โ”œโ”€โ”€ reports/
โ”‚   โ”œโ”€โ”€ CVE-2026-48908_SP_Page_Builder_detection_EN.pdf
โ”‚   โ””โ”€โ”€ CVE-2026-48908_SP_Page_Builder_detection_PL.pdf
โ””โ”€โ”€ screenshots/
    โ”œโ”€โ”€ 01_poc_upload_and_code_execution.png
    โ”œโ”€โ”€ 02_http_whoami_www_data.png
    โ”œโ”€โ”€ 03_tcp_callback_ncat.png
    โ”œโ”€โ”€ 04_reverse_shell_session.png
    โ””โ”€โ”€ 05_root_access_and_su_failure_redacted.png
```

No exploit source, payload source, raw PCAP, raw Docker evidence package, or DOCX source files are included.

## Test environment

| Role | System |
|---|---|
| Victim host | Ubuntu 24.04.4 LTS, kernel 6.17.0-35-generic, Docker Engine 29.5.3 |
| Target application | Joomla 5.4.7, PHP 8.3.32, Apache HTTP Server, image `joomla:5-php8.3-apache` |
| Component | JoomShaper SP Page Builder |
| Container | `joomla5-builders` |
| Attacker workstation | Microsoft Windows 11 Home 10.0.26200 |
| Joomla service | `http://172.20.10.3:8080` |
| Windows test address | `172.20.10.2` |
| Container address | `172.21.0.3` |
| Test date | 9 July 2026 |

The Joomla webroot `/var/www/html` was backed by the Docker volume `joomla5-builders_joomla_data`. This matters for detection: `docker diff` did not provide detailed visibility into file changes inside the volume, so file monitoring had to rely on volume-aware file listings and host-side monitoring guidance.

## What was validated

The test was performed in an isolated and authorized laboratory environment. The validation covered the following sequence:

1. Joomla 5 was deployed in Docker with SP Page Builder installed.
2. A public project listed in References was used as the initial validation reference.
3. The SP Page Builder `asset.uploadCustomIcon` endpoint accepted uploaded icon archives in the laboratory environment.
4. New directories and files were created under `/media/com_sppagebuilder/assets/iconfont/`.
5. The uploaded content included mixed-case PHP extensions and an `.htaccess` file that changed PHP handling for the `.PHP` extension.
6. The uploaded PHP artifact was invoked over HTTP and executed controlled commands.
7. A one-time TCP callback to the Windows host confirmed outbound connectivity.
8. A controlled reverse shell test confirmed interactive command execution as the web server user.
9. Attempts to access `/root` and to switch user with `su -` failed.
10. Evidence from victim-side telemetry and Windows screenshots was correlated into a single UTC timeline.

The reports intentionally document evidence and detection logic without distributing a reusable exploit or payload implementation.

## Confirmed result

The laboratory test confirmed:

- unauthorized upload through the SP Page Builder `asset.uploadCustomIcon` endpoint;
- creation of PHP and `.htaccess` artifacts under the Joomla media directory;
- server-side execution of the uploaded PHP artifact after an HTTP request;
- execution in the context of the Apache/PHP process user;
- outbound TCP connectivity from the Joomla container to the Windows host;
- an interactive reverse shell session as `www-data`;
- no confirmed privilege escalation to root.

Inside the container, the effective identity was:

```text
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```

The failed privilege-escalation attempt was visible as:

```text
cd root
bash: cd: root: Permission denied
su -
Password:
su: Authentication failure
```

## Key evidence

### Public PoC validation and upload behavior

The public PoC tested several extension variants and confirmed that a combination involving a mixed-case PHP extension and `.htaccess` could lead to execution in the laboratory setup.

![PoC upload and code execution](screenshots/01_poc_upload_and_code_execution.png)

### Code execution as the web server user

A controlled HTTP request executed `whoami`, and the browser displayed the effective process user.

![HTTP whoami result](screenshots/02_http_whoami_www_data.png)

### One-time TCP callback

Before the interactive test, a safer single-message callback was used to confirm outbound connectivity from the target environment to the Windows host on TCP port 4444.

![One-time TCP callback](screenshots/03_tcp_callback_ncat.png)

### Reverse shell session

The interactive session confirmed execution as `www-data`, Linux as the operating system, and a working directory under the Joomla SP Page Builder media path.

![Reverse shell session](screenshots/04_reverse_shell_session.png)

### Failed root access attempt

Attempts to access `/root` and authenticate with `su -` failed. The screenshot is redacted to avoid publishing the test password.

![Failed root access and su attempt](screenshots/05_root_access_and_su_failure_redacted.png)

## Reconstructed timeline

The complete timeline is available in both PDF reports. The most important events were:

| UTC | Event |
|---|---|
| 19:33:56 | Linux audit, tcpdump, Docker events, and file-change polling started |
| 19:34:23 | Series of POST requests to `/index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon` |
| 19:34:23.291 | GET to an uploaded `.PHP` file with a controlled arithmetic command |
| 19:34:23.329 | GET to an uploaded `.pHp` file with a controlled arithmetic command |
| 19:34:23.361 | GET to an uploaded `.Php` file with a controlled arithmetic command |
| 19:34:23.398 | GET to the final `.PHP` artifact with a controlled arithmetic command |
| 19:34:23.411 | The public PoC executed `id` through the uploaded PHP artifact and received HTTP 200 |
| 19:35:05 | Manual `whoami` request returned `www-data` |
| 19:35:27 | One-time TCP callback to `172.20.10.2:4444` succeeded |
| 19:35:59 | HTTP request initiated a reverse TCP connection to `172.20.10.2:4444` |
| 19:36:22-19:36:31 | `whoami`, `uname`, `id`, and `pwd` confirmed the execution context |
| 19:37:13 | `cd root` returned `Permission denied` |
| 19:37:21-19:37:28 | `su -` attempt failed with `Authentication failure` |
| 19:39:25 | Audit collection stopped and artifacts were packaged |

## Evidence collection methodology

### Linux and Docker

The victim host collected:

- `auditd` events for `execve`;
- packet capture using `tcpdump`;
- Docker container metadata, logs, events, process listings, and filesystem differences;
- periodic file-change polling from inside the container;
- file listings for the Joomla webroot, temporary directories, and relevant media paths;
- selected container state before and after the test.

The test also identified a monitoring limitation: because `/var/www/html` was backed by a Docker volume, `docker diff` did not show detailed file creation under `/var/www/html/media/com_sppagebuilder/assets/iconfont/`. File integrity monitoring should therefore cover the real host path backing the volume.

### Windows

The Windows host evidence was intentionally limited to report-relevant screenshots:

- public PoC output;
- browser output for `whoami`;
- Ncat output for the one-time callback;
- Ncat output for the reverse shell session;
- failed `/root` and `su -` attempt with the password redacted.

## Most important detection opportunities

### 1. Upload through SP Page Builder

Monitor HTTP, reverse-proxy, WAF, or network telemetry for the following combination:

```text
POST /index.php?option=com_sppagebuilder&task=asset.uploadCustomIcon
User-Agent contains: sppb-rce-poc
Status: 200, 201, or 204
```

In production, do not rely only on the public PoC User-Agent. The endpoint and unexpected upload pattern are more stable indicators than the User-Agent value.

### 2. Executable file or `.htaccess` under the SP Page Builder icon path

Monitor file telemetry for new or modified files matching:

```text
/media/com_sppagebuilder/assets/iconfont/*/fonts/*.php
/media/com_sppagebuilder/assets/iconfont/*/fonts/*.PHP
/media/com_sppagebuilder/assets/iconfont/*/fonts/*.pHp
/media/com_sppagebuilder/assets/iconfont/*/fonts/*.Php
/media/com_sppagebuilder/assets/iconfont/*/fonts/.htaccess
```

The presence of `.htaccess` containing `AddType application/x-httpd-php .PHP` in a media upload directory is a high-value indicator.

### 3. GET request to an uploaded PHP file with command parameters

Correlate upload activity with subsequent HTTP requests to paths like:

```text
/media/com_sppagebuilder/assets/iconfont/*/fonts/*
```

Higher confidence is reached when the request targets a PHP-like extension and includes parameters such as `t=` and `c=`.

### 4. Shell or interpreter activity from the web service account

High-value process indicators include:

```text
user: www-data, apache, or nginx
process: bash, sh, dash, or php
command line contains: /dev/tcp, bash -i, redirection operators, or unusual interpreter execution
```

### 5. Outbound connection from the web container

Alert when a shell or interpreter launched by the web server process initiates an outbound connection to a workstation or unusual destination port. The laboratory event used TCP port 4444, but production detection should not depend on a single port.

### 6. Failed privilege-escalation attempts after web execution

The test produced a failed `su -` attempt. Monitor for authentication helpers such as `unix_chkpwd`, writes to `/var/log/btmp`, and interactive commands following web-service account compromise.

## SOC triage guidance

When the HTTP upload indicator is detected, the SOC should immediately correlate it with:

- the source IP, user agent, and HTTP status;
- whether the target Joomla instance has SP Page Builder installed and whether the version is vulnerable;
- new directories under `/media/com_sppagebuilder/assets/iconfont/`;
- new PHP-like files or `.htaccess` files under Joomla media directories;
- HTTP GET requests to the newly created files shortly after upload;
- command-like query parameters such as `t=` and `c=`;
- process creation by the web server user, especially shell or interpreter processes;
- outbound connections from the web container or web service account;
- discovery commands such as `whoami`, `id`, `uname`, `hostname`, `pwd`, `ip`, `ifconfig`, `netstat`, or `ss`;
- authentication failures, credential access attempts, persistence, or lateral movement after initial execution.

A single upload event is not always sufficient on its own. The strongest alert combines upload, file creation, file access, process execution, and outbound network telemetry within the same short time window.

## Recommended mitigations

1. Update SP Page Builder to version 6.6.2 or newer.
2. Review `/media/com_sppagebuilder/assets/iconfont/` and the broader Joomla media directory for PHP-like files and `.htaccess` artifacts.
3. Remove any unexpected PHP, `.htaccess`, `.phtml`, `.phar`, archive, or executable artifacts from upload directories.
4. Disable PHP execution in upload and media directories at the Apache, Nginx, and PHP-FPM layer.
5. Restrict or alert on access to the `asset.uploadCustomIcon` endpoint from untrusted networks.
6. Monitor web service child processes and outbound connections from web containers.
7. Deploy FIM, eBPF, auditd, or EDR coverage for Docker volumes that contain the application webroot.
8. Do not rely on `docker diff` alone for webroot monitoring when application data is stored in Docker volumes or bind mounts.

## Scope and limitations

- The validation was performed against one Joomla 5 Docker instance with SP Page Builder installed.
- The observed impact was code execution as the web server process user `www-data`; privilege escalation to root was not confirmed.
- The result confirms the tested path and configuration. It does not prove that every deployment, reverse proxy, web server, PHP handler, or operating system behaves identically.
- Offensive exploit code, payload source, raw PCAP files, raw Docker evidence packages, and DOCX source files are not distributed in this repository.
- The reports contain selected evidence excerpts rather than full raw logs, to keep the material readable and focused on detection.

## References

- [NVD - CVE-2026-48908](https://nvd.nist.gov/vuln/detail/CVE-2026-48908)
- [CVE.org - CVE-2026-48908](https://vulners.com/cve/CVE-2026-48908)
- [CISA Known Exploited Vulnerabilities Catalog](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)
- [Public project used as the initial validation reference](https://github.com/papageo75/CVE-2026-48908-PoC)
- [JoomShaper SP Page Builder](https://www.joomshaper.com/page-builder)

## Responsible-use notice

This material is provided for defensive security research, vulnerability management, detection engineering, incident-response preparation, and authorized testing. Do not use it against systems without explicit permission.