Serious Concern About SP Page Builder 6 Security Status - We FIXED IT - Question | JoomShaper

Serious Concern About SP Page Builder 6 Security Status - We FIXED IT

AGON PARTNERS INNOVATION AG

AGON PARTNERS INNOVATION AG

SP Page Builder 4 hours ago

Dear JoomShaper team,

We are very worried about the current security status of SP Page Builder 6 and the related template/framework stack.

We have trusted SP Page Builder for many years and use it across many customer websites. After the recent uploadCustomIcon security issue, we still had to review, clean, protect, and harden several hundred websites.

In our tests, the latest SP Page Builder version available to us does not fully solve the underlying issue. The access-control situation may have improved, but the upload and archive-handling logic still needs stronger hardening.

We already have OWASP-based WAF rules, proxy protection, and additional server-side security in place. However, these are only compensating controls. The component itself must safely handle uploads, ZIP extraction, file validation, and copying into public media directories.

Because we cannot wait for a final upstream fix while customer sites remain at risk, we created a temporary hardening package.

What we created

We created a proper Joomla installer package and a separate restore/deinstaller package for the SP Page Builder 6 uploadCustomIcon hardening.

The package adds additional protection for ZIP validation, unsafe file rejection, path traversal checks, executable file blocking, safer extraction, sanitized names, allow-listed copying, and public media-folder protection.

The goal is not to replace an official JoomShaper fix. This is an emergency hardening overlay to protect live customer websites now.

Compatibility

The package is intended for SP Page Builder 6.x installations.

Joomla compatibility information, installer details, restore/deinstaller details, and usage notes are documented in the repositories.

Main hardening package: https://github.com/konzeptplus-gmbh/SPPB-Upload-Custom-Icon-Hardening

Restore / deinstaller package: https://github.com/konzeptplus-gmbh/SPPB-Upload-Custom-Icon-Hardening-Restore

Request to JoomShaper

We ask JoomShaper to review this issue with urgency and provide a fully reviewed upstream fix, not only a compensating access-control change.

We also ask for a clear public security statement, cleanup guidance for already-compromised sites, and a changelog that clearly states which SP Page Builder and related framework/template versions are safe.

We are willing to share details from our hardening work so this can be solved properly in the official product.

Best regards, Agon Partners Innovation AG former Konzeptplus GmbH

0
1 Answers
Mehtaz Afsana Borsha
Mehtaz Afsana Borsha
Accepted Answer
Support Agent 1 hour ago #228860

Hello,

Thank you for taking the time to document your findings and for sharing the hardening and restore packages with us.

We understand the seriousness of your concerns, particularly given the number of customer websites you manage and the work required to review and secure them following the reported uploadCustomIcon issue.

We have forwarded the information, including both GitHub repositories, to our development teams for further technical review. Since these are third-party modifications, we cannot officially recommend or endorse installing them until the code and its compatibility implications have been fully assessed.

For security reasons, we also recommend avoiding the publication of detailed exploit information or sensitive technical findings in the public forum. Any additional evidence, reproduction steps, affected files, logs, or proof-of-concept details should be submitted through our hidden content box, so our team can investigate them securely.

In the meantime, you should keep SP Page Builder, Joomla, templates, and extensions updated, maintain verified backups, review their websites for unauthorized files or administrator accounts, and follow official JoomShaper security announcements.

We appreciate your willingness to cooperate and share your work. Our team will review the underlying upload, archive extraction, validation, and file-handling concerns you have raised. Any confirmed fixes, affected-version information, or further security guidance will be communicated through our official channels.

Thank you again for reporting this responsibly.

-Best regards.

0