The Joomla team just released two security updates and pushed out the stable versions for Joomla 2.5.19 and 3.2.3. If you run your site on Joomla, you need to update and apply these patches ASAP to ensure that your site continues to run securely.
If you are behind our CloudProxy Firewall, we will virtually patch these for you so you’re protected even if you do not upgrade. The Joomla website has more details on the security updates.
Issues Fixed
On Joomla 2.5.19, these two issues were listed fixed:
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information
But on Joomla 3.2.3, the following issues were fixed:
High Priority – Core SQL Injection More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core XSS Vulnerability More information
Medium Priority – Core Unauthorised Logins More information
As you can see, there are some high priority SQL injection vulnerabilities along with some unauthorized login vulnerabilities in their Gmail login module (disabled by default).
The SQL injection seems to be related to an exploit released almost a month ago on the weblinks-categories id that was not escaped properly, and seems very easy to exploit.
Our team is still investigating the impact of this one and other vulnerabilities, and we will post more details as we identify them.
Northon Torga
Cesar Anjos
Joseph Herbrandson
Juliana Lewis
David Dede