The Joomla team just released a new Joomla version (3.4.5) to fix some serious security vulnerabilities. The most critical one is a remote and unauthenticated SQL injection on the com_contenthistory module (included by default) that allows for a full take over of the vulnerable site.
Update October 26, 2015: We posted a follow up looking at the prevalence of Joomla SQL injection attacks in the wild less than 24 hours after this disclosure.
Directly from the Joomla announcement:
Joomla! 3.4.5 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability. We strongly recommend that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.4 release.
If you are a Joomla user, you have to patch your site now! If your site is behind our Website Firewall (CloudProxy) you were already protected even before the disclosure via the Virtual Hardening / Patching engine, which focuses on generic SQLi attack vectors.
Technical Details
This vulnerability was discovered by the TrustWave team and they published a very good document explaining it in detail. We highly recommend reading it to understand the scope and how it can be exploited: Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access.
Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.
CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.
CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.
- The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
- Because the vulnerability is found in a core module that doesn’t require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
- Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.
Due to the easy exploitation of this vulnerability and popularity of Joomla, we expect to see attacks in the wild very very soon with a massive number of sites hacked.
We recommend looking at your web logs to try to find signs of this attack. If you search for “option=com_contenthistory&view=history” you should be able to find possible attacks against your site. Note that blocking these requests only via GET requests are not enough, since they can also happen via POST. Joomla uses the PHP $_REQUEST, so both POST and GET will go through.
If you are using Joomla, patch it now!
Victor Santoyo
Alycia Mitchell
Daniel Cid
Marc-Alexandre Montpas
Rianna MacLeod
Yuliyan Tsvetkov
1 comment
We are a not-for-profit volunteer organisation, Our site was running Joomla 3 x and over the last 5 days we were targeted with the sql injection attack, taking over my superuser permissions. The first thing I checked was if an update would fix the problem, but was not aware I had to clear the cache before the update would show up. I noticed the hackers gave full permissions to one of the usergroups. They also changed the setting for “Allow User Registration” to “ON”. I found I was the “author” of all the changes! Once I created for myself a new superuser, I deleted my old superuser account and this seemed to stop the intrusion long enough to google sql injection and find your warnings. So thank you. I have one question, although I have run the patch now, because we have already been targeted should I have deleted all the folders and copied across a full replacement of all folders?
Comments are closed.