Joomla Account Creation Vulnerability

The Joomla team released a patch for a serious security vulnerability affecting all Joomla versions from 3.4.4 and up. If you are running one of these versions of Joomla, you are encouraged to update immediately.

The vulnerability is high severity: it allows anyone to create a user account remotely and choose the group that account is placed in, including the administrator group. Two CVEs were assigned to these vulnerabilities: CVE-2016-8870 and CVE-2016-8869. We highly recommend that everyone apply these patches ASAP.

Sucuri Firewall Virtual Patching

As soon as we learned about this issue, our vulnerability research team (led by Marc MontPas) reverse-engineered the patch and worked out how the flaw could be exploited, so that we could protect our users. We found that it is present in an old controller kept for backwards compatibility. We were able to create a virtual patching signature and push it live to all of our users within minutes.

The good news now is that if you have your site behind our Sucuri Firewall you are protected against this issue.

We also went back through our log data to see if this attack had ever been used in the wild. So far, we have not found a single exploit attempt. This will likely change, as attackers will also try to reverse the patch to find out how they can leverage it to create admin users on Joomla sites in order to compromise them for malware distribution, phishing, DDoS, and more. If your website has been compromised, you can follow our free guide to fix hacked Joomla sites.
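Since the impact of this bug is an attacker-created account in a privileged group, the check a site owner most wants after patching is an audit of the user table for privileged accounts that appeared recently or that nobody on the team recognises. The following is an added example, not Sucuri's or Joomla's code: it runs a query over the three Joomla tables involved (users, usergroups and the user-to-group map). The `jos_` table prefix, the default group titles "Administrator" and "Super Users", and all of the rows are constructed assumptions for the demo; an in-memory SQLite database stands in for the site's MySQL database so the example runs offline. Against a real site, run the same `AUDIT_SQL` with your own prefix substituted for `jos_`.

```python
import sqlite3

# Constructed sample rows standing in for a Joomla site's database.
# Table prefix "jos_" is assumed; use the $dbprefix value from configuration.php.
SAMPLE_USERS = [
    # id, name, username, email, registerDate, block
    (42, "Site Owner", "owner", "owner@example.com", "2015-03-02 10:11:12", 0),
    (43, "Editor", "editor", "editor@example.com", "2016-06-14 08:00:00", 0),
    (44, "qwerty1", "qwerty1", "qwerty1@example.com", "2016-10-26 03:14:07", 0),
    (45, "New Reader", "reader", "reader@example.com", "2016-10-27 12:00:00", 0),
]
# Default Joomla group titles are assumed; confirm against your own usergroups table.
SAMPLE_GROUPS = [(2, "Registered"), (4, "Editor"), (7, "Administrator"), (8, "Super Users")]
SAMPLE_MAP = [(42, 8), (43, 4), (44, 8), (44, 2), (45, 2)]

# Groups whose membership grants back-end or full control of the site.
ADMIN_GROUPS = ("Administrator", "Super Users")

# Every account that sits in a privileged group and was registered on or after
# the cutoff date. Joomla stores registerDate as DATETIME, so a textual
# comparison on the ISO form works in both SQLite and MySQL.
AUDIT_SQL = """
SELECT u.id, u.username, u.email, u.registerDate, g.title
FROM jos_users AS u
JOIN jos_user_usergroup_map AS m ON m.user_id = u.id
JOIN jos_usergroups AS g ON g.id = m.group_id
WHERE g.title IN (?, ?)
  AND u.registerDate >= ?
ORDER BY u.registerDate
"""


def build_sample_db():
    """Create an in-memory SQLite database shaped like the three Joomla tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE jos_users (
            id INTEGER PRIMARY KEY, name TEXT, username TEXT, email TEXT,
            registerDate TEXT, block INTEGER);
        CREATE TABLE jos_usergroups (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
    """)
    conn.executemany("INSERT INTO jos_users VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO jos_usergroups VALUES (?,?)", SAMPLE_GROUPS)
    conn.executemany("INSERT INTO jos_user_usergroup_map VALUES (?,?)", SAMPLE_MAP)
    return conn


def find_recent_admin_accounts(conn, since):
    """Return (id, username, email, registerDate, group) for privileged
    accounts registered on or after `since` (an 'YYYY-MM-DD HH:MM:SS' string)."""
    return conn.execute(AUDIT_SQL, (*ADMIN_GROUPS, since)).fetchall()


def unexpected_admins(rows, known_usernames):
    """From audit rows, keep privileged accounts nobody on the team recognises.
    This catches an attacker-created account regardless of its registration date."""
    return [row for row in rows if row[1] not in known_usernames]


if __name__ == "__main__":
    db = build_sample_db()
    # Use the date you patched (or the earliest date the site was exposed) as the cutoff.
    for row in find_recent_admin_accounts(db, "2016-01-01 00:00:00"):
        print("recent privileged account:", row)
    everything = find_recent_admin_accounts(db, "2000-01-01 00:00:00")
    for row in unexpected_admins(everything, {"owner"}):
        print("unrecognised privileged account:", row)
```

Any row these functions return should be treated as a potential compromise and verified with the people who administer the site; if the account is not theirs, block it, rotate credentials, and then follow the incident-response steps for a hacked site, since an attacker who held administrator access may have left other changes behind.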

  1. Any idea as to what kind of HTTP request we might find/expect in our server logs that are exploiting this? Only HTTP POST or also GET requests that we can block?

  2. Sharing some information about possible malicious URIs or POST content would be useful for people also trying to protect themselves with a virtual patch from this vuln.
