Anyone using the Joomla CMS for your website, please update your installation right away. Asaf Orpani, a researcher from Trustwave Spiderlabs, has uncovered a serious SQL injection vulnerability in the widely-used software, endangering an estimated 2.8 million websites.
The vulnerability affects all Joomla setups from version 3.2 up to 3.4.4. The flaw is a combination of three separate issues (identified by CVE numbers CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858) and is present in a core module, affecting even barebones installations without any plug-ins.
Here's how the vulnerability works. An attacker can inject bad data in a request to a Joomla page, which will then return a complete database error description that includes table names, fields, and values (repeat after me, folks: I shall not leave debugging information in production code).
One of the exposed parameters is the site administrator's identifier (ID) for his session on the administration interface. Once the attacker is in possession of that ID, he can simply put it into an appropriately-named cookie in his web browser and calmly start browsing the target website as an administrator, whistling and dancing all the way. Proof-of-concept exploit code has already been added to the Metasploit framework.
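As an added illustration (not Joomla's code), here is the pattern the author's "no debugging information in production" point calls for: the untrusted request parameter is validated and bound as query data rather than concatenated into SQL, and any database error is logged server-side while the client only ever sees a generic message. The database name, table, column and credential values are assumptions.

```php
<?php
// Added example, not taken from Joomla: safe lookup of a record by id that
// never returns raw database error text to the browser.

declare(strict_types=1);

function connect(): PDO
{
    // Placeholder connection details (assumed). Exceptions are enabled so a
    // failure cannot silently surface driver messages in page output.
    return new PDO('mysql:host=localhost;dbname=cms', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function findArticle(PDO $pdo, string $rawId): ?array
{
    // Reject anything that is not a plain positive integer before it gets
    // anywhere near the query (ctype_digit('') is false, so empty is rejected).
    if (!ctype_digit($rawId)) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    // Parameterised statement: the value is bound as data, so it cannot alter
    // the SQL or provoke an attacker-chosen error path.
    $stmt = $pdo->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

header('Content-Type: application/json');
try {
    $article = findArticle(connect(), $_GET['id'] ?? '');
    echo json_encode($article ?? ['error' => 'not found']);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo json_encode(['error' => 'bad request']);
} catch (PDOException $e) {
    // SQLSTATE, driver message, table and column names stay in the server
    // log; the client gets nothing it could use to map the schema.
    error_log('database error: ' . $e->getMessage());
    http_response_code(500);
    echo json_encode(['error' => 'internal error']);
}
```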