2.8 million websites vulnerable to critical Joomla SQL injection bug

Anyone using the Joomla CMS for your website, please update your installation right away. Asaf Orpani, a researcher from Trustwave Spiderlabs, has uncovered a serious SQL injection vulnerability in the widely-used software, endangering an estimated 2.8 million websites.

The vulnerability affects all Joomla setups from version 3.2 up to 3.4.4. The flaw is a combination of three separate issues (identified by CVE numbers CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858) and is present in a core module, affecting even barebones installations without any plug-ins.

Here's how the vulnerability works. An attacker can inject bad data in a request to a Joomla page, which will then return a complete database error description that includes table names, fields, and values (repeat after me, folks: I shall not leave debugging information in production code).

One of the exposed parameters is the site administrator's identifier (ID) for his session on the administration interface. Once the attacker is in possession of that ID, he can simply put it that into an appropriately-named cookie in his web browser, and calmly start browsing the target website as an administrator, whistling and dancing all the way. Proof-of-concept exploit code has already been added to the Metasploit framework.

Tip: You can use the A/Z keys to walk threads.
View options

This discussion is now closed.