Joomla Closes Very Dangerous SQL Injection Vulnerability

CMS builder Joomla has patched three security vulnerabilities, including a very critical vulnerability that allows sql injection. The sql issue is in versions 3.2 through 3.4.4 and was discovered by Trustwave SpiderLabs. The patch slightly increases the version number to 3.4.5.

Trustwave’s researchers were able to gain full access to every vulnerable Joomla site, Trustwave writes on its blog. Joomla held 6.6 percent of the website cms market on October 20, according to W3Techs, which would mean that some 2.8 million websites run on the cms. The patch to Joomla 3.4.5 can be downloaded from the Joomla site. Besides the three security updates, nothing has changed in the code of the cms.

In the run-up to the patch, Joomla already indicated on October 16 that a very important patch would be released on October 22, so most administrators of servers that Joomla runs on will already be aware of the arrival of the patch. Further details were not released at the time.

The problem in Joomla is due to not enough filtering of data that is requested. In addition to the sql issues, two other bugs have been fixed in the com_contenthistory and com_content functions that allow attackers to access data that should normally only be visible to users with appropriate permissions. The com_content vulnerability is in Joomla versions 3.0 through 3.4.4 instead of 3.2 through 3.4.4.

The sql vulnerability is in /administrator/components/com_contenthistory/models/history.php. Doing a sql injection then shows an error page. The error report at the bottom of the page contains a session ID. After pasting the session id in the cookie section in the request to enter the /administrator/ directory, administrator rights are granted and access to the admin-control panel is obtained. A detailed description of the entire hack is on the Trustwave blog.