Joomla security patch released for zero day vulnerability


The popular content management system Joomla has been the centre of many security vulnerabilities in recent months, one of which is the zero-day SQL injection vulnerability that poses a critical risk to Joomla based websites. Security patches have recently been released that mitigate this zero-day vulnerability and Joomla web masters are highly encouraged to update their Joomla installations to the most recent version in order to combat this widely known vulnerability.

The SQL injection vulnerability identified in Joomla installs allows attackers to extract data from the databases of Joomla based websites if not appropriately patched. However, recent versions 3.2.3 and 2.5.19 of the Joomla content management system address the SQL injection vulnerability, as well as an unauthorised log-in vulnerability in a G-mail authentication plug in. As well as addressing these publically disclosed exploits, the released updates also address multi cross-site scripting vulnerabilities identified in core components.

The zero-day vulnerability identified in February works by exploiting the weblinks-categories id parameter, and allows attackers to inject SQL code directly into any Joomla based website working on multiple version numbers. Security firm Sucuri have identified this vulnerability as the same as a similar vulnerability published on exploit-db, a popular website for listing vulnerabilities. Sucuri went on to state that taking a month to patch a critical level exploit such as this is shocking and has left many web publishers vulnerable for an unnecessary length of time.

Joomla CMS has become the most frequently attacked platform due to out of date versions.

Joomla CMS has become the most frequently attacked platform due to out of date versions left unpatched.

Attackers are able to exploit this zero day vulnerability on sites that utilise the Similar Tags module. This module is activated by default with Joomla installations, meaning that a large proportion of websites installed using the default installation will be vulnerable to this. Security researches went on to state that this vulnerability did not allow injection of code specifically, however, allowed an attacker to manipulate SELECT calls, effectively allowing extraction of any data from databases. This would allow an attacker to extract anything from intellectual property to usernames, ID’s and passwords.

Although there has been limited reporting of this vulnerability being executed, security firms have confirmed they have seen attackers apparently querying sites looking for the mod_tags_similar module, the first stage of performing an attack such as this. Once an attacker has confirmed the use of this module on the site, they would then be able to execute SQL SELECT commands to extract data from websites utilising the Joomla content management system. The worrying part is that web masters may not be aware that their data has been compromised, without effective monitoring of web activity.

The updates also fixed bugs in the G-mail authentication plug in, which security researches say could have equally devastating consequences if not effectively managed. This plug in would allow administrators to authenticate to Joomla based websites using Gmail credentials rather than the Joomla username and password. However, as the plug in was never verified, security researches discovered that registering Gmail accounts with the same username as the super admin would allow attackers to log in with the same credentials.

With these and many other security flaws discovered in Joomla and other content management systems regularly, attackers are starting to see this as an attractive target. Security firm Sucuri have even stated that the most frequently attacked platform is Joomla, due to the high number of web masters that are using this CMS without upgrading, or even patching, regularly.

About Lee Hazell

Lee Hazell is a cyber security consultant with a keen interest in anything tech or security related. Follow Lee on .

Leave a Reply

Your email address will not be published. Required fields are marked *