Ars Technica reports that an update to Joomla was released on Thursday after the developers of the open-source CMS were alerted by a researcher at Trustwave Spiderlabs. Asaf Orpani discovered the bug was present in Joomla versions 3.2 to 3.4.4 and allowed him to “gain full administrative access to any vulnerable Joomla site.”
Joomla powers around 2.8 million websites, so exploiting the bug would be very attractive to hackers. The vulnerability was based around SQL injection, a technique that can allow outsiders to control a server’s behaviour by entering crafted commands into input fields on webpages.
For example, many websites display text boxes to their visitors that allow them to search for specific content. This input is then sent to the site’s database so only content matching the specified query is retrieved. However, if the user’s input is not sanitised correctly, then the database engine may interpret portions of the text as actual commands or executable code, giving an attacker the ability to access restricted resources, download data or log themselves in as an administrator.
The recently discovered bug in Joomla made the last option possible: a hacker could use SQL injection to extract a cookie ordinarily allocated to administrators, which grants access to the site’s control panel.
With the cookie downloaded, the attacker could load it into their own web browser and obtain access to the Joomla management area, giving them full control of the website: the ability to lock other users out, to add, edit and delete pages, or to insert malicious code into existing content. Such code could then carry out further attacks, such as redirecting legitimate users to scam sites or forcing them to download malware.
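The mechanism described above, illustrated as an added example (this is not Joomla's code): a search box whose input is spliced into the SQL text lets a visitor read from an unrelated session table, while the same input bound through a placeholder stays a harmless literal. The tables, rows and cookie value are constructed sample data in an in-memory SQLite database.

```python
"""Added illustration (not Joomla's code): unsanitised search input versus a
parameterised query, run against constructed data in in-memory SQLite."""
import sqlite3

# Constructed sample data: public content plus a session table whose cookie
# values must never be reachable from a public search box.
ARTICLES = [("Welcome", "Hello world"), ("News", "Site updated")]
SESSIONS = [("admin", "cookie-placeholder-value")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, body TEXT)")
    conn.execute("CREATE TABLE sessions (username TEXT, cookie TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", ARTICLES)
    conn.executemany("INSERT INTO sessions VALUES (?, ?)", SESSIONS)
    return conn


def search_vulnerable(conn, term):
    # The search term is pasted into the SQL text, so a quote character in it
    # ends the string literal and everything after it is parsed as SQL.
    sql = "SELECT title, body FROM articles WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()


def search_safe(conn, term):
    # Placeholder binding: the driver passes the term as a value, never as SQL,
    # so quotes, keywords and comment markers in it have no syntactic effect.
    sql = "SELECT title, body FROM articles WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()


# A search string that closes the quote and appends a second SELECT: the
# "text interpreted as commands" case the article describes.
CRAFTED = "x%' UNION SELECT username, cookie FROM sessions -- "

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_vulnerable(db, CRAFTED))  # leaks the session row
    print("safe:      ", search_safe(db, CRAFTED))        # returns []
    print("safe, normal search:", search_safe(db, "New"))
```

The fix for this class of bug is the second function's pattern: every value that originates from a request is bound as a parameter, and the SQL text itself never contains user-controlled characters.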
Anyone with knowledge of SQL injection would find the attack simple to carry out. Orpani wrote “The road from our SQL injection to ‘game over’ is very short.” The Joomla team announced the release of a fix in a blog post on Thursday. They extended a “huge thank you” to Orpani for his responsible disclosure of his find and urged all site administrators to update their Joomla installations immediately.
The vulnerability was classed as “critical” and stemmed from Joomla’s core module, meaning it would have affected any sites based on the content management system even if extensions were deployed on top. The earliest version to be affected, 3.2, was released in November 2013.
Joomla describes itself as the “most popular and widely supported open source multilingual CMS platform in the world”, boasting support for over 64 languages and a simple and fast content creation process. It powers websites ranging from simple blogs to sophisticated e-commerce portals so the vulnerability had the potential to be devastating for its millions of users.