Millions of websites at risk of hacking from critical Joomla bug

Ars Technica reports that an update to Joomla was released on Thursday after the developers of the open-source CMS were alerted by a researcher at Trustwave Spiderlabs. Asaf Orpani discovered the bug was present in Joomla versions 3.2 to 3.4.4 and allowed him to “gain full administrative access to any vulnerable Joomla site.”
Joomla powers around 2.8 million websites, so exploiting the bug would be very attractive to hackers. The vulnerability was a SQL injection flaw: a weakness in which crafted text entered into a website’s input fields is passed to the database and interpreted as part of a query, letting an outsider influence what the server does.
For example, many websites display text boxes to their visitors that allow them to search for specific content. This input is then sent to the site’s database so only content matching the specified query is retrieved. However, if the user’s input is not sanitised correctly, the database engine may interpret portions of the text as actual commands rather than as a search term, giving an attacker the ability to access restricted resources, download data or log themselves in as an administrator.
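To make the mechanism in the paragraph above concrete, here is an added example that is not from the article or from the Joomla project. It uses a constructed in-memory SQLite table standing in for a CMS content store and shows the same search feature written two ways: one that splices the visitor’s text into the SQL string, and one that binds it as a parameter. The search term `%' OR 1=1 --` is the classic textbook demonstration string; against the concatenated query it widens the result set to include an unpublished row, while the parameterised query treats it as an ordinary (non-matching) search term.

```python
import sqlite3

# Constructed sample data: a tiny articles table standing in for a CMS content store.
SAMPLE_ARTICLES = [
    ("Welcome to the site", 1),
    ("Public news item", 1),
    ("Unpublished draft", 0),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, published) VALUES (?, ?)", SAMPLE_ARTICLES
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Builds the query by string concatenation.

    The visitor's text becomes part of the SQL statement itself, so a quote
    character in the input ends the string literal and the remainder is
    parsed as SQL. This is the defect the article describes.
    """
    sql = (
        "SELECT title FROM articles WHERE published = 1 "
        "AND title LIKE '%" + term + "%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_parameterised(conn, term):
    """Binds the search term as a query parameter.

    The SQL text is fixed before the database sees the input; the engine
    receives the term as a value and never parses it as SQL, so the
    'published = 1' restriction cannot be bypassed through the search box.
    """
    sql = "SELECT title FROM articles WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    for term in ("news", "%' OR 1=1 --"):
        print(repr(term))
        print("  concatenated :", search_vulnerable(db, term))
        print("  parameterised:", search_parameterised(db, term))
```

The practical check this suggests for a code base is to look for any place where request data is joined into a SQL string with concatenation or string formatting; each such site should be converted to a bound parameter as in the second function. Escaping the input by hand is the weaker fix, because it has to be correct for every database dialect and every call site, whereas parameter binding removes the problem by construction.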
The recently-discovered bug in Joomla made the last option possible. A hacker could use SQL injection to extract a cookie ordinarily allocated to administrators, which would grant them access to the site’s control panel.
With the cookie downloaded, the attacker could load it into their own web browser and obtain access to the Joomla management area, giving them full control of the website and the ability to lock other users out, add, edit and delete pages, or inject malicious code into existing content. That code could then be used for further attacks, such as redirecting legitimate users to scam sites or forcing them to download malware.
Anyone with knowledge of SQL injection would find the attack simple to carry out. Orpani wrote “The road from our SQL injection to ‘game over’ is very short.” The Joomla team announced the release of a fix in a blog post on Thursday. They extended a “huge thank you” to Orpani for his responsible disclosure of his find and urged all site administrators to update their Joomla installations immediately.
The vulnerability was classed as “critical” and stemmed from Joomla’s core module, meaning it affected any site built on the content management system regardless of which extensions were installed on top. The earliest version to be affected, 3.2, was released in November 2013.
Joomla describes itself as the “most popular and widely supported open source multilingual CMS platform in the world”, boasting support for over 64 languages and a simple and fast content creation process. It powers websites ranging from simple blogs to sophisticated e-commerce portals so the vulnerability had the potential to be devastating for its millions of users.
