Millions of websites including e-commerce stores, blogs and other sensitive areas of the internet are vulnerable to a remote take-over attack made possible by a critical SQL-injection vulnerability that has been plaguing the open-source Content Management System (CMS) Joomla since as early as 2013.
The severe SQL-injection vulnerability was patched early Thursday in version 3.4.5, the project's latest release of the CMS. The vulnerability allows attackers to execute malicious code on servers running Joomla and has been present since version 3.2, which was released in early November 2013. As of today, the Joomla CMS is estimated to be running on more than 2.8 million active websites.
“Because the vulnerability is found in a core module that doesn’t require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable,” Asaf Orpani, a researcher at Trustwave’s SpiderLabs, wrote in a blog post published Thursday. The vulnerability and two closely related ones have been assigned the identifiers CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858.
SQL-injection vulnerabilities can be severe, allowing end users to execute commands on a website’s backend database by entering specially crafted text into search boxes or other input fields on the target page. These vulnerabilities are routinely exploited and are the result of an insecure Web application failing to ensure that incoming data is treated as plain text rather than executable code. Attacks of this type often make it possible for hackers to steal large amounts of confidential information stored on vulnerable web servers.
The flaw, disclosed by Orpani, exposes the session ID, carried in a browser cookie, that is assigned to administrator accounts. Attackers can exploit the vulnerability to hijack that cookie, load it into their own browsers, and from that point access administrator-only content on the server. Working code exploiting the Joomla vulnerability has already been added to the Metasploit framework, a popular tool widely used by hackers and penetration testers.
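The two points above, that an application which splices input into SQL lets data be parsed as code, and that the leaked rows can be session identifiers, in an added illustration that is not code from Joomla or from the Trustwave post. Table names, column names and session values are constructed placeholders, and Python with SQLite stands in for the PHP/MySQL stack Joomla actually uses.

```python
import sqlite3

# Constructed sample data modelled loosely on what a CMS keeps server-side.
# The session IDs are made-up placeholders, not values from any real site.
SAMPLE_SESSIONS = [
    ("SESSION-ID-ADMIN-PLACEHOLDER", "admin", 1),
    ("SESSION-ID-EDITOR-PLACEHOLDER", "editor", 0),
]
SAMPLE_ARTICLES = [(1, "Welcome"), (2, "Release notes")]


def make_db():
    """Build an in-memory database with an articles table and a sessions table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT)")
    conn.execute("CREATE TABLE sessions (session_id TEXT, username TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ARTICLES)
    conn.executemany("INSERT INTO sessions VALUES (?, ?, ?)", SAMPLE_SESSIONS)
    return conn


def search_articles_vulnerable(conn, term):
    """Vulnerable: the search term is pasted into the SQL text, so the database
    parser sees whatever the user typed as part of the statement."""
    sql = f"SELECT title FROM articles WHERE title = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_articles_safe(conn, term):
    """Hardened: parameter binding hands the term to the driver as a value.
    It is compared as a string and never reaches the SQL parser."""
    sql = "SELECT title FROM articles WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


# Constructed input: a closing quote, a UNION against the sessions table, and a
# comment marker that swallows the rest of the statement. In the vulnerable path
# this returns the admin session row; in the safe path it is just an odd title.
INJECTED_TERM = "x' UNION SELECT session_id FROM sessions WHERE is_admin = 1 --"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", search_articles_vulnerable(db, INJECTED_TERM))
    print("safe:      ", search_articles_safe(db, INJECTED_TERM))
```

The same input that drives the vulnerable function to emit a session identifier produces an empty result from the bound-parameter version, which is the whole of the fix for this class of bug.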
“By pasting the session ID we’ve extracted—that of an administrator in this case—to the cookie section in the request to access the /administrator/ folder, we’re granted administrator privileges and access to the administrator Control Panel,” Orpani explained in his blog post.
If you operate or manage a Joomla site and haven’t yet updated to Thursday’s patched release, we recommend you do so immediately.