Joomla on Thursday released a new version of its content management system, 3,4,5, that addresses a critical SQL injection vulnerability that could have let attackers gain access to data in the backend of any site running on the platform.
The bug existed in versions 3.2 to 4.4.4 of the CMS, and would have to be combined with two other vulnerabilities to carry out an attack, experts warned Thursday.
Boasting nearly three million active installs, Joomla is quietly popular, second – albeit a very distant second – behind WordPress when it comes to popular content management systems.
Asaf Orpani, a researcher with Trustwave’s Spiderlabs, discovered all three bugs, and warns that an attacker could hijack the administrator session, exploit the main vulnerability, and from there, gain access to the site, opening it up to future attacks.
Since the bug exists in Joomla’s core module, Trustwave is warning that any site that runs it, including various e-commerce sites, could be vulnerable.
Orpani claims that code from a PHP file in Joomla’s Adminstrator folder is at the crux of the issue, and vulnerable to the SQL injection, and by exploiting it, an attacker can glean a session key. By taking that and pasting it to the cookie section in the request to access the admin folder, an attacker is granted administrator privileges. Orpani writes in a description of the bug.
“Pasting the session ID we’ve extracted (which happens to be of an Administrator in our case) to the cookie section in the GET request allows us to access the /administrator/ folder,” Orpani writes, “We’ve also been granted administrator privileges and access to the administrator panel and a view of the control panel. And that’s it—we’ve compromised the website!”
The update also addresses two sets of inadequate ACL checks, according to advisories on Joomla’s Developer Network. Those could have provided potential read access to data that should be access restricted in versions 3.2.0 through 3.4.4, and 3.0 through 3.4.4 of the CMS, respectively.
It was a quick turnaround for Joomla, which fixed the issue in eight days. While Orpani began looking into the bug in August, it wasn’t until Oct. 12, when he had produced a fully realized proof of concept. Several days later, after other Spiderlabs researchers helped verify the bug, Trustwave informed Joomla of the issue.
Last year it took more than a month for Joomla to fix another SQL injection, when it was brought to the company’s attention by researchers at Sucuri.