The Joomla Project released version 3.6.5 of the Joomla CMS that addresses three security bugs, of which one can allow attackers to take over vulnerable sites.
If this wasn’t bad enough, this vulnerability, tracked as CVE-2016-9838, affects all Joomla versions released in the past five years.
More accurately, CVE-2016-9838 affects all sites running Joomla 1.6.0 and up to 3.6.4. Updating to Joomla 3.6.5 is a must in these conditions, as webmasters could find their sites part of SEO spam or DDoS botnets.
CVE-2016-9838 allows attackers to change usernames and passwords
The Joomla Project categorizes this security issue as “high severity” and describes it as a problem with the session on a form validation failure event.
Joomla devs say that an attacker can leverage a lack of data filtering to upload and execute malicious code that can change details of existing accounts.
Attackers can alter usernames, reset account passwords, and change user group assignments. A skilled coder can use this flaw to create his own admin account on the site, with his own desired password.
Joomla 3.6.5, released yesterday, also fixes other security issues, a shell upload vulnerability, and an information disclosure bug, but these two are marked as “low priority.”
Joomla 3.6.5, available for download from here, also hardens the CMS’ source code with extra security features.
Massive Internet-wide scans to follow
Users should upload ASAP. In late October, after the Joomla Project released version 3.6.4, attackers were already scanning the web for vulnerable websites.
At the time, Daniel Cid, Sucuri Founder and CTO, said that after less than a week, “any Joomla! site that has not been updated is most likely already compromised.”
The flaws discovered at the end of October and patched in version 3.6.4, also allowed attackers to register accounts and elevate themselves to the admin user group, similarly to the flaws patched in version 3.6.5.
Similar exploitation attempts took place last year, in December 2015, when attackers were launching more than 16,600 attacks per day against a recently-patched Joomla zero-day.
It’s very likely that attackers will weaponize CVE-2016-9838 and attempt to hijack as many sites as possible before users get a chance to update them.