The Joomla team just released a new Joomla version (3.4.5) to fix some serious security vulnerabilities. The most critical one is a remote and unauthenticated SQL injection on the com_contenthistory module (included by default) that allows for a full take over of the vulnerable site.
Directly from the Joomla announcement: Joomla! 3.4.5 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability. We strongly recommend that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.4 release.
Technical Details
This vulnerability was discovered by the TrustWave team and they published a very good document explaining it in detail. We highly recommend reading it to understand the scope and how it can be exploited: Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access.
Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.
CVE-2015-7297, CVE-2015-7857, and CVE-2015-7858 cover the SQL injection vulnerability and various mutations related to it.
CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.
- The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
- Because the vulnerability is found in a core module that doesn’t require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
- Asaf also uncovered the related vulnerabilities CVE-2015-7858 and CVE-2015-7297 as part of his research.
Due to the easy exploitation of this vulnerability and the popularity of Joomla, we expect to see attacks in the wild very soon, with a massive number of sites hacked.
We recommend looking at your web logs for signs of this attack. If you search for “option=com_contenthistory&view=history” you should be able to find possible attacks against your site. Note that blocking these requests only for GET requests is not enough, since they can also arrive via POST: Joomla reads the parameters from PHP's $_REQUEST, so both POST and GET will go through.
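A small log checker for the indicator above, added here as an example that is not from the original post or from the Joomla project: it parses access log lines in the common "combined" format (the sample lines below are constructed, not real traffic) and flags every request for the com_contenthistory history view, whatever the HTTP method and even when the parameter names are percent-encoded.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access log lines (combined format); not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Oct/2015:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Oct/2015:10:01:09 +0000] "GET /index.php?option=com_contenthistory&view=history HTTP/1.1" 500 0 "-" "curl/7.43.0"
203.0.113.9 - - [22/Oct/2015:10:02:11 +0000] "POST /index.php?option=com_contenthistory&view=history HTTP/1.1" 200 310 "-" "python-requests/2.7"
203.0.113.9 - - [22/Oct/2015:10:02:15 +0000] "GET /index.php?option=com%5Fcontenthistory&view=history HTTP/1.1" 500 0 "-" "python-requests/2.7"
"""

# Fields of a combined-format line that we need: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" (?P<status>\d{3}) \S+'
)


def is_contenthistory_request(target: str) -> bool:
    """True when the request target asks for the com_contenthistory 'history' view.

    parse_qs percent-decodes names and values, so com%5Fcontenthistory is caught too.
    The HTTP method is deliberately ignored: Joomla reads $_REQUEST, so GET and POST
    are equivalent for this check.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    return "com_contenthistory" in params.get("option", []) and "history" in params.get("view", [])


def scan_log(text: str) -> list:
    """Return one record per suspicious line: ip, method, status and timestamp."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_contenthistory_request(m["target"]):
            hits.append({"ip": m["ip"], "method": m["method"],
                         "status": int(m["status"]), "time": m["ts"]})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Parameters sent in a POST body are not written to a standard access log, so a POST that carries them only in the body will not match here; blocking or inspecting such requests has to happen in the web server or application layer.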
We recommend that all users update to the latest version and harden the Joomla installation on their server. If you are a hosting provider and have Softaculous installed, you can upgrade the Joomla installation directly from cPanel.
Recommended Steps
- Change the default administrator username
- Protect directories and files: protect the administrator directory with .htaccess protection.
- Disable Unneeded Functions & Classes, e.g.: eval(), system(), show_source(), shell_exec(), passthru(), exec(), phpinfo(), proc_open(), popen(), and highlight_file()
- Turn off display_errors from PHP.ini
- Limit Administrator Panel Access by allowing only a trusted set of IP addresses
- Configure open_basedir from PHP.ini
- Disable file upload, if required. Webmasters can upload files using FTP instead.
- Disable Remote Includes from PHP.ini