URGENT - Joomla Security Notice :: December 15, 2015

Started by Jason, December 15, 2015, 01:01:06 PM


Jason

Joomla sent out a new security warning today.  This has been in the media already as a big vulnerability that requires immediate addressing by anyone using Joomla:

http://news.softpedia.com/news/joomla-3-4-6-fixes-zero-day-remote-execution-bug-used-in-the-wild-497599.shtml

Quote
The Joomla security team has fixed a highly critical zero-day bug, which appears to have already been used in the wild to compromise and take over Joomla sites.

Just two hours ago, the Joomla security team released version 3.4.6, along with security patches for older versions of the CMS, even if some of them reached EoL (End of Life) and were not officially supported anymore.
Remote code execution flaw via the user agent string

The reason behind this out-of-the-ordinary security release is a critical zero-day bug that allows attackers to insert code into the Joomla database and later execute it.

The entry point for the malicious code is the user agent string, which is advertised by each site visitor's browser to let websites know the user's technical makeup and deliver the best or the most appropriate version of the site.

Apparently, this string is stored in the Joomla database, but not properly sanitized to detect malicious code.

With the help of special applications and scripts that can broadcast fake user agent strings, attackers can very easily craft a custom string and append malicious code to it.

From Joomla's Security Mail Service:

Quote
[20151201] - Core - Remote Code Execution Vulnerability

Posted: 14 Dec 2015 11:00 AM PST
-Project: Joomla!
-SubProject: CMS
-Severity: High
-Versions: 1.5.0 through 3.4.5
-Exploit type: Remote Code Execution
-Reported Date: 2015-December-13
-Fixed Date: 2015-December-14
-CVE Numbers: CVE-2015-8562

Description
Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability.
Affected Installs
Joomla! CMS versions 1.5.0 through 3.4.5
Solution
Upgrade to version 3.4.6
Contact
The JSST at the Joomla! Security Centre.
Reported By: Uwe Flottemensch

If you are using Joomla on your account, I urge you to upgrade asap.

Regards,
Jason
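Added example (not part of Jason's post or of anything Joomla ships): since the advisory above says the User-Agent header is the entry point and is written to the database unfiltered, the first thing to do on a server that sat on 3.4.5 or earlier is to triage the web access logs for User-Agent strings that no browser would ever send. The script parses Apache/nginx "combined" format lines and flags requests whose UA carries PHP code. The heuristics (serialized-object syntax, a PHP open tag, exec-style calls, oversized UAs) and the sample log lines are my own constructions, not indicators published with the advisory; a hit means "look at this request and this site", not proof of compromise.

```python
import re
from typing import Dict, List

# Apache/nginx "combined" log format; the User-Agent is the final quoted field.
# Quotes inside a field are logged as \" so the UA pattern must allow escapes.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" '
    r'"(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Heuristics are my assumptions, not from the advisory: a browser never sends
# PHP serialized-object syntax, a PHP open tag or exec-style calls in its UA.
SUSPICIOUS_UA = [
    ("serialized PHP object", re.compile(r'O:\d+:"[\w\\]+":\d+:\{')),
    ("PHP open tag", re.compile(r'<\?php', re.IGNORECASE)),
    ("exec-style call",
     re.compile(r'\b(?:eval|assert|system|passthru|shell_exec|exec)\s*\(')),
]
MAX_SANE_UA_LEN = 512  # assumption: genuine browser UAs are far shorter


def classify_user_agent(ua: str) -> List[str]:
    """Return the labels of every heuristic that fires for one User-Agent string."""
    reasons = [label for label, rx in SUSPICIOUS_UA if rx.search(ua)]
    if len(ua) > MAX_SANE_UA_LEN:
        reasons.append("oversized User-Agent")
    return reasons


def scan_log(text: str) -> List[Dict[str, object]]:
    """Parse combined-format lines; return only requests whose UA looks injected."""
    flagged = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = COMBINED_RE.match(line)
        if m is None:
            continue  # not combined format; leave unparsed lines alone
        ua = m.group("ua").replace('\\"', '"')  # undo the log file's escaping
        reasons = classify_user_agent(ua)
        if reasons:
            flagged.append({"ip": m.group("ip"), "ts": m.group("ts"),
                            "request": m.group("req"), "ua": ua,
                            "reasons": reasons})
    return flagged


# Constructed sample (not real traffic): one normal browser, two hostile UAs.
SAMPLE_LOG = r'''
203.0.113.10 - - [15/Dec/2015:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.80 Safari/537.36"
198.51.100.7 - - [15/Dec/2015:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0 O:8:\"stdClass\":1:{s:1:\"x\";s:4:\"test\";}"
192.0.2.44 - - [15/Dec/2015:10:00:03 +0000] "GET /administrator/ HTTP/1.1" 200 2211 "-" "<?php system('id'); ?>"
'''

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ts"], hit["ip"], hit["request"], "->", ", ".join(hit["reasons"]))
```

Run it against a real file with something like `scan_log(open("/var/log/apache2/access.log").read())`; on a shared host you would loop over every account's log. Requests are flagged on the header alone, regardless of response status, because the advisory says the string is stored on the way in, so a harmless-looking 200 is exactly what a successful injection looks like.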

Jason

Please note that the version they patched/released above has a vulnerability as well. 

A new warning was sent by Joomla on 12/22/2015:

Quote
[20151207] - Core - SQL Injection
Posted: 21 Dec 2015 05:24 PM PST

-Project: Joomla!
-SubProject: CMS
-Severity: Low
-Versions: 3.0.0 through 3.4.6
-Exploit type: SQL Injection
-Reported Date: 2015-December-15
-Fixed Date: 2015-December-21
-CVE Numbers: requested

Description
Inadequate filtering of request data leads to a SQL Injection vulnerability.

Affected Installs
Joomla! CMS versions 3.0.0 through 3.4.6

Solution
Upgrade to version 3.4.7
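Added example, not from Jason's posts or from Joomla: the two advisories quoted in this thread give different affected ranges (1.5.0 through 3.4.5, then 3.0.0 through 3.4.6), so a site patched to 3.4.6 after the first notice is still listed by the second. This script reads the installed version out of a Joomla tree and reports which of the two advisories still apply and which version to upgrade to. The file locations and the RELEASE/DEV_LEVEL format are my assumptions about Joomla's layout (libraries/cms/version/version.php for 2.5/3.x, libraries/joomla/version.php for 1.5); the sample version files are constructed.

```python
import re
import sys
from pathlib import Path
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Assumption about Joomla's layout (not stated in the advisories): the version is
# split into RELEASE ('3.4') and DEV_LEVEL ('6') in one of these two files.
VERSION_FILES = ("libraries/cms/version/version.php", "libraries/joomla/version.php")
_RELEASE_RE = re.compile(r"""RELEASE\s*=\s*['"](\d+)\.(\d+)['"]""")
_DEV_LEVEL_RE = re.compile(r"""DEV_LEVEL\s*=\s*['"](\d+)['"]""")

# Inclusive affected ranges and fixed versions, taken from the two advisories above.
ADVISORIES = [
    ("[20151201] CVE-2015-8562 Remote Code Execution", (1, 5, 0), (3, 4, 5), (3, 4, 6)),
    ("[20151207] SQL Injection", (3, 0, 0), (3, 4, 6), (3, 4, 7)),
]


def parse_version(source: str) -> Optional[Version]:
    """Extract (major, minor, dev_level) from the text of a Joomla version file."""
    rel = _RELEASE_RE.search(source)
    dev = _DEV_LEVEL_RE.search(source)
    if rel is None or dev is None:
        return None
    return (int(rel.group(1)), int(rel.group(2)), int(dev.group(1)))


def applicable_advisories(version: Version) -> List[Tuple[str, str]]:
    """Advisories whose affected range contains `version`, with the version to move to."""
    hits = []
    for name, low, high, fixed in ADVISORIES:
        if low <= version <= high:  # tuple comparison does the 3-component ordering
            hits.append((name, ".".join(map(str, fixed))))
    return hits


def find_joomla_version(site_root: Path) -> Optional[Version]:
    """Look for the version file in a site's document root; None if not a Joomla site."""
    for rel_path in VERSION_FILES:
        f = site_root / rel_path
        if f.is_file():
            version = parse_version(f.read_text(errors="replace"))
            if version is not None:
                return version
    return None


def audit(site_roots) -> List[Tuple[str, Optional[Version], List[Tuple[str, str]]]]:
    """One row per site root: (path, detected version or None, outstanding advisories)."""
    rows = []
    for root in site_roots:
        version = find_joomla_version(Path(root))
        rows.append((str(root), version, applicable_advisories(version) if version else []))
    return rows


# Constructed version files (not copied from Joomla) in the shapes the regexes expect.
SAMPLE_3X = "class JVersion\n{\n\tconst RELEASE = '3.4';\n\tconst DEV_LEVEL = '6';\n}\n"
SAMPLE_15 = "class JVersion\n{\n\tvar $RELEASE = '1.5';\n\tvar $DEV_LEVEL = '26';\n}\n"

if __name__ == "__main__":
    # Usage: python joomla_audit.py /home/*/public_html
    for path, version, todo in audit(sys.argv[1:]):
        if version is None:
            print(f"{path}: no Joomla version file found")
        elif not todo:
            print(f"{path}: Joomla {'.'.join(map(str, version))} - not in either advisory range")
        else:
            for name, fixed in todo:
                print(f"{path}: Joomla {'.'.join(map(str, version))} - {name}; upgrade to {fixed}")
```

A version string is only as trustworthy as the file it came from; on a host where the first advisory's window has already passed, treat this as an inventory step and still review the site (and its logs) rather than assuming a clean 3.4.7 was never touched.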