Joomla releases patch for serious SQLi flaw

The secure version is 3.4.5

Joomla, a popular content management system, released patches on Thursday for a vulnerability that can allow an attacker to get full administrative access to a website.

Joomla versions 3.2 through 3.4.4 are vulnerable, and the latest version is 3.4.5.

The SQL injection flaw was found by Asaf Orphani, a researcher with Trustwave's SpiderLabs, and Netanel Rubin of PerimeterX.

SQL injection flaws occur when a backend database executes a malicious query when it shouldn't. The type of vulnerability is one of the most prevalent ones within web applications.

In the case of Joomla, Orpani found he could extract a session ID for Joomla's database.

"By pasting the session ID we've extracted -- that of an administrator in this case -- to the cookie section in the request to access the /administrator/ folder, we're granted administrator privileges and access to the administrator Control Panel," he wrote in a blog post.

Since Joomla can also accommodate shopping cart such as VirtueMart, e-commerce sites are also vulnerable to being exploited, Orphani wrote.

Join the newsletter!

Or
Error: Please check your email address.
CSO WANTED
Have an opinion on security? Want to have your articles published on CSO? Please contact CSO Content Manager for our guidelines.

More about Trustwave

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

More videos

Blog Posts