Joomla 3.7 exposed to easily exploitable bug, WordPress patches too
- 18 May, 2017 04:43
WordPress has released an update to the CMS software to plug six security holes, but there’s a more urgent update for Joomla CMS users.
Joomla developers on Wednesday released Joomla! 3.7.1, which fixes several flaws, including a critical SQL injection flaw affecting Joomla! 3.7. Joomla has rated the bug critical and is urging users to update their sites immediately or risk attackers spilling passwords and hijacking the vulnerable site.
The SQL injection flaw was discovered by security firm Sucuri, which traced the problem to a publicly accessible component called com_fields. Joomla introduced it in 3.7 as a time-saving feature that mirrors some views from the administrative side of com_fields, allowing developers to reuse code from one side on the other. Sucuri found that Joomla’s way of handling SQL queries didn’t properly sanitize user input.
“In order to exploit this vulnerability, all an attacker has to do is to add the proper parameters to the URL in order to inject nested SQL queries,” notes Sucuri researcher Marc-Alexandre Montpas.
Full details of the flaw can be found here.
According to Montpas, the bug is easy to exploit and doesn’t require a privileged account on the victim’s site, meaning anyone who visits the site can exploit it, allowing them to leak password hashes or hijack a logged-in user’s or an administrator’s session. In the latter case, this would result in a full site compromise.
Joomla is the second most widely used CMS behind WordPress. According to Sucuri’s Q3 2016 hacked website report, some 84 percent of Joomla sites were running an outdated version at the time of infection.
WordPress has also patched six flaws in the WordPress 4.7.5 security and maintenance release, which developers are recommending users update to immediately.
The update fixes two cross-site scripting flaws and a cross-site request forgery flaw in the filesystem credentials dialogue that allowed an attacker to trick a WordPress admin into logging into the attacker’s FTP or SSH server and giving up their credentials.
Sites with automatic updates should already have received the update, while other users can manually update.