All websites based on Joomla 3.2 or later are vulnerable to a serious bug SQL-injection, corrected by the company with a patch released last Thursday to be installed immediately.
Millions of websites used for e-commerce or other sensitive areas may be at risk for hack off a critical vulnerability in the Joomla CMS. The bug would allow the take-over of the server and would appear on the system of content management for almost two years.
The vulnerability ” SQL-injection ” was nonetheless, removed last Thursday with the release of version 3.4.5, and all operators of websites based on Joomla, could take care to upgrade.
The bug allows an attacker to run malicious code on servers that use Joomla, and was introduced in the version 3.2 released in November 2013. It is estimated that approximately 2.8 million websites that use this CMS, and all are attacked unless you upgrade to the new version: ” Whereas the vulnerability was found in a module that does not require any essential extension, all sites using Joomla 3.2 and earlier are vulnerable ” wrote Asaf Orpani, security researcher.
Vulnerabilities ” SQL-injection ” allow the remote execution of commands potentially fatal to a database of a website, by entering specific text input fields or search integrated into the web pages. Flaws of this type are among the most popular and widely used to compromise the Internet pages, and are usually possible by the infrastructure which manages the input text itself which, as in this case, is not treated as plain text and can run remote commands, even dangerous.
In this way, an attacker may come into possession of confidential files among those stored in the server, or other sensitive information contained in the database. In the specific case discovered by Orpani, the bug can expose the data of the ID administrator session.
Once in possession of the information, the attacker simply needs to insert a cookie in the browser specifically designed with the same data in order to gain access to parts also extremely sensitive server.
” By pasting the session ID cookie that we extracted section, we got administrative privileges and access to the Control Panel, ” he wrote Orpani blog. Given the extent of the potential damage you can do with the exploits of the bug, all administrators of websites based on Joomla should install as soon as the patch released Thursday.