Joomla – one of the most popular open source Content Management System (CMS) software packages, has reportedly patched three critical vulnerabilities in its software.
The flaws, exist in the Joomla version 3.2 to 3.4.4, include SQL injection vulnerabilities that could allow hackers to take admin privileges on most customer websites.
The patch was an upgrade to Joomla version 3.4.5 and only contained security fixes.
The vulnerability, discovered by Trustwave SpiderLabs researcher Asaf Orpani and Netanel Rubin of PerimeterX, could be exploited to attack a website with SQL injections.
SQL injection (SQLi) is an injection attack wherein a bad actor can inject/insert malicious SQL commands/query (malicious payloads) through the input data from the client to the application.
The vulnerability is one of the oldest, most powerful and most dangerous flaw that could affect any website or web application that uses an SQL-based database.
The recent SQLi in Joomla discovered by Orpani are:
CVE-2015-7857 enables an unauthorized remote attacker to gain administrator privileges by hijacking the admin session. Once exploited, the attacker may gain full control of the website and execute additional attacks.
The vulnerability discovered in a core module that doesn’t require any extensions, therefore, all the websites that use Joomla versions 3.2 (released in November 2013) and above are vulnerable.
Researchers also discovered the related vulnerabilities, CVE-2015-7858 and CVE-2015-7297, as part of their research.
Actually the Joomla code resided in /administrator /components /com_contenthistory/ models/history.php was vulnerable to SQL injection.
Orpani came across many weak links in this code, that could:
- Exploit the vulnerability to gain the administrator session key
- On executing the request on Joomla site returns the admin session key
- Using the admin key to hijack the session and further gaining:
- Access to the /administrator/ folder
- Administrator privileges
- Access to the administrator Control Panel
Vulnerability in DRUPAL
The popular CMS Drupal has also patched an Open Redirect vulnerability in the Overlay module in its Core project (7.x versions prior to 7.41).
The Overlay module in Drupal core project displays administrative pages as a layer on the current page, rather than replacing the page in the browser window.
However, the module doesn’t sufficiently validate URLs prior to displaying their contents, which leads to an open redirect vulnerability, according to Drupal’s official blog.
The vulnerability affected the site users with administrative rights; i.e. if only the “Access the administrative overlay” permission is enabled the vulnerability could be exploited.
The fix for the open redirect vulnerability was released and required the sites to upgrade to Drupal version 7.41.
If you were not aware of these vulnerabilities, do not panic you can patch your CMS now!