Certain conditions have to be met for a successful attack

Oct 1, 2014 09:40 GMT

The Joomla content management system (CMS) 3.x received fixes for two security vulnerabilities, one of which is particularly important because it can lead to full compromise of the website.

The developers of the platform announced on Tuesday that a remote file inclusion (RFI) risk was removed from the latest versions of Joomla. They say the issue was possible because of inadequate checking, which would allow an attacker to run remote files.

Full site compromise risk looming

Disclosed to the Akeeba and Joomla developers, the issue is that data can be extracted remotely if specific conditions are met, such as running the attack during the extraction of a backup file or the installation of an update.

Four conditions have to be met at the same time for a successful attack: a host with URL fopen() wrappers, a host which allows direct file writes, advanced knowledge of PHP for crafting the malicious message, and running the attack while a backup archive or update package is being extracted (between five and 90 seconds).

The Akeeba team says that a malicious actor with advanced knowledge could create “a special command message which would cause restore.php to extract a remotely stored archive to your site.” This could be leveraged for targeted attacks.

Given that exploitability is limited to knowledgeable attackers who have to act at a certain time, Joomla marks the severity of the vulnerability as “moderate”; however, according to the OWASP risk assessment methodology, the risk is high.

The flaw affects Joomla 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, and 3.3.0 through 3.3.4. Users are advised to apply the update that fixes this issue as soon as possible in order to eliminate the possibility of compromise.
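For administrators triaging several sites, the check below is an added example, not code from Joomla or Akeeba: it tests a version string against the affected ranges listed above and reads a php.ini for the URL fopen() wrapper condition. The function names and the sample php.ini are constructed for illustration, and the other conditions (direct file writes, timing) are not checked.

```python
import re

# Affected ranges exactly as listed in the article (inclusive bounds).
AFFECTED = [
    ((2, 5, 4), (2, 5, 25)),
    ((3, 0, 0), (3, 2, 5)),   # "3.2.5 and earlier 3.x versions"
    ((3, 3, 0), (3, 3, 4)),
]
TRUE_VALUES = {"1", "on", "true", "yes"}  # values PHP treats as boolean true


def parse_version(text):
    """Turn '2.5.10' into (2, 5, 10) so comparison is numeric, not lexical."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)(?:\.(\d+))?\s*", text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def version_affected(text):
    v = parse_version(text)
    return any(lo <= v <= hi for lo, hi in AFFECTED)


def url_fopen_enabled(php_ini_text):
    """Effective allow_url_fopen; PHP enables it when the directive is absent."""
    enabled = True
    for raw in php_ini_text.splitlines():
        line = raw.split(";", 1)[0].strip()   # drop ';' comments
        m = re.fullmatch(r"allow_url_fopen\s*=\s*(.*)", line)
        if m:                                  # the last occurrence is the one kept
            enabled = m.group(1).strip().strip("\"'").lower() in TRUE_VALUES
    return enabled


def assess(version, php_ini_text):
    if not version_affected(version):
        return "not in an affected range"
    if url_fopen_enabled(php_ini_text):
        return "affected version, URL fopen wrappers on: update now"
    return "affected version, URL fopen wrappers off: still update"


# Constructed sample input, not taken from any real site.
SAMPLE_INI = "; allow_url_fopen = Off\nallow_url_fopen = On\n"

if __name__ == "__main__":
    for ver in ("2.5.10", "2.5.26", "3.1.0", "3.3.4", "3.3.5"):
        print(ver, "->", assess(ver, SAMPLE_INI))
```

Comparing parsed tuples rather than raw strings matters here: as text, "2.5.10" sorts before "2.5.4" and would be wrongly reported as unaffected.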

Users advised to delay patching another glitch and wait for second update

A second vulnerability has been addressed in Joomla, one that allowed denial-of-service attacks. The developers rated its severity as low.

After initially releasing the update on Tuesday, the CMS developers informed users that a new one would become available and that applying the initial patch should be delayed.

However, in a post on Facebook, they said that users who have already applied the fix are not in any danger; they would simply have to perform the subsequent update manually.

“Just a notice: if you already updated, don't worry, everything is ok. The only problem is that you will have to update to the upcoming version manually. But there is no any danger,” Joomla posted on Facebook.

Both flaws were reported by the Horst Görtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany, on September 24.