Serious SQL Injection Flaw Found in Joomla

The open-source Joomla content management system has a critical SQL injection vulnerability. By combining it with other security weaknesses, Trustwave SpiderLabs researchers were able to gain full administrative access to any vulnerable Joomla site.

Joomla is the second most popular content management system in the world, behind only WordPress, with close to 3 million active installs worldwide. About 2.7% of the top 1 million sites use Joomla.

SQL injection is one of the most common flaws in web applications; in the most critical cases, such as this one, it allows attackers to gain complete access to sensitive data in the backend database behind a web application.
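The following is an added example, not code from the article or from Joomla, showing in general terms why a query built by string concatenation lets user input rewrite the SQL, while a bound parameter cannot. It uses an in-memory SQLite table with constructed sample rows; the table, the function names and the crafted input are all assumptions for illustration and are unrelated to the specific Joomla flaw.

```python
import sqlite3


def build_db():
    # Constructed sample data: a tiny in-memory "users" table standing in
    # for the backend database of a CMS.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("admin", "administrator"), ("editor", "editor"), ("guest", "registered")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, username):
    # Vulnerable pattern: the caller's input is pasted into the SQL text, so
    # quote characters in it become part of the query grammar.
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    # Hardened pattern: the value travels as a bound parameter, separate from
    # the query text, so it can only ever be compared, never parsed as SQL.
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def demo():
    # Runs both lookups against a normal value and against a constructed
    # tautology input of the kind input validation or a WAF rule would flag.
    conn = build_db()
    normal = "editor"
    crafted = "x' OR '1'='1"
    return {
        "vuln_normal": lookup_vulnerable(conn, normal),
        "vuln_crafted": lookup_vulnerable(conn, crafted),   # leaks every row
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_crafted": lookup_parameterized(conn, crafted),  # matches nothing
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

The concatenated query turns the crafted value into `WHERE username = 'x' OR '1'='1'` and returns the whole table, including the administrator row; the parameterized query treats the same bytes as a literal username and returns nothing. Parameterized queries are the fix at the code level; a WAF that blocks such inputs, as the article later recommends, only buys time until the code is patched.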

The flaw enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the website and execute additional attacks. Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.

Several other code elements of Joomla contribute to the exploitation of the vulnerability as well, said Trustwave SpiderLabs researcher Asaf Orpani in an analysis.

Trustwave responsibly disclosed the vulnerability by first contacting Joomla, working with them on the patch and coordinating the release of additional information simultaneously with the patch. Trustwave recommends that all users upgrade to 3.4.5. Users that cannot patch or upgrade are advised to deploy virtual patching technologies, such as a web application firewall that can block the exploit.
