Joomla receives patches for zero-day SQL injection vulnerability, other flaws
Recently released security updates for the popular Joomla content management system (CMS) address a SQL injection vulnerability that poses a high risk and can be exploited to extract information from the databases of Joomla-based sites.
The Joomla Project released versions 3.2.3 and 2.5.19 of the open-source CMS Thursday. Both updates address two cross-site scripting (XSS) vulnerabilities in core components, but version 3.2.3 also patches a SQL injection flaw, publicly disclosed in early February, and an unauthorized log-in flaw in the Gmail-based authentication plug-in.
The Joomla advisory for the SQL injection vulnerability lacks technical details. It only notes that the flaw, rated high severity, stems from inadequate escaping and affects Joomla CMS versions 3.1.0 through 3.2.2.
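A quick way to turn the version ranges above into a check is to read the release number out of a Joomla tree and compare it against the affected and fixed releases the article reports. This is an added example, not code from Joomla or from the article. It assumes that Joomla 3.x stores its release in libraries/cms/version/version.php as class constants (RELEASE and DEV_LEVEL) and that Joomla 2.5 stores the same fields as public properties in libraries/joomla/version.php; confirm those paths against your own install. The two PHP snippets embedded below are constructed samples so the script runs offline.

```python
import re

# Constructed sample of libraries/cms/version/version.php (Joomla 3.x style).
SAMPLE_J3 = """<?php
final class JVersion
{
    const PRODUCT = 'Joomla!';
    const RELEASE = '3.2';
    const DEV_STATUS = 'Stable';
    const DEV_LEVEL = '2';
}
"""

# Constructed sample of libraries/joomla/version.php (Joomla 2.5 style).
SAMPLE_J25 = """<?php
final class JVersion
{
    public $PRODUCT = 'Joomla!';
    public $RELEASE = '2.5';
    public $DEV_STATUS = 'Stable';
    public $DEV_LEVEL = '18';
}
"""

# Matches both "const RELEASE = '3.2';" and "public $RELEASE = '2.5';".
FIELD = re.compile(r"(?:const|public)\s+\$?(RELEASE|DEV_LEVEL)\s*=\s*'([^']*)'")

# Ranges taken from the article: SQLi affects 3.1.0 through 3.2.2 (inclusive);
# 3.2.3 and 2.5.19 are the releases carrying the fixes described above.
SQLI_AFFECTED = ((3, 1, 0), (3, 2, 2))
FIXED_RELEASE = {3: (3, 2, 3), 2: (2, 5, 19)}


def parse_version(php_source):
    """Return the Joomla version as an int tuple, e.g. (3, 2, 2)."""
    fields = dict(FIELD.findall(php_source))
    if "RELEASE" not in fields or "DEV_LEVEL" not in fields:
        raise ValueError("RELEASE/DEV_LEVEL not found in version file")
    return tuple(int(p) for p in (fields["RELEASE"] + "." + fields["DEV_LEVEL"]).split("."))


def assess(version):
    """List findings for a parsed version; an empty list means nothing flagged."""
    findings = []
    if SQLI_AFFECTED[0] <= version <= SQLI_AFFECTED[1]:
        findings.append("SQL injection (3.1.0-3.2.2)")
    fixed = FIXED_RELEASE.get(version[0])
    if fixed and version < fixed:
        findings.append("below fixed release " + ".".join(map(str, fixed)))
    return findings


def check_file(path):
    """Read a real version.php from disk and assess it (path is caller-supplied)."""
    with open(path, encoding="utf-8") as fh:
        return assess(parse_version(fh.read()))


if __name__ == "__main__":
    for label, src in (("3.x sample", SAMPLE_J3), ("2.5 sample", SAMPLE_J25)):
        v = parse_version(src)
        print(label, ".".join(map(str, v)), assess(v) or "OK")
```

Point `check_file` at the real file in a site's document root to run the same assessment on a live install; a 3.0.x site falls outside the SQLi range the advisory gives but is still reported as below the release that carries the fixes.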
However, security researchers from Web security firm Sucuri have linked the patch to a zero-day exploit that was published on the Internet on Feb. 6 and targets the weblinks-categories id parameter.
"I actually had one of our developers investigate [the patched vulnerability] for us and the flaw is the same one that was publicly released a month ago on exploit-db [an exploit listing website]," said Daniel Cid, Sucuri's CTO, Monday via email. "What really shocked us is that Joomla took almost a month to release a patch for it."
The Joomla Project did not immediately respond to a request for comment.
"Successful exploitation of this vulnerability requires the affected site to use the Similar Tags module," researchers from vulnerability intelligence firm Secunia said in a security advisory. According to the official Joomla documentation, Similar Tags is one of the modules shipped by default with the CMS.
SQL injection is one of the most common types of flaws exploited by attackers to compromise websites. Depending on their specific technical details, these vulnerabilities allow attackers to inject rogue code into sites or steal sensitive data from their databases.
"The SQL injection vulnerability recently patched by Joomla does not appear to allow code injection, just the manipulation of SELECT calls to extract information from the database, including user names and password hashes," Cid said.
This might explain why widespread attacks targeting the flaw have not been reported so far, even though an exploit for it has been available for over a month.
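The flaw class the advisory and Cid describe, an inadequately escaped id parameter that lets a request manipulate a SELECT and pull user names and password hashes, is easy to see in miniature. The following is an added example written for this page, not Joomla's code and not the published exploit: it uses a constructed SQLite schema (the table and column names are invented) to show the unescaped-concatenation pattern next to a hardened version that casts the id to an integer and binds it as a parameter. Joomla's real schema and the exact request that exploit-db published are not reproduced here.

```python
import sqlite3


def build_db():
    """Constructed sample schema: a categories table queried by id, and a users
    table holding password hashes. Not Joomla's schema; an illustration only."""
    db = sqlite3.connect(":memory:")
    db.executescript(
        """
        CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO categories VALUES (1, 'Security'), (2, 'Tutorials');
        INSERT INTO users VALUES
            (42, 'admin',  '$2y$10$constructedhash-admin'),
            (43, 'editor', '$2y$10$constructedhash-editor');
        """
    )
    return db


def lookup_vulnerable(db, raw_id):
    """The request parameter is spliced straight into the SQL text: the
    'inadequate escaping' pattern. A benign "1" behaves as intended, but the
    caller controls the rest of the statement."""
    sql = "SELECT id, title FROM categories WHERE id = " + raw_id
    return db.execute(sql).fetchall()


def lookup_hardened(db, raw_id):
    """Two independent defences: coerce to int (anything that is not a whole
    number is rejected before it reaches SQL) and bind the value as a parameter
    (the driver never lets it change the statement's structure)."""
    try:
        cat_id = int(raw_id)
    except (TypeError, ValueError):
        raise ValueError("id must be an integer") from None
    return db.execute(
        "SELECT id, title FROM categories WHERE id = ?", (cat_id,)
    ).fetchall()


# A SELECT-only payload of the kind Cid describes: no code execution, just a
# UNION that makes the category query return rows from another table.
PAYLOAD = "0 UNION SELECT username, password FROM users"


def run_demo():
    """Exercise both lookups and return the outcomes for inspection."""
    db = build_db()
    benign = lookup_vulnerable(db, "1")
    leaked = sorted(lookup_vulnerable(db, PAYLOAD))
    try:
        lookup_hardened(db, PAYLOAD)
        hardened_rejects = False
    except ValueError:
        hardened_rejects = True
    return {
        "benign": benign,
        "leaked_from_vulnerable": leaked,
        "hardened_benign": lookup_hardened(db, "1"),
        "hardened_rejects_payload": hardened_rejects,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The leaked rows carry the users table's password hashes in the columns the page expected to hold category ids and titles, which is exactly why a SELECT-only injection is still a credential-disclosure issue; the integer cast plus parameter binding closes it without changing what a legitimate request returns.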