Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Critical SQL Injection Flaw Patched in Joomla

A Joomla update released on Wednesday patches a critical SQL injection vulnerability that can be easily exploited by a remote attacker to obtain sensitive data and hijack websites.

A Joomla update released on Wednesday patches a critical SQL injection vulnerability that can be easily exploited by a remote attacker to obtain sensitive data and hijack websites.

The flaw, discovered by Sucuri researcher Marc-Alexandre Montpas and tracked as CVE-2017-8917, affects Joomla 3.7.0 and it has been addressed with the release of version 3.7.1. This is the only security issue fixed in the latest version.

According to Montpas, the vulnerability only affects Joomla 3.7 because it’s related to a new component introduced in this version. The component in question is com_fields, which borrows views from an admin-side component that has the same name.

Since com_fields is a public-facing component, anyone can exploit the vulnerability without needing a privileged account on the targeted website. An attacker can leverage the flaw to inject nested SQL queries via a specially crafted URL.

“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen),” Montpas warned in a blog post published on Wednesday.

Joomla users have been advised to update their installations as soon as possible. Joomla developers even issued a pre-release security announcement last week to inform users of the “very important security fix.”

While Sucuri has not released a proof-of-concept (PoC) exploit, it has made public the flaw’s technical details. Given that it’s easy to exploit, it would not be surprising to see attacks leveraging this vulnerability in the next days.

In October 2016, cybercriminals started exploiting a couple of Joomla vulnerabilities in less than 24 hours after they were patched, despite the fact that only limited technical details had been made public. At the time, attackers leveraged the flaws to create rogue user accounts on popular websites.

Advertisement. Scroll to continue reading.

One year prior, attackers started hacking Joomla websites within hours after the details of a SQL injection vulnerability were disclosed by researchers. A few months later, Joomla developers rushed to patch a zero-day that had been exploited in the wild for at least two days before fixes were released.

Related: Critical Vulnerabilities Patched in Joomla

Related: Joomla Patches Dangerous Security Flaws

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Vulnerabilities

Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Protection

The cryptopocalypse is the point at which quantum computing becomes powerful enough to use Shor’s algorithm to crack PKI encryption.

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Artificial Intelligence

The CRYSTALS-Kyber public-key encryption and key encapsulation mechanism recommended by NIST for post-quantum cryptography has been broken using AI combined with side channel attacks.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

Vulnerabilities

A researcher at IOActive discovered that home security systems from SimpliSafe are plagued by a vulnerability that allows tech savvy burglars to remotely disable...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...