A Joomla update released on Wednesday patches a critical SQL injection vulnerability that can be easily exploited by a remote attacker to obtain sensitive data and hijack websites.
The flaw, discovered by Sucuri researcher Marc-Alexandre Montpas and tracked as CVE-2017-8917, affects Joomla 3.7.0 and it has been addressed with the release of version 3.7.1. This is the only security issue fixed in the latest version.
According to Montpas, the vulnerability only affects Joomla 3.7 because it’s related to a new component introduced in this version. The component in question is com_fields, which borrows views from an admin-side component that has the same name.
Since com_fields is a public-facing component, anyone can exploit the vulnerability without needing a privileged account on the targeted website. An attacker can leverage the flaw to inject nested SQL queries via a specially crafted URL.
“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen),” Montpas warned in a blog post published on Wednesday.
Joomla users have been advised to update their installations as soon as possible. Joomla developers even issued a pre-release security announcement last week to inform users of the “very important security fix.”
While Sucuri has not released a proof-of-concept (PoC) exploit, it has made public the flaw’s technical details. Given that it’s easy to exploit, it would not be surprising to see attacks leveraging this vulnerability in the next days.
In October 2016, cybercriminals started exploiting a couple of Joomla vulnerabilities in less than 24 hours after they were patched, despite the fact that only limited technical details had been made public. At the time, attackers leveraged the flaws to create rogue user accounts on popular websites.
One year prior, attackers started hacking Joomla websites within hours after the details of a SQL injection vulnerability were disclosed by researchers. A few months later, Joomla developers rushed to patch a zero-day that had been exploited in the wild for at least two days before fixes were released.