Today we became aware of a critical vulnerability in a popular content management system Joomla!
All versions from 1.5 to 3.4.5 are vulnerable. Vendor has already issued a patch, a new version 3.4.6 is available and can be downloaded from vendor’s website.
Sucuri was the first company who published information about this vulnerability. They claim, exploitation in the wild began on December 12, two days before the official patch was released. We have no knowledge of the number of websites that was compromised during this attack.
Users have spotted several IP addresses that where used during exploitation:
74.3.170.33
146.0.72.83
194.28.174.106
The vulnerability is caused by insufficient filtration of HTTP User-Agent header before storing it into database. A remote attacker can use a specially crafted HTTP User-Agent header to execute arbitrary PHP code on the target system with privileges of the web server.
CVSSv3 score for this vulnerability is: 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).
We advise to install the latest patch ASAP. In case installation of the patch is impossible, you can use the following rules to stop exploitation of this vulnerability:
Apache
Use ModRewrite rules to replace dangerous characters in User-Agent header:
RewriteCond %{HTTP_USER_AGENT} .*\{.* [NC]
RewriteRule .* - [F,L]
nginx
if ( $http_user_agent ~* (\{|\}) ) {
return 403;
}
IIS
<filteringRules>
<filteringRule name="Block Joomla 0day" scanUrl="false" scanQueryString="false">
<scanHeaders>
<clear />
<add requestHeader="User-Agent" />
</scanHeaders>
<denyStrings>
<clear />
<add string="}" />
</denyStrings>
<appliesTo>
<clear />
</appliesTo>
</filteringRule>
</filteringRules>