14 December 2015

Zero-day Vulnerability in Joomla!

Zero-day Vulnerability in Joomla!

Today we became aware of a critical vulnerability in a popular content management system Joomla!

All versions from 1.5 to 3.4.5 are vulnerable. Vendor has already issued a patch, a new version 3.4.6 is available and can be downloaded from vendor’s website.

Sucuri was the first company who published information about this vulnerability. They claim, exploitation in the wild began on December 12, two days before the official patch was released. We have no knowledge of the number of websites that was compromised during this attack.

Users have spotted several IP addresses that where used during exploitation:

74.3.170.33
146.0.72.83
194.28.174.106

The vulnerability is caused by insufficient filtration of HTTP User-Agent header before storing it into database. A remote attacker can use a specially crafted HTTP User-Agent header to execute arbitrary PHP code on the target system with privileges of the web server.

CVSSv3 score for this vulnerability is: 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

We advise to install the latest patch ASAP. In case installation of the patch is impossible, you can use the following rules to stop exploitation of this vulnerability:

Apache

Use ModRewrite rules to replace dangerous characters in User-Agent header:

RewriteCond %{HTTP_USER_AGENT} .*\{.* [NC]
RewriteRule .* - [F,L]

nginx

if ( $http_user_agent ~* (\{|\}) ) {
return 403;
}

IIS

<filteringRules>
<filteringRule name="Block Joomla 0day" scanUrl="false" scanQueryString="false">
<scanHeaders>
<clear />
<add requestHeader="User-Agent" />
</scanHeaders>
<denyStrings>
<clear />
<add string="}" />
</denyStrings>
<appliesTo>
<clear />
</appliesTo>
</filteringRule>
</filteringRules>

Back to the list

Latest Posts

MS January patches 2.0: first zero-day in MS Word this year and 23 other bugs

MS January patches 2.0: first zero-day in MS Word this year and 23 other bugs

Microsoft released patches for 24 vulnerabilities, including zero-day in Word/Office software.
9 January 2018
Microsoft unexpectedly patched 33 vulnerabilities in Windows and its browsers

Microsoft unexpectedly patched 33 vulnerabilities in Windows and its browsers

Patch Tuesday came a bit earlier this year.
4 January 2018
Black Tuesday: Microsoft issued patches for 33 vulnerabilities

Black Tuesday: Microsoft issued patches for 33 vulnerabilities

Microsoft patched 32 vulnerabilities in their products. No zero-days this month.
12 December 2017