14 December 2015

Zero-day Vulnerability in Joomla!

Zero-day Vulnerability in Joomla!

Today we became aware of a critical vulnerability in a popular content management system Joomla!

All versions from 1.5 to 3.4.5 are vulnerable. Vendor has already issued a patch, a new version 3.4.6 is available and can be downloaded from vendor’s website.

Sucuri was the first company who published information about this vulnerability. They claim, exploitation in the wild began on December 12, two days before the official patch was released. We have no knowledge of the number of websites that was compromised during this attack.

Users have spotted several IP addresses that where used during exploitation:

74.3.170.33
146.0.72.83
194.28.174.106

The vulnerability is caused by insufficient filtration of HTTP User-Agent header before storing it into database. A remote attacker can use a specially crafted HTTP User-Agent header to execute arbitrary PHP code on the target system with privileges of the web server.

CVSSv3 score for this vulnerability is: 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

We advise to install the latest patch ASAP. In case installation of the patch is impossible, you can use the following rules to stop exploitation of this vulnerability:

Apache

Use ModRewrite rules to replace dangerous characters in User-Agent header:

RewriteCond %{HTTP_USER_AGENT} .*\{.* [NC]
RewriteRule .* - [F,L]

nginx

if ( $http_user_agent ~* (\{|\}) ) {
return 403;
}

IIS

<filteringRules>
<filteringRule name="Block Joomla 0day" scanUrl="false" scanQueryString="false">
<scanHeaders>
<clear />
<add requestHeader="User-Agent" />
</scanHeaders>
<denyStrings>
<clear />
<add string="}" />
</denyStrings>
<appliesTo>
<clear />
</appliesTo>
</filteringRule>
</filteringRules>

Back to the list

Latest Posts

ATM Skimmers: What You Should Know

ATM Skimmers: What You Should Know

We hear about data breaches every day, criminals sell credit cards details (numbers, expiration date, and cardholders’ names) on black markets, and more people become victims of identity theft.
16 November 2017
Review of November’s Patch Tuesday for Microsoft, Adobe, and Mozilla

Review of November’s Patch Tuesday for Microsoft, Adobe, and Mozilla

The TOP software vendors fixed yesterday 153 vulnerabilities.
15 November 2017
Week in review: major cybersecurity incidents in November 6-12

Week in review: major cybersecurity incidents in November 6-12

The article contains a brief report of cybersecurity incidents for the past week.
14 November 2017