14 December 2015

Zero-day Vulnerability in Joomla!

Zero-day Vulnerability in Joomla!

Today we became aware of a critical vulnerability in a popular content management system Joomla!

All versions from 1.5 to 3.4.5 are vulnerable. Vendor has already issued a patch, a new version 3.4.6 is available and can be downloaded from vendor’s website.

Sucuri was the first company who published information about this vulnerability. They claim, exploitation in the wild began on December 12, two days before the official patch was released. We have no knowledge of the number of websites that was compromised during this attack.

Users have spotted several IP addresses that where used during exploitation:

74.3.170.33
146.0.72.83
194.28.174.106

The vulnerability is caused by insufficient filtration of HTTP User-Agent header before storing it into database. A remote attacker can use a specially crafted HTTP User-Agent header to execute arbitrary PHP code on the target system with privileges of the web server.

CVSSv3 score for this vulnerability is: 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

We advise to install the latest patch ASAP. In case installation of the patch is impossible, you can use the following rules to stop exploitation of this vulnerability:

Apache

Use ModRewrite rules to replace dangerous characters in User-Agent header:

RewriteCond %{HTTP_USER_AGENT} .*\{.* [NC]
RewriteRule .* - [F,L]

nginx

if ( $http_user_agent ~* (\{|\}) ) {
return 403;
}

IIS

<filteringRules>
<filteringRule name="Block Joomla 0day" scanUrl="false" scanQueryString="false">
<scanHeaders>
<clear />
<add requestHeader="User-Agent" />
</scanHeaders>
<denyStrings>
<clear />
<add string="}" />
</denyStrings>
<appliesTo>
<clear />
</appliesTo>
</filteringRule>
</filteringRules>

Back to the list

Latest Posts

Remote code execution in NetBSD – nasty and potentially wormable bug

Remote code execution in NetBSD – nasty and potentially wormable bug

NetBSD users are advised to install patched ASAP.
12 February 2018
Zero-day vulnerability in Adobe Flash Player

Zero-day vulnerability in Adobe Flash Player

Second zero-day this year. No remedy available.
1 February 2018
Jackpotting: Weird Attack On ATM

Jackpotting: Weird Attack On ATM

Jackpotting requires not only technical skills and great coordination but also acting skills, audacity and composure.
30 January 2018
Featured vulnerabilities
Remote code execution in Microsoft Internet Explorer
Сritical Not Patched | 21 Apr, 2018
Privilege escalation in spice-gtk
Medium Not Patched | 21 Apr, 2018
Multiple vulnerabilities in GEGL
High Not Patched | 21 Apr, 2018
Security restrictions bypass in 7-zip
Low Not Patched | 21 Apr, 2018