14 December 2015

Zero-day Vulnerability in Joomla!

Zero-day Vulnerability in Joomla!

Today we became aware of a critical vulnerability in a popular content management system Joomla!

All versions from 1.5 to 3.4.5 are vulnerable. Vendor has already issued a patch, a new version 3.4.6 is available and can be downloaded from vendor’s website.

Sucuri was the first company who published information about this vulnerability. They claim, exploitation in the wild began on December 12, two days before the official patch was released. We have no knowledge of the number of websites that was compromised during this attack.

Users have spotted several IP addresses that where used during exploitation:

74.3.170.33
146.0.72.83
194.28.174.106

The vulnerability is caused by insufficient filtration of HTTP User-Agent header before storing it into database. A remote attacker can use a specially crafted HTTP User-Agent header to execute arbitrary PHP code on the target system with privileges of the web server.

CVSSv3 score for this vulnerability is: 10 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H).

We advise to install the latest patch ASAP. In case installation of the patch is impossible, you can use the following rules to stop exploitation of this vulnerability:

Apache

Use ModRewrite rules to replace dangerous characters in User-Agent header:

RewriteCond %{HTTP_USER_AGENT} .*\{.* [NC]
RewriteRule .* - [F,L]

nginx

if ( $http_user_agent ~* (\{|\}) ) {
return 403;
}

IIS

<filteringRules>
<filteringRule name="Block Joomla 0day" scanUrl="false" scanQueryString="false">
<scanHeaders>
<clear />
<add requestHeader="User-Agent" />
</scanHeaders>
<denyStrings>
<clear />
<add string="}" />
</denyStrings>
<appliesTo>
<clear />
</appliesTo>
</filteringRule>
</filteringRules>

Back to the list

Latest Posts

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Patch Tuesday: 60 vulnerabilities, 2 zero-days and good old LNK bugs

Today Microsoft has released security fixes for 60 vulnerabilities in total. Among them 2 zero-days in Windows Shell and Internet Explorer.
15 August 2018
Microsoft patches for June 2018

Microsoft patches for June 2018

50 vulnerabilities patched, some of them are potentially wormable.
13 June 2018
VPNFilter, attacks on routers and why external scanning is essential for security

VPNFilter, attacks on routers and why external scanning is essential for security

How to protect your router from VPNFilter and other attacks.
8 June 2018
Featured vulnerabilities
Denial of service in ImageMagick
Low Patched | 22 Oct, 2018
Multiple vulnerabilities in NAS devices
High Not Patched | 22 Oct, 2018