Joomla patches serious SQLi flaw

The secure version is 3.4.5

joomla vulnerability

Asaf Orpani of Trustwave's SpiderLabs found a SQL injection vulnerability that could allow adminstrative access to the Joomla content management system.

Credit: Trustwave SpiderLabs

Joomla, a popular content management system, released patches on Thursday for a vulnerability that can allow an attacker to get full administrative access to a website.

Joomla versions 3.2 through 3.4.4 are vulnerable, and the latest version is 3.4.5.

The SQL injection flaw was found by Asaf Orphani, a researcher with Trustwave's SpiderLabs, and Netanel Rubin of PerimeterX.

SQL injection flaws occur when a backend database executes a malicious query when it shouldn't. The type of vulnerability is one of the most prevalent ones within web applications.

In the case of Joomla, Orpani found he could extract a session ID for Joomla's database.

"By pasting the session ID we've extracted -- that of an administrator in this case -- to the cookie section in the request to access the /administrator/ folder, we're granted administrator privileges and access to the administrator Control Panel," he wrote in a blog post.

Since Joomla can also accommodate shopping cart such as VirtueMart, e-commerce sites are also vulnerable to being exploited, Orphani wrote.

To express your thoughts on Computerworld content, visit Computerworld's Facebook page, LinkedIn page and Twitter stream.
Windows 10 annoyances and solutions
Shop Tech Products at Amazon
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.