December 29, 2015 By Douglas Bonderud 2 min read

According to US-CERT, Joomla has just released version 3.4.7 of its open-source content management system (CMS) in an effort to lock down two new vulnerabilities, one of which could grant attackers full control of an affected website. As noted by SecurityWeek, the severity of these flaws didn’t go unnoticed: Symantec tracked an average of 16,000 hits per day attempting to exploit the issue. Here’s a rundown of what’s at risk with an unpatched Joomla install.

Joomla Security Risks

For almost a decade, a critical remote command execution vulnerability has existed in Joomla; versions 1.5 through 3.4.5 are affected by CVE-2015-8562. According to Ars Technica, while Joomla security teams patched the vulnerability within two days, the bug was already being exploited in the wild on IP addresses 146.0.72.83, 74.3.170.33 and 194.28.174.106. In addition, any events using either “JDatabaseDriverMysqli” or “O:” in the user agent were likely attack vectors.

So what’s the big risk here? CVE-2015-8562 leverages an issue with poor filtering when Joomla saves browser session values. As detailed by Sucuri, exploiting this flaw and combining it with the result of MySQL meeting a UTF-8 character that isn’t supported by uft8_general_ci — which causes data truncation from a specific value — it’s possible to launch an attack that could fully compromise servers. Cybercriminals then use the servers as malware hosts or sell access to them for a fee on the Dark Web.

Big Numbers

Given the relative simplicity of the flaw and the substantial impact if exploited, its no wonder attackers were eager to jump on the problem in the wild. In an effort to determine which servers are still vulnerable, cybercriminals have been swinging for the fences, sending out HTTP requests and analyzing the responses of phpinfo() and eval(chr()) functions to find likely targets. The result? Symantec clocked a high point of more than 20,000 attempts in a single day, with day-to-day averages hovering around 16,000 hits, according to SecurityWeek.

It makes sense that cybercriminals would be working overtime trying to exploit the vulnerability. While WordPress still dominates the CMS marketplace, Joomla holds a solid second place with over 550,000 Web pages using the open-source service, including Linux.com, The Hill online newspaper and Harvard University. Full access to any of these servers would let malicious actors wreak havoc; Malware distribution, DDoS attacks and stolen data are all potential outcomes.

The takeaway here? Even with Joomla security on the ball, there’s no guarantee that existing code flaws won’t crop up and cause problems for big companies. The solution? Active monitoring for starters — just because an application, CMS or cloud-based service seems secure, that’s no reason to turn a blind eye if odd behaviors start to emerge. Immediate patching is also critical. Within two days, Joomla rolled out version 3.4.6 and closed the security hole but in the time hits were already skyrocketing. Two more days and 32,000 attacks could slip through. A week? More than 110,000.

It’s simple: Attackers love vulnerabilities. Existing problems continue to emerge, even in well-used and thoroughly tested software. No protection is perfect, but dodging the hacker haymaker requires constant vigilance — and immediate updating.

More from

Ransomware payouts hit all-time high, but that’s not the whole story

3 min read - Ransomware payments hit an all-time high of $1.1 billion in 2023, following a steep drop in total payouts in 2022. Some factors that may have contributed to the decline in 2022 were the Ukraine conflict, fewer victims paying ransoms and cyber group takedowns by legal authorities.In 2023, however, ransomware payouts came roaring back to set a new all-time record. During 2023, nefarious actors targeted high-profile institutions and critical infrastructure, including hospitals, schools and government agencies.Still, it’s not all roses for…

What should an AI ethics governance framework look like?

4 min read - While the race to achieve generative AI intensifies, the ethical debate surrounding the technology also continues to heat up. And the stakes keep getting higher.As per Gartner, “Organizations are responsible for ensuring that AI projects they develop, deploy or use do not have negative ethical consequences.” Meanwhile, 79% of executives say AI ethics is important to their enterprise-wide AI approach, but less than 25% have operationalized ethics governance principles.AI is also high on the list of United States government concerns.…

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today