What's New In Joomla 3.4.8?
Joomla has just released version 3.4.8 of its open-source content management system (CMS) in an effort to lock down two new vulnerabilities, one of which could grant attackers full control of an affected website. As noted by SecurityWeek, the severity of these flaws didn’t go unnoticed: Symantec tracked an average of 16,000 hits per day attempting to exploit the issue. Here’s a rundown of what’s at risk with an unpatched Joomla install.
Joomla 3.4.8 fixes some issues found in the 3.4.7 release on Monday to do with browser sessions. All reported bugs from the 3.4.7 update have been fixed in this release:
- Users were unable to edit or create items after the 3.4.7 update
- Fatal error about connection->stat() not existing on external database connections
- After session timeout users could still navigate the backend but without being able to create/edit items or use pagination/filters
Joomla Security Risks
For almost a decade, a critical remote command execution vulnerability has existed in Joomla; versions 1.5 through 3.4.5 are affected by CVE-2015-8562. According to Ars Technica, while Joomla security teams patched the vulnerability within two days, the bug was already being exploited in the wild on IP addresses 22.214.171.124, 126.96.36.199 and 188.8.131.52. In addition, any events using either “JDatabaseDriverMysqli” or “O:” in the user agent were likely attack vectors.
So what’s the big risk here? CVE-2015-8562 leverages an issue with poor filtering when Joomla saves browser session values. As detailed by Sucuri, exploiting this flaw and combining it with the result of MySQL meeting a UTF-8 character that isn’t supported by uft8_general_ci — which causes data truncation from a specific value — it’s possible to launch an attack that could fully compromise servers. Cybercriminals then use the servers as malware hosts or sell access to them for a fee on the Dark Web.
Given the relative simplicity of the flaw and the substantial impact if exploited, its no wonder attackers were eager to jump on the problem in the wild. In an effort to determine which servers are still vulnerable, cybercriminals have been swinging for the fences, sending out HTTP requests and analyzing the responses of phpinfo() and eval(chr()) functions to find likely targets. The result? Symantec clocked a high point of more than 20,000 attempts in a single day, with day-to-day averages hovering around 16,000 hits, according to SecurityWeek.
It makes sense that cybercriminals would be working overtime trying to exploit the vulnerability. While WordPress still dominates the CMS marketplace, Joomla holds a solid second place with over 550,000 Web pages using the open-source service, including Linux.com, The Hill online newspaper and Harvard University. Full access to any of these servers would let malicious actors wreak havoc; Malware distribution, DDoS attacks and stolen data are all potential outcomes.
The takeaway here? Even with Joomla security on the ball, there’s no guarantee that existing code flaws won’t crop up and cause problems for big companies. The solution? Active monitoring for starters — just because an application, CMS or cloud-based service seems secure, that’s no reason to turn a blind eye if odd behaviors start to emerge. Immediate patching is also critical. Within two days, Joomla rolled out version 3.4.6 and closed the security hole but in the time hits were already skyrocketing. Two more days and 32,000 attacks could slip through. A week? More than 110,000.
Best Joomla Hosting Recommendation
ASPHostPortal.com provides our customers with Plesk Panel, one of the most popular and stable control panels for Windows hosting, as free. You could also see the latest .NET framework, a crazy amount of functionality as well as Large disk space, bandwidth, MSSQL databases and more. All those give people the convenience to build up a powerful site in Windows server. We offers Joomla hosting starts from $5/month only. We also guarantees 30 days money back and guarantee 99.9% uptime. If you need a reliable affordable Joomla Hosting, we should be your best choice.