This is an archive post from the Netsparker (now Invicti) blog. Please note that the content may not reflect current product names and features in the Invicti offering.
A few hours ago Joomla! released version 3.4.5 of its CMS to address a critical unauthenticated SQL injection vulnerability identified by Asaf Orpani, a security researcher at Trustwave.
The Joomla! SQL Injection Technical Details
The SQL injection can enable an attacker to gain full administrative access to a target website when combined with other security weaknesses in Joomla! CMS. The SQL injection was discovered in a core module of Joomla! CMS, therefore all websites running Joomla! CMS version 3.2.* to 3.4.4 are affected by this vulnerability.
The technical details of the SQL Injection vulnerability and several other variations of it can be found in:
- CVE-2015-7297
- CVE-2015-7857
- CVE-2015-7858
Considering how easy this vulnerability is to exploit, and how popular Joomla! CMS is, expect widespread attacks and thousands of Joomla! CMS websites to be hacked.
Netsparker Heuristically Detects The New SQL Injection in Joomla!
Both Netsparker Desktop and Netsparker Enterprise web application security scanners can already detect this new critical SQL injection in Joomla! CMS, so you do not need to update or wait for updates from us.
Netsparker scanners identify this new SQL injection in Joomla! CMS heuristically, by testing the application's behaviour, rather than simply flagging the vulnerability based on the Joomla! CMS version reported by your website.
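To make the difference between version fingerprinting and heuristic detection concrete, here is an added example that is not part of the original post and not Netsparker's detection code. It uses a constructed mock application (`MockSite`, an in-memory SQLite table, and an `id` parameter; none of this is Joomla's real code or schema) whose advertised version string is independent of whether its query builder is actually vulnerable. A version check is wrong whenever the banner does not match the code that is really running, while a boolean-based probe (append a condition that is always true and one that is always false, then compare responses against a baseline) answers the only question that matters: does attacker input reach the SQL engine unescaped?

```python
import sqlite3


def _make_db():
    """Constructed sample data: a three-row table standing in for a CMS content table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO content (id, title) VALUES (?, ?)",
        [(1, "Welcome"), (2, "About"), (3, "Contact")],
    )
    return conn


class MockSite:
    """Hypothetical web application with one endpoint taking an ?id= parameter.

    vulnerable=True builds the query by string concatenation (the flaw class the
    post discusses); vulnerable=False binds the parameter. The advertised version
    banner is set independently, as it is on a real site whose files were edited,
    whose fix was backported, or whose patch was never actually applied.
    """

    def __init__(self, vulnerable, banner):
        self.db = _make_db()
        self.vulnerable = vulnerable
        self.banner = banner

    def version(self):
        return self.banner

    def get(self, id_param):
        """Return the response body for /index.php?id=<id_param>."""
        try:
            if self.vulnerable:
                # Unsafe: the raw parameter is spliced into the SQL text.
                sql = "SELECT title FROM content WHERE id = " + id_param
                rows = self.db.execute(sql).fetchall()
            else:
                # Safe: the parameter is bound, so it can only ever be a value.
                rows = self.db.execute(
                    "SELECT title FROM content WHERE id = ?", (id_param,)
                ).fetchall()
        except sqlite3.Error:
            return "HTTP 500 Internal Server Error"
        return "HTTP 200 " + ", ".join(r[0] for r in rows)


def version_check(site, fixed_version="3.4.5"):
    """Version-fingerprint approach: flag anything whose banner is below the fixed release."""
    as_tuple = lambda v: tuple(int(x) for x in v.split("."))
    return as_tuple(site.version()) < as_tuple(fixed_version)


def heuristic_check(site, param_value="1"):
    """Boolean-based probe: if the input reaches the SQL engine unescaped, a
    tautology leaves the response unchanged while a contradiction changes it.
    A site that answers every request identically is not flagged."""
    baseline = site.get(param_value)
    true_resp = site.get(param_value + " AND 1=1")
    false_resp = site.get(param_value + " AND 1=2")
    return true_resp == baseline and false_resp != baseline


def compare():
    """Run both checks against four constructed deployments.

    Returns {label: (version_check_result, heuristic_check_result)}.
    """
    sites = {
        "old banner, vulnerable": MockSite(True, "3.4.4"),
        "old banner, fix backported": MockSite(False, "3.4.4"),
        "new banner, still vulnerable": MockSite(True, "3.4.5"),
        "new banner, patched": MockSite(False, "3.4.5"),
    }
    return {label: (version_check(s), heuristic_check(s)) for label, s in sites.items()}


if __name__ == "__main__":
    for label, (by_version, by_probe) in compare().items():
        print(f"{label:32} version check: {by_version!s:5} heuristic: {by_probe}")
```

The version check is right only by coincidence in two of the four cases; the probe is right in all four. Two caveats for anyone adapting the probe: a boolean-based signal needs a stable baseline (dynamic page content such as timestamps must be normalised out before comparing), and a `500` on a single quote is corroborating evidence, not proof, so a scanner should confirm with a second independent technique before reporting.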