Menu
Hurry! Wait! Go! Joomla stumbles with patch for serious vulnerability

Hurry! Wait! Go! Joomla stumbles with patch for serious vulnerability

Joomla patches were reissued after the first versions broke the update process of existing installations

The Joomla project pushed out new updates for its popular content management system Wednesday after a glitch was found in the high-priority security patches it released a day before.

Joomla versions 3.3.5, 3.2.6 and 2.5.26 were released Tuesday to patch a moderate-risk remote file inclusion vulnerability and a denial-of-service issue. However, hours after the updates were made available, Joomla's developers issued an urgent request for users to delay upgrading.

"Unfortunately, due to a small technical issue we need to release another version very soon," the project said on Facebook, apologizing for the situation.

New Joomla versions 3.3.6, 3.2.7 and 2.5.27 were released Wednesday to address the newly identified issue and a few others.

"This release addresses an issue related to the core update component, one regression in the user password reset process, and adds a fallback upgrade mechanism for the update component," the Joomla Project said in the new release notes.

Users who already deployed Tuesday's patches will not be able to upgrade to new Joomla versions through the normal update component, and will have to use the Extension Manager instead.

Remote file inclusion vulnerabilities are dangerous because they can allow attackers to install backdoors on vulnerable sites and modify files hosted on site servers. However, in the case of this particular Joomla flaw the risk is reduced because the attacker needs to time an attack for exactly when a Joomla package is being extracted during an update operation.

According to Web software development firm Akeeba, whose products are also affected by the issue, the attack window is typically five to 90 seconds and requires the attacker to know when this operation will occur.

"Due to the special conditions required merely having the affected software installed DOES NOT make your site vulnerable," the firm said in a security advisory. "However, this security issue can be used for targeted attacks against valuable targets."


Follow Us

Join the newsletter!

Error: Please check your email address.

Tags patchessecurityAkeebajoomlapatch managementExploits / vulnerabilities

Featured

Slideshows

A snapshot of the Kiwi partners set to shine at the Reseller News Awards

A snapshot of the Kiwi partners set to shine at the Reseller News Awards

With the 2017 Reseller News ICT Industry Awards only weeks away, Reseller News profiles the power line-up of partners set to dominate the biggest night on the channel calendar. ​Ranging from the enterprise, down through the mid-market and small business sectors into the heart of the start-up scene, the end result is the most diverse and wide-ranging partner line-up in the history of the Awards, playing host to the leading innovators of the past 12 months.​

A snapshot of the Kiwi partners set to shine at the Reseller News Awards
Show Comments