Menu
Hurry! Wait! Go! Joomla stumbles with patch for serious vulnerability

Hurry! Wait! Go! Joomla stumbles with patch for serious vulnerability

Joomla patches were reissued after the first versions broke the update process of existing installations

The Joomla project pushed out new updates for its popular content management system Wednesday after a glitch was found in the high-priority security patches it released a day before.

Joomla versions 3.3.5, 3.2.6 and 2.5.26 were released Tuesday to patch a moderate-risk remote file inclusion vulnerability and a denial-of-service issue. However, hours after the updates were made available, Joomla's developers issued an urgent request for users to delay upgrading.

"Unfortunately, due to a small technical issue we need to release another version very soon," the project said on Facebook, apologizing for the situation.

New Joomla versions 3.3.6, 3.2.7 and 2.5.27 were released Wednesday to address the newly identified issue and a few others.

"This release addresses an issue related to the core update component, one regression in the user password reset process, and adds a fallback upgrade mechanism for the update component," the Joomla Project said in the new release notes.

Users who already deployed Tuesday's patches will not be able to upgrade to new Joomla versions through the normal update component, and will have to use the Extension Manager instead.

Remote file inclusion vulnerabilities are dangerous because they can allow attackers to install backdoors on vulnerable sites and modify files hosted on site servers. However, in the case of this particular Joomla flaw the risk is reduced because the attacker needs to time an attack for exactly when a Joomla package is being extracted during an update operation.

According to Web software development firm Akeeba, whose products are also affected by the issue, the attack window is typically five to 90 seconds and requires the attacker to know when this operation will occur.

"Due to the special conditions required merely having the affected software installed DOES NOT make your site vulnerable," the firm said in a security advisory. "However, this security issue can be used for targeted attacks against valuable targets."


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags securitypatch managementjoomlapatchesExploits / vulnerabilitiesAkeeba

Featured

Slideshows

Meet the leading female front runners of the Kiwi channel

Meet the leading female front runners of the Kiwi channel

Reseller News honoured the leading female front runners of the New Zealand channel at the 2018 Women in ICT Awards (WIICTA) in Auckland. The awards honoured standout individuals across seven categories, spanning Entrepreneur; Innovation; Rising Star; Shining Star; Community; Technical and Achievement.

Meet the leading female front runners of the Kiwi channel
Meet the top performing customer-centric Microsoft channel partners

Meet the top performing customer-centric Microsoft channel partners

Microsoft honoured leading partners across the channel following a year of customer innovation and market growth in New Zealand. The 2018 Microsoft Partner Awards recognised excellence within the context of the end-user, spanning a host of emerging and established providers.

Meet the top performing customer-centric Microsoft channel partners
Reseller News launches new-look Awards at 2018 Judges’ Lunch

Reseller News launches new-look Awards at 2018 Judges’ Lunch

Introducing the Reseller News Innovation Awards, launched to the channel at the 2018 Judges’ Lunch in Auckland. With more than 70 judges now part of the voting panel, the new-look awards will reflect the changing dynamics of the channel, recognising excellence across customer value and innovation - spanning start-ups, partners, distributors and vendors.

Reseller News launches new-look Awards at 2018 Judges’ Lunch
Show Comments