Menu
Joomla releases patch for serious SQLi flaw

Joomla releases patch for serious SQLi flaw

The secure version is 3.4.5

Joomla, a popular content management system, released patches on Thursday for a vulnerability that can allow an attacker to get full administrative access to a website.

Joomla versions 3.2 through 3.4.4 are vulnerable, and the latest version is 3.4.5.

The SQL injection flaw was found by Asaf Orphani, a researcher with Trustwave's SpiderLabs, and Netanel Rubin of PerimeterX.

SQL injection flaws occur when a backend database executes a malicious query when it shouldn't. The type of vulnerability is one of the most prevalent ones within web applications.

In the case of Joomla, Orpani found he could extract a session ID for Joomla's database.

"By pasting the session ID we've extracted -- that of an administrator in this case -- to the cookie section in the request to access the /administrator/ folder, we're granted administrator privileges and access to the administrator Control Panel," he wrote in a blog post.

Since Joomla can also accommodate shopping cart such as VirtueMart, e-commerce sites are also vulnerable to being exploited, Orphani wrote.


Follow Us

Join the newsletter!

Or
Error: Please check your email address.

Featured

Slideshows

Data breach notification laws in NZ: How can partners prepare?

Data breach notification laws in NZ: How can partners prepare?

This exclusive Reseller News Roundtable outlined the responsibilities facing security partners today, assessing risk while evaluating the role of the vendor in providing added layers of protection.

Data breach notification laws in NZ: How can partners prepare?
Meet the leading StorageCraft partners across A/NZ

Meet the leading StorageCraft partners across A/NZ

StorageCraft honoured its top performing partners across Australia and New Zealand (A/NZ), recognising channel excellence following a strong year of growth.

Meet the leading StorageCraft partners across A/NZ
Show Comments