Joomla, one of the most popular open source Content Management System (CMS) software packages for website development, has reportedly patched three critical vulnerabilities in its software package. This is the complete tutorial for this Joomla SQL injection vulnerability.
The flaws, which exist in Joomla versions 3.2 to 3.4.4, include SQL injection vulnerabilities that could allow hackers to take admin privileges on most customer websites and compromise the complete Joomla site database.
The patch is an upgrade to Joomla version 3.4.5, which contains only the security fixes for these recently patched flaws.
The vulnerability, discovered by Trustwave SpiderLabs researcher Asaf Orpani and Netanel Rubin of PerimeterX, could be exploited to attack a website with SQL injections.
SQL injection (SQLi) is an injection attack wherein an attacker (black hat) can insert malicious SQL commands or queries (malicious payloads) through the input data sent from the client to the application.
The attack enabled by the SQLi that Orpani discovered in Joomla proceeds as follows:
- The vulnerability is exploited to gain the administrator session key.
- Executing the request against the Joomla site returns the admin session key.
- The admin key is used to hijack the session, which further gives:
  - Access to the /administrator/ folder
  - Administrator privileges
  - Access to the administrator Control Panel
CVE-2015-7857 grants an unauthorized remote attacker . Once exploited, the attacker may gain full control of the website and execute additional attacks.
The vulnerability was discovered in a core module that doesn't require any extensions; therefore, all websites that use Joomla versions 3.2 (released in November 2013) and above are vulnerable.
The researchers also identified the related vulnerabilities, CVE-2015-7858 and CVE-2015-7297, as part of their research.
The Joomla code residing in /administrator/components/com_contenthistory/models/history.php was vulnerable to SQL injection.
Orpani came across many weak links in this code, which leads:
Vulnerability in Drupal
The well-known CMS Drupal has also patched an open redirect vulnerability in the Overlay module of its core project (7.x versions prior to 7.41).
The Overlay module in the Drupal core project shows administrative pages as a layer on the current page, rather than changing the page in the browser window.
However, the module does not sufficiently validate URLs prior to displaying their contents, which leads to an open redirect vulnerability, according to Drupal's official blog.
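The kind of URL validation the passage above says was missing can be sketched as a same-origin check applied before a user-supplied URL is displayed or followed. This is an added example, not Drupal's own code or its actual fix; the function name `isSafeInternalUrl`, the origin `https://cms.example` and the sample URLs are assumptions constructed for illustration.

```javascript
// Added example (not Drupal code): accept a user-supplied URL only if it
// resolves to the site's own origin. SITE_ORIGIN is a constructed value.
const SITE_ORIGIN = 'https://cms.example';

function isSafeInternalUrl(candidate, siteOrigin = SITE_ORIGIN) {
  if (typeof candidate !== 'string' || candidate.length === 0) return false;
  // Browsers may treat "\" as "/" and drop control characters while parsing,
  // so a value containing either is rejected rather than normalised.
  if (/[\u0000-\u001f\u007f\\]/.test(candidate)) return false;
  let resolved;
  try {
    // Resolve relative paths against the site origin, as a browser would.
    resolved = new URL(candidate, siteOrigin);
  } catch (err) {
    return false; // not parseable as a URL at all
  }
  // Only web schemes; this also rejects javascript: and data: URLs.
  if (resolved.protocol !== 'http:' && resolved.protocol !== 'https:') return false;
  // Credentials embedded in a URL have no place in an internal link.
  if (resolved.username !== '' || resolved.password !== '') return false;
  // Scheme, host and port must all match the site.
  return resolved.origin === new URL(siteOrigin).origin;
}

// Constructed sample inputs, checked one by one.
const samples = [
  '/admin/content',                 // site-relative path
  'admin/people?page=2',            // relative path
  'https://cms.example/node/1',     // absolute, same origin
  '//other.test/path',              // protocol-relative, different host
  'https://cms.example.other.test/' // look-alike host name
];

function auditSamples(list) {
  return list.map((u) => ({ url: u, allowed: isSafeInternalUrl(u) }));
}

for (const row of auditSamples(samples)) {
  console.log(row.allowed ? 'allow ' : 'reject', row.url);
}
```

The comparison is made on the parsed origin rather than on a string prefix, so a host name that merely starts with the site's name is rejected.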
Joomla! 3.4.5 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability. We strongly ask that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.4 release.
The Drupal vulnerability affects site users with administrative rights; i.e. it can be exploited only if the "Access the administrative overlay" permission is enabled.
The fix for the open redirect vulnerability has been released and requires sites to upgrade to Drupal version 7.41.
If you were not aware of these vulnerabilities, do not panic: you can fix your CMS now!