
Multiple vulnerabilities in Joomla Could Allow Arbitrary Code Execution

MS-ISAC ADVISORY NUMBER:

2015-155

DATE(S) ISSUED:

12/22/2015

OVERVIEW:

Multiple vulnerabilities have been discovered in Joomla, which could result in remote code execution or SQL injection. Joomla is an open source content management system for websites. These vulnerabilities can be exploited by a remote attacker sending a maliciously crafted packet to a vulnerable server.

Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code in the context of the browser, perform SQL injection, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions.

THREAT INTELLIGENCE:

There are reports of these vulnerabilities being exploited in the wild.

SYSTEMS AFFECTED:

  • Joomla versions 1.5 through 3.4.6 (vulnerable to Remote Code Execution)
  • Joomla versions 3.0.0 through 3.4.6 (vulnerable to SQL Injection)

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: LOW

TECHNICAL SUMMARY:

A remote code execution vulnerability exists in Joomla versions 1.5 through 3.4.6 when the session deserializer calls php_var_unserialize() multiple times (CVE-2015-8566). A SQL injection vulnerability exists in Joomla! CMS versions 3.0.0 through 3.4.6 due to inadequate filtering of request data. These vulnerabilities may be exploited by a remote attacker sending a maliciously crafted packet to a vulnerable server. Successful exploitation of these vulnerabilities could allow a remote attacker to execute arbitrary code in the context of the application, obtain sensitive information, bypass security restrictions, or cause denial-of-service conditions. It is worth noting that the underlying deserialization flaw exists in PHP itself and was remediated in September with the release of PHP versions 5.4.45, 5.5.29, 5.6.13 and all iterations of version 7.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Joomla to vulnerable Joomla 3.X systems immediately after appropriate testing.
  • Apply appropriate hotfixes provided by Joomla to vulnerable Joomla 1.0.0 and 2.3.0 systems immediately after appropriate testing.
  • Verify that no unauthorized system modifications have occurred on the system before applying the patch.
  • Monitor intrusion detection systems for any signs of anomalous activity.
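The version ranges in the technical summary and the remediated PHP releases lend themselves to a quick inventory triage: for each host, is the Joomla install inside the RCE or SQL injection range, and does the PHP runtime already carry the unserialize() fix? The script below is an added example, not MS-ISAC or Joomla code; the thresholds are taken from this advisory, while the host names and versions in the inventory are constructed sample data.

```python
"""Triage helper for MS-ISAC advisory 2015-155 (added example, not part of
the advisory).  Version thresholds come from the advisory text; the
inventory below is constructed sample data."""

from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '3.4.6' or '5.6.13-1ubuntu3' into a comparable tuple of ints.

    Distribution suffixes after '-' or '+' are dropped; non-numeric pieces
    inside a component (e.g. '6rc1') keep only their digits."""
    core = text.strip().split("-")[0].split("+")[0]
    parts: List[int] = []
    for piece in core.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


# Affected Joomla ranges (inclusive) as stated in the advisory.
RCE_RANGE = (parse_version("1.5"), parse_version("3.4.6"))
SQLI_RANGE = (parse_version("3.0.0"), parse_version("3.4.6"))

# First PHP release per 5.x branch that carries the unserialize() fix;
# every PHP 7 release is fixed.  Branches not listed here are not named
# as fixed in the advisory and are treated as unpatched.
PHP_FIXED: Dict[Tuple[int, int], Version] = {
    (5, 4): parse_version("5.4.45"),
    (5, 5): parse_version("5.5.29"),
    (5, 6): parse_version("5.6.13"),
}


def in_range(v: Version, lo: Version, hi: Version) -> bool:
    """Inclusive tuple comparison; (1, 5, 26) >= (1, 5) as expected."""
    return lo <= v <= hi


def php_has_fix(php_version: str) -> bool:
    """True if the PHP runtime is at or above the remediated release."""
    v = parse_version(php_version)
    if v and v[0] >= 7:
        return True
    fixed = PHP_FIXED.get(v[:2])
    if fixed is None:
        return False
    return v >= fixed


def assess(joomla_version: str, php_version: str) -> Dict[str, object]:
    """Classify one host against the advisory's affected ranges."""
    j = parse_version(joomla_version)
    rce = in_range(j, *RCE_RANGE)
    sqli = in_range(j, *SQLI_RANGE)
    php_fixed = php_has_fix(php_version)
    actions: List[str] = []
    if rce or sqli:
        actions.append("verify integrity, then apply Joomla patch/hotfix after testing")
    if rce and not php_fixed:
        actions.append("upgrade PHP to a release carrying the unserialize() fix")
    if rce or sqli:
        actions.append("review IDS alerts for anomalous activity")
    return {"rce": rce, "sqli": sqli, "php_fixed": php_fixed, "actions": actions}


# Constructed sample inventory: (host, joomla_version, php_version).
INVENTORY = [
    ("web-01", "3.4.5", "5.5.28"),
    ("web-02", "3.4.6", "7.0.1"),
    ("web-03", "2.5.28", "5.4.45"),
    ("web-04", "3.4.7", "5.6.13-1ubuntu3"),
]


def triage(inventory=INVENTORY) -> Dict[str, Dict[str, object]]:
    return {host: assess(j, p) for host, j, p in inventory}


if __name__ == "__main__":
    for host, result in triage().items():
        print(host, result)
```

A fixed PHP runtime removes the underlying deserialization defect but does not replace the Joomla update; the script therefore keeps the patch action whenever a host sits inside either affected range and only adds the PHP upgrade when the runtime is still below the remediated release.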

REFERENCES:
