2 min read

For eight years, hackers have been able to exploit this password-stealing flaw in Joomla

Graham CLULEY

September 25, 2017

For eight years, hackers have been able to exploit this password-stealing flaw in Joomla

For the last eight years a critical vulnerability has lurked within the code of the Joomla CMS which could have allowed malicious hackers to steal every user’s login credentials – including those belonging to administrators.

A CMS is the content management system – a piece of software which manages all of the content on your website, ensuring that visitors get to see the webpage and images that they”re expecting to see. As such, for many companies, a CMS is an essential part of how they deliver content to customers.

For that reason, it’s really important that you keep your website’s CMS patched against the latest discovered vulnerabilities.

The serious security hole, which was patched in version 3.8 of Joomla released last week, was disclosed by researchers at German security firm RIPS Tech.

A previously unknown injection vulnerability exists in Joomla’s LDAP (Lightweight Directory Access Protocol) authentication code. Because affected versions of the software does not properly sanitise user input, the vulnerability can be exploited through a website’s CMS login page, as the researchers explain:

The lack of input sanitization of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.

A successful attack can lead to hackers stealing administrator login credentials, and gaining complete control over a website.

Joomla is one of the world’s most popular content management systems, and is used by millions of websites. As a result, any vulnerability that could lead to administrator passwords being leaked should be considered extremely alarming. What makes the discovery even more shocking, however, is that it has been possible for hackers to exploit the flaw since Joomla version 1.5, released eight years ago.

Joomla is open source software, and is regularly reviewed for vulnerabilities for security holes – and yet no-one found this critical flaw until now. The idea of open source software, being available for anyone to review and check for vulnerabilities, is a great one. But just because anyone can hunt for security holes in 500,000 lines of code doesn’t mean that every bug will be found – or that critical vulnerabilities that could lead to your entire website being compromised will be uncovered in a timely fashion.

Thankfully, in this case, Joomla confirmed and then fixed the vulnerability in a timely fashion after researchers told them about it. You can do your bit to reduce the risk of your site being compromised by updating to the latest version of your CMS, and ensuring that you keep a close eye in the future on emerging security issues.

It’s just a shame that it took eight years for this Joomla security hole to be discovered, and that we’ll never know if malicious hackers exploited it in the meantime.

tags


Author



Right now

Top posts

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

Watch Out for These Ongoing Bank of America Phishing Campaigns Targeting Customers in the US

July 16, 2021

3 min read
How to protect yourself against cyberstalking

How to protect yourself against cyberstalking

July 06, 2021

2 min read
The Top Five Security Risks Smartphone Users Face Today

The Top Five Security Risks Smartphone Users Face Today

July 02, 2021

4 min read
Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

Phishing Alert: Scammers Use Fake SharePoint and DocuSign Messages to Steal Users’ Login Credentials

July 02, 2021

3 min read
Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

Your Doxxing Dossier Will Keep Growing Thicker Until You See the Danger

June 30, 2021

2 min read
Mobile security threats: reality or myth?

Mobile security threats: reality or myth?

June 13, 2021

3 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Fraud Family cybercrime ring under the spotlight as arrests made in the Netherlands Fraud Family cybercrime ring under the spotlight as arrests made in the Netherlands
Graham CLULEY

July 23, 2021

3 min read
Homoglyph domains used in BEC scams shut down by Microsoft Homoglyph domains used in BEC scams shut down by Microsoft
Graham CLULEY

July 22, 2021

3 min read
China Sets Up New Worrying Vulnerability Disclosure Rules China Sets Up New Worrying Vulnerability Disclosure Rules
Silviu STAHIE

July 20, 2021

1 min read