
For eight years, hackers have been able to exploit this password-stealing flaw in Joomla

Graham CLULEY

September 25, 2017


For the last eight years a critical vulnerability has lurked within the code of the Joomla CMS which could have allowed malicious hackers to steal every user’s login credentials – including those belonging to administrators.

A CMS is the content management system – a piece of software which manages all of the content on your website, ensuring that visitors get to see the webpages and images that they're expecting to see. As such, for many companies, a CMS is an essential part of how they deliver content to customers.

For that reason, it’s really important that you keep your website’s CMS patched against the latest discovered vulnerabilities.

The serious security hole, which was patched in version 3.8 of Joomla released last week, was disclosed by researchers at German security firm RIPS Tech.

A previously unknown injection vulnerability exists in Joomla's LDAP (Lightweight Directory Access Protocol) authentication code. Because affected versions of the software do not properly sanitise user input, the vulnerability can be exploited through a website's CMS login page, as the researchers explain:

The lack of input sanitization of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.

A successful attack can lead to hackers stealing administrator login credentials, and gaining complete control over a website.
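The core of the problem described above is a username that is interpolated into an LDAP search filter without escaping. The following is an added illustration, not Joomla's own code and not RIPS Tech's analysis: a Python sketch (Joomla itself is written in PHP, where the equivalent fix is ldap_escape() with LDAP_ESCAPE_FILTER) that builds the same filter both ways, runs each against a small constructed directory using a deliberately minimal filter evaluator, and shows why an unescaped wildcard changes the result set. The directory entries, the uid attribute, and the plaintext passwords are assumptions made for the demo only.

```python
import re

# Constructed sample directory for the demo (not real data). Passwords are kept in
# clear text only to keep the example small; a real deployment would bind to LDAP.
DIRECTORY = [
    {"uid": "admin", "password": "s3cret-admin"},
    {"uid": "alice", "password": "alice-pw"},
    {"uid": "bob", "password": "bob-pw"},
]

# RFC 4515 escapes for the characters with special meaning inside a filter value.
# This is what PHP's ldap_escape($value, '', LDAP_ESCAPE_FILTER) produces.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_ldap_filter_value(value: str) -> str:
    """Escape every filter metacharacter so the value is matched literally."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """The vulnerable pattern: raw user input interpolated into the filter."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """The hardened pattern: the same filter built from the escaped value."""
    return f"(uid={escape_ldap_filter_value(username)})"


# A tiny evaluator for single equality filters, just enough to show the difference.
_EQUALITY = re.compile(r"\((\w+)=([^()]*)\)")
_TOKEN = re.compile(r"\\([0-9a-fA-F]{2})|(\*)|(.)", re.S)


def _value_to_regex(value: str) -> "re.Pattern":
    """Translate a filter value into a regex: an unescaped '*' is a wildcard,
    a '\\xx' escape decodes to the literal character."""
    parts = []
    for hexpair, star, literal in _TOKEN.findall(value):
        if hexpair:
            parts.append(re.escape(chr(int(hexpair, 16))))
        elif star:
            parts.append(".*")
        else:
            parts.append(re.escape(literal))
    return re.compile("".join(parts), re.S)


def search(directory, ldap_filter: str):
    """Return the entries matched by a filter of the form '(attr=value)'.
    Compound filters are out of scope for this demo and are rejected."""
    m = _EQUALITY.fullmatch(ldap_filter)
    if m is None:
        raise ValueError(f"unsupported filter: {ldap_filter}")
    attr, value = m.group(1), m.group(2)
    pattern = _value_to_regex(value)
    return [e for e in directory if pattern.fullmatch(str(e.get(attr, "")))]


def matching_uids(username: str, safe: bool):
    """uids returned for a login attempt with the given username, under each builder."""
    build = build_filter_safe if safe else build_filter_unsafe
    return [e["uid"] for e in search(DIRECTORY, build(username))]


def authenticate(username: str, password: str):
    """Hardened lookup: escaped filter, exactly one match required, and a single generic
    error message so the response does not reveal whether the username matched."""
    entries = search(DIRECTORY, build_filter_safe(username))
    if len(entries) != 1 or entries[0]["password"] != password:
        return False, "Invalid username or password"
    return True, ""


if __name__ == "__main__":
    for name in ["alice", "*", "adm*"]:
        print(f"{name!r:8} unsafe -> {matching_uids(name, False)}  safe -> {matching_uids(name, True)}")
    print(authenticate("adm*", "anything"))
    print(authenticate("alice", "alice-pw"))
```

Running the block shows the unsafe builder returning every entry for a username of "*" and the administrator entry for "adm*", while the escaped builder returns nothing for either, since the wildcard is now a literal character. The uniform error message in authenticate() addresses the second half of the researchers' description: with one message for "no such user", "several users" and "wrong password", the login page stops acting as an oracle for the filter's result set.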

Joomla is one of the world’s most popular content management systems, and is used by millions of websites. As a result, any vulnerability that could lead to administrator passwords being leaked should be considered extremely alarming. What makes the discovery even more shocking, however, is that it has been possible for hackers to exploit the flaw since Joomla version 1.5, released eight years ago.

Joomla is open source software, and is regularly reviewed for security holes – and yet no-one found this critical flaw until now. The idea of open source software, being available for anyone to review and check for vulnerabilities, is a great one. But just because anyone can hunt for security holes in 500,000 lines of code doesn't mean that every bug will be found – or that critical vulnerabilities that could lead to your entire website being compromised will be uncovered in a timely fashion.

Thankfully, in this case, Joomla confirmed and then fixed the vulnerability in a timely fashion after researchers told them about it. You can do your bit to reduce the risk of your site being compromised by updating to the latest version of your CMS, and ensuring that you keep a close eye in the future on emerging security issues.

It’s just a shame that it took eight years for this Joomla security hole to be discovered, and that we’ll never know if malicious hackers exploited it in the meantime.
