The open-source content management framework Joomla pushed out version 3.2.3 of its product last week, fixing a SQL injection zero-day vulnerability that could have let attackers steal information from databases or insert code into sites running the CMS.
While little is being disclosed by Joomla, according to a security notice on its site the problem carried a high severity rating and affected versions 3.1.0 through 3.2.2 of the CMS before being patched on Thursday.
According to researchers at security firm Sucuri the SQL injection vulnerability may be linked to an exploit discovered last month involving weblinks-categories id. The exploit appears to have “not escaped properly,” according to Sucuri’s CTO Daniel Cid. Cid goes on to reference the exploit-db.com description, writing that the vulnerability “seems very easy to exploit.”
Another write-up of the vulnerability, over at scip VulDB, claims the problem is not only easy to exploit but also that it can be launched remotely and without authentication.
“Affected by this issue is an unknown function of the file /index.php/weblinks-categories. The manipulation of the argument id with the input value 0%20%29%20union%20select%20password%20from%20%60k59cv_users%60%20–%20%29 leads to a sql injection vulnerability. Impacted is confidentiality, integrity, and availability,” reads part of the vulnerability summary.
On the release announcement for version 3.2.3 Joomla’s Production Leadership Team writes that its goal is to provide “regular, frequent updates,” to Joomla.
The fact that it took over a month to fix surprised Cid however.
“What really shocked us is that Joomla took almost a month to release a patch for it.” Cid told PCWorld yesterday.
The Joomla update, which developers are encouraging users apply immediately, also addresses two medium severity core XSS vulnerabilities that also stem from “inadequate escaping” along with a problem with inadequate checking in that allowed unauthorized logins via Joomla’s Gmail login module.
Joomla was last forced to patch a zero day last August after attackers were spotted abusing sites running Joomla or WordPress, taking them over and redirecting users to the Blackhole Exploit Kit.
At the time it discovered the vulnerability, security firm Versafe reported that 57 percent of the attacks it had seen that year came from sites hosted on Joomla’s CMS.