Users of the Joomla content management system have been on a patching roller coaster the past 24 hours with one set of patches for critical vulnerabilities being pulled last night before being re-issued today.
The Joomla update, bringing the CMS up to version 3.3.6, is a security update addressing a high priority remote file inclusion vulnerability and a denial-of-service vulnerability of lesser severity, Joomla said.
The latest update was released at noon ET today, less than a day after a previous update was pulled back.
The company notified users that “a small technical issue” would require another release.
“It is not recommended to install or update to 3.3.5. and 2.5.26,” the company said in its advisory. Any users who had already updated would need to apply today’s version using the tool’s Extension Manager, Joomla said.
The remote file inclusion vulnerability is caused by inadequate checking which could allow for remote files to be executed, the company said. Versions 2.5.4 through 2.5.25 and earlier 3.x versions are affected, including 3.3.0 through 3.3.4.
While the remote file inclusion vulnerability puts hosted data at risk, it is only vulnerable to exploit under certain conditions, according to a security advisory from Akeeba Backup, which provides a backup extension for content management systems including Joomla and WordPress.
“It is possible for a remote attacker to extract a remotely hosted archive while you are extracting a backup archive / installing an update, depending on your server settings,” Akeeba Backup said in its advisory. “The attack is not possible at any other time.”
“Due to the special conditions required merely having the affected software installed does not make your site vulnerable,” the advisory said. “However, this security issue can be used for targeted attacks against valuable targets. It’s worth noting that this kind of attack does leave a remarkable audit trail in the server log files.”
The denial-of-service vulnerability isn’t as critical, Joomla said, adding that versions versions 2.5.4 through 2.5.25, 3.2.5 and earlier 3.x versions, 3.3.0 through 3.3.4 are affected.
Akeeba, in August, patched a vulnerability in its extension that could have allowed for remote downloads of site backups, passwords and other data, but again, certain conditions had to be in place for the attack to work.
The vulnerability was only present on Joomla websites that run Akeeba in “enable front-end and remote backup” mode and stems from a problem in the way a JSON API in the extension handled user authentication when an encrypted request was received.