Joomla update fixes high risk bug that could lead to site compromise
The developer team behind the popular open-source content management system Joomla is urging users to update the software to the latest version – v3.3.6 (or v3.2.7 for those who still use Joomla 3.2) – as soon a possible.
The reason for the urgency is that this update resolves two security issues, one of which is considered high priority, as it could allow attackers to compromise the user’s website and extract data.
The vulnerability was discovered and reported by Johannes Dahse of Horst G?¶rtz Institute for IT-Security (HGI), Ruhr-University Bochum, Germany, and affects Joomla 2.5, 3.0, 3.1, 3.2, 3.3 up to and including 3.3.4.
It also affects several backup software created by Akeeba, because all of them use Akeeba Restore (restore.php) to extract backup archives and update packages of the ZIP, JPA and JPS format.
“In order to protect from abuse by third parties the restore.php file won’t work until the software it’s used with generated a file called restoration.php. That file contains a cryptographic key which is used to authenticate the commands sent to restore.php,” the Akeeba team explained.
The bug in restore.php appears and can be exploited only when restoration.php is present, they note, and that’s why attackers can only exploit it while a backup or update archive is being extracted on the user’s site.
Several other conditions (more details here) have to be simultaneously met to perform the attack successfully, so the likelihood of an attack is not high. “However, this security issue can be used for targeted attacks against valuable targets,” they pointed out.
Joomla users and those using one of Akeeba’s backup and update software (also those for WordPress) would do well to update quickly. The Joomla update also includes a fix for a DoS vulnerability (also discovered and reported by Johannes Dahse).