Operators of websites running on the popular Joomla CMS have been alerted to a remote takeover risk following the discovery of a critical Joomla vulnerability. Approximately 2.8 million websites use the Joomla Content Management System, with the CMS second only to WordPress in terms of market share.

Joomla version 3.4.5 has now been released and contains a patch to plug the security hole that has existed for close to two years, although any site still running on previous versions will be particularly vulnerable to attack. Should a hacker successfully exploit the vulnerability, it would be able to obtain administrator privileges for the website, allowing full control to be handed over to the hacker. It would be possible for all data and content to be stolen and for the owner of the website and all other site users to be locked out.

The vulnerability, discovered by Trustwave SpiderLabs, affects version 3.2 and above and can be exploited using a hacking technique known as SQL injection. All users of versions 3.2 to 3.4.4 are at risk since this critical Joomla vulnerability affects as core module of the CMS, not an extension. Two other security flaws were also patched by the new release.

SQL injection is a common technique used by hackers to gain access to websites. The attacks are conducted by entering in SQL commands into text fields on the front end of website. These commands are misinterpreted by the web application. Instead of treating the input as plaintext, it is interpreted as executable code. As such, if the right commands are entered, the websites can be hijacked. Numerous cyberattacks have been successfully conducted using this very straightforward technique, including the recent hack of mobile and broadband provider TalkTalk.

Critical Joomla vulnerability can be used to gain access to the administrator control panel

Once access has been gained, files can be downloaded including confidential customer information. Since Joomla is used to create e-commerce websites, customers who have previously purchased products through Joomla websites could have their confidential information stolen.

This critical vulnerability can be exploited to extract a browser cookie which can be used to provide the attacker with administrator privileges. If that cookie is loaded into the browser, the hacker can gain access to the back end of the website and can access the administrator control panel. The code required to exploit the vulnerability has already been posted online.

It is therefore imperative that all administrators of Joomla sites update their website software immediately and patch the critical Joomla vulnerability in order to secure their sites.

The importance of updating software patches as soon as they are released

Zero-day vulnerabilities are frequently discovered in popular website applications and content management systems. A failure to install patches promptly leaves websites particularly vulnerable to attack. Code used to exploit the vulnerabilities can easily be found online, and is commonly shared by hackers, white hat and black hat – via online hacking and software development communities. Once an announcement has been made, there will be many amateur and professional hackers willing to exploit the vulnerability. Should that happen, data can be deleted, access rights changed, and customer data stolen.