This alert was sent to U-M IT staff groups on October 27, 2015.
This message is intended for U-M IT staff who are responsible for university websites that use the Joomla content management system.
The Joomla team has released a new Joomla version (3.4.5) to fix several serious security vulnerabilities. The most critical one allows a remote unauthenticated attacker to take full control of a vulnerable website. Attackers are actively exploiting this vulnerability, and attacks are being detected at U-M. If you are responsible for an installation of Joomla, update it immediately.
This vulnerability affects websites using the Joomla content management system, versions 3.2 through 3.4.4.
Update to Joomla version 3.4.5 immediately. You can download the update from the Joomla website. See Joomla! 3.4.5 Released.
The Joomla team recommends looking at web server logs to try to find signs of this attack. A search for “option=com_contenthistory&view=history” in web server log files should help you detect possible attacks. Note that blocking only GET requests that contain this string will not completely prevent attacks, because attacks can also happen via POST.
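The log search described above, as an added example (not code from the Joomla team or from this alert): a Python scan that matches the two parameters regardless of their order, letter case or URL-encoding, which a literal string search would miss. The function names and the sample log lines (common log format) are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Request part of a common/combined access-log line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def is_contenthistory_request(target):
    """True if the query string carries option=com_contenthistory and view=history."""
    query = target.partition("?")[2]
    # parse_qs percent-decodes names and values, so encoded variants still match
    params = parse_qs(query, keep_blank_values=True)
    options = [value.lower() for value in params.get("option", [])]
    views = [value.lower() for value in params.get("view", [])]
    return "com_contenthistory" in options and "history" in views

def scan(lines):
    """Return (line_number, method, client) for each matching log line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if match and is_contenthistory_request(match.group("target")):
            client = line.split(" ", 1)[0]
            hits.append((number, match.group("method"), client))
    return hits

# Constructed sample log lines (documentation IP ranges, no real traffic)
SAMPLE = [
    '203.0.113.5 - - [26/Oct/2015:10:00:01 -0400] "GET /index.php?option=com_contenthistory&view=history&x=1 HTTP/1.1" 200 512',
    '203.0.113.5 - - [26/Oct/2015:10:00:02 -0400] "GET /index.php?view=history&option=com_contenthistory HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Oct/2015:10:00:03 -0400] "GET /index.php?option=com%5Fcontenthistory&view=history HTTP/1.1" 200 512',
    '192.0.2.10 - - [26/Oct/2015:10:00:04 -0400] "GET /index.php?option=com_content&view=article&id=7 HTTP/1.1" 200 9001',
    '198.51.100.7 - - [26/Oct/2015:10:00:05 -0400] "POST /index.php?option=com_contenthistory&view=history HTTP/1.1" 200 512',
    '198.51.100.7 - - [26/Oct/2015:10:00:06 -0400] "POST /index.php HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for number, method, client in scan(SAMPLE):
        print(f"line {number}: {method} from {client}")
```

Parameters sent in a POST body are not recorded in standard access logs (the last sample line shows such a request), so an empty result does not rule out an attack.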
If you are running a vulnerable version of Joomla and see signs of this attack or suspect that your web site has been compromised, please contact email@example.com.
Exploitation of the SQL injection vulnerability in the com_contenthistory module, which is included by default, allows an attacker to take full control of vulnerable websites. Exploitation can be performed remotely without authentication. Attackers are actively exploiting this vulnerability, and attacks are being detected at U-M.
This vulnerability was discovered by the Trustwave team, and they have published a document explaining it in detail: Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access.
People browsing the web do not need to do anything out of the ordinary because of the Joomla vulnerability. In general, the best protection for your devices is this: keep your software and apps up-to-date, do not click suspicious links in email, do not open email attachments unless you are expecting them and trust the person who sent them, and only use secure, trusted networks. For more information, see Spam, Phishing, and Suspicious Email, Instructions for Securing Your Devices and Data, and Use a Secure Internet Connection on the U-M Safe Computing website.
Please contact firstname.lastname@example.org.
- Joomla! 3.4.5 Released (Joomla website, 10/22/15)
- Joomla SQL Injection Attacks in the Wild (Sucuri Blog, 10/26/15)
- Joomla SQL Injection Vulnerability Exploit Results in Full Administrative Access (Trustwave, SpiderLabs Blog, 10/22/15)