Zero-Day Disclosed for Old CMS – Proof-of-Concept Code Available Online
Details of a flaw in older versions of the Joomla content management system (CMS), a common web-based software for creating and managing websites, were posted online last week.
The bug was discovered by Alessandro Groppo, an Italian security researcher at Hacktive Security. It affects all versions of Joomla released from late September 2012 to mid-December 2015, from 3.0.0 to 3.4.6.
The vulnerability is easy to exploit, and proof-of-concept attack code has been published online.
It is a PHP object injection that, under certain conditions, can lead to remote code execution (RCE). For example, it can be exploited through the Joomla CMS login form, allowing attackers to execute code on the website's underlying database.
Similar to an older Joomla zero-day from 2015
Groppo said the vulnerability is similar to, although not linked to, CVE-2015-8562, another PHP object injection that could lead to remote code execution.
CVE-2015-8562 is a commonly exploited Joomla vulnerability that is still being exploited today. In December 2015, when the vulnerability was found, hackers used it in the wild to take over websites.
The difference between Groppo’s finding and the 2015 vulnerability is that Groppo’s bug affects only Joomla 3.x versions, and therefore a smaller number of Joomla sites, whereas CVE-2015-8562 affected all Joomla versions available at the time: 1.5.x, 2.x, and 3.x.
Furthermore, although it affects a smaller number of sites, Groppo’s vulnerability has a broader impact because it is “completely separate from the [server] environment,” whereas the older bug only worked against servers running PHP versions before 5.4.45, 5.5.29 and 5.6.13.
The good news is that the issue at the root of Groppo’s zero-day appears to have been addressed by the patch for CVE-2015-8562.
Most website owners run obsolete CMS versions because of module or theme incompatibilities that can break the site; however, they do not have to update to the latest release to be protected, although that would be a much better solution.
Every Joomla release from 3.4.7 onward is patched against the attack. The current version of Joomla is 3.9.12.
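The version ranges above can be turned into a quick inventory triage. The following Python script is an added example, not code from the article or from Groppo's write-up; the inventory, host names, status labels and the handling of PHP branches outside 5.4 to 5.6 are assumptions.

```python
import re

# Version boundaries exactly as the article states them.
ZERO_DAY_RANGE = ((3, 0, 0), (3, 4, 6))   # affected by the new zero-day
FIRST_PATCHED = (3, 4, 7)                 # this release and later are patched
# PHP releases the article gives as the cut-off for CVE-2015-8562, by branch.
PHP_CUTOFF = {(5, 4): (5, 4, 45), (5, 5): (5, 5, 29), (5, 6): (5, 6, 13)}

def parse_version(text):
    """Leading dotted number of a version string as a 3-tuple, e.g. '3.4.6-rc1' -> (3, 4, 6)."""
    match = re.match(r"\s*v?(\d+(?:\.\d+){0,2})", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    parts = [int(p) for p in match.group(1).split(".")]
    return tuple(parts + [0] * (3 - len(parts)))

def php_before_cutoff(php):
    """True if this PHP build predates the cut-off release of its branch."""
    cutoff = PHP_CUTOFF.get(php[:2])
    if cutoff is not None:
        return php < cutoff
    # Assumption: branches older than 5.4 count as 'before', newer ones as 'after'.
    return php < (5, 4, 0)

def triage(joomla, php):
    """Classify one site against the two bugs the article describes."""
    j, p = parse_version(joomla), parse_version(php)
    if j >= FIRST_PATCHED:
        return "patched"
    if ZERO_DAY_RANGE[0] <= j <= ZERO_DAY_RANGE[1]:
        return "zero-day"             # PHP version is irrelevant for this bug
    if (1, 5, 0) <= j < (3, 0, 0):    # 1.5.x and 2.x: only the 2015 bug applies
        return "cve-2015-8562" if php_before_cutoff(p) else "old-branch"
    return "unknown"                  # outside the ranges the article covers

# Constructed inventory: (site, Joomla version, PHP version).
INVENTORY = [
    ("shop.example", "3.4.6", "7.2.24"),
    ("blog.example", "3.9.12", "7.3.11"),
    ("intranet.example", "2.5.28", "5.4.16"),
    ("archive.example", "1.5.26", "5.6.40"),
]

def report(inventory=INVENTORY):
    """Map each site in the inventory to its triage status."""
    return {site: triage(j, p) for site, j, p in inventory}

if __name__ == "__main__":
    for site, status in report().items():
        print(f"{site:18} {status}")
```

Sites reported as `zero-day` or `cve-2015-8562` are the ones to upgrade first; `old-branch` marks a 1.5.x or 2.x install whose PHP build is at or past the cut-off the article gives for the 2015 bug.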
Groppo’s zero-day has not been assigned a CVE identifier. Below is a video of the zero-day in action. A technical explanation is available on Groppo’s website, and the proof-of-concept code was posted last week on Exploit-DB.