For the last eight years a critical vulnerability has lurked within the code of the Joomla CMS which could have allowed malicious hackers to steal every user’s login credentials – including those belonging to administrators.
A CMS is the content management system – a piece of software which manages all of the content on your website, ensuring that visitors get to see the webpage and images that they’re expecting to see. As such, for many companies, a CMS is an essential part of how they deliver content to customers.
For that reason, it’s really important that you keep your website’s CMS patched against the latest discovered vulnerabilities.
A previously unknown injection vulnerability exists in Joomla’s LDAP (Lightweight Directory Access Protocol) authentication code. Because affected versions of the software does not properly sanitise user input, the vulnerability can be exploited through a website’s CMS login page, as the researchers explain:
The lack of input sanitization of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.
A successful attack can lead to hackers stealing administrator login credentials, and gaining complete control over a website.
Joomla is one of the world’s most popular content management systems, and is used by millions of websites. As a result, any vulnerability that could lead to administrator passwords being leaked should be considered extremely alarming. What makes the discovery even more shocking, however, is that it has been possible for hackers to exploit the flaw since Joomla version 1.5, released eight years ago.
Joomla is open source software, and is regularly reviewed for vulnerabilities for security holes – and yet no-one found this critical flaw until now. The idea of open source software, being available for anyone to review and check for vulnerabilities, is a great one. But just because anyone can hunt for security holes in 500,000 lines of code doesn’t mean that every bug will be found – or that critical vulnerabilities that could lead to your entire website being compromised will be uncovered in a timely fashion.
Thankfully, in this case, Joomla confirmed and then fixed the vulnerability in a timely fashion after researchers told them about it. You can do your bit to reduce the risk of your site being compromised by updating to the latest version of your CMS, and ensuring that you keep a close eye in the future on emerging security issues.
It’s just a shame that it took eight years for this Joomla security hole to be discovered, and that we’ll never know if malicious hackers exploited it in the meantime.