
For eight years, hackers have been able to exploit this password-stealing flaw in Joomla

For the last eight years a critical vulnerability has lurked within the code of the Joomla CMS which could have allowed malicious hackers to steal every user’s login credentials – including those belonging to administrators.

A CMS is the content management system – a piece of software which manages all of the content on your website, ensuring that visitors get to see the webpage and images that they’re expecting to see. As such, for many companies, a CMS is an essential part of how they deliver content to customers.

For that reason, it’s really important that you keep your website’s CMS patched against the latest discovered vulnerabilities.

The serious security hole, which was patched in version 3.8 of Joomla released last week, was disclosed by researchers at German security firm RIPS Tech.

A previously unknown injection vulnerability exists in Joomla’s LDAP (Lightweight Directory Access Protocol) authentication code. Because affected versions of the software do not properly sanitise user input, the vulnerability can be exploited through a website’s CMS login page, as the researchers explain:

The lack of input sanitization of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.

A successful attack can lead to hackers stealing administrator login credentials, and gaining complete control over a website.
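To make the mechanism described above concrete, here is an added example (not Joomla’s code, and not a description of the fix Joomla shipped) showing why an unescaped username is dangerous in an LDAP filter and what the standard defence looks like. It builds the filter both ways, escapes the RFC 4515 metacharacters, runs each filter against a small constructed directory with a minimal wildcard-aware matcher, and includes a check a defender can run over login logs to flag usernames that carry filter metacharacters. The directory entries, the `uid` attribute name and all function names are assumptions for the example.

```python
import re

# RFC 4515 escaping for values placed inside an LDAP search filter.
# These are the characters that let a value change the filter's meaning.
LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally by the directory."""
    return "".join(LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    # The pattern the article describes: the username is interpolated verbatim,
    # so a '*' in it becomes a wildcard in the search.
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    # Same filter, but the value is escaped first; '*' now matches a literal asterisk.
    return f"(uid={escape_ldap_filter_value(username)})"


def contains_filter_metachars(username: str) -> bool:
    """Detection helper: flag login attempts whose username carries filter metacharacters."""
    return any(ch in username for ch in LDAP_FILTER_ESCAPES)


def _filter_value_to_regex(value: str) -> str:
    # Translate an LDAP assertion value into a regex: an unescaped '*' is a
    # wildcard, a '\XX' hex escape is the literal character it encodes.
    out = []
    i = 0
    while i < len(value):
        ch = value[i]
        hex_pair = value[i + 1:i + 3]
        if ch == "\\" and re.fullmatch(r"[0-9a-fA-F]{2}", hex_pair):
            out.append(re.escape(chr(int(hex_pair, 16))))
            i += 3
        elif ch == "*":
            out.append(".*")
            i += 1
        else:
            out.append(re.escape(ch))
            i += 1
    return "".join(out)


def ldap_search_uid(directory, ldap_filter: str):
    """Toy matcher for '(uid=VALUE)' filters; returns the uids the filter selects."""
    m = re.fullmatch(r"\(uid=(.*)\)", ldap_filter)
    if m is None:
        raise ValueError("unsupported filter for this toy matcher")
    pattern = re.compile(_filter_value_to_regex(m.group(1)), re.DOTALL)
    return [entry["uid"] for entry in directory if pattern.fullmatch(entry["uid"])]


# Constructed directory for the demonstration.
DIRECTORY = [{"uid": "admin"}, {"uid": "alice"}, {"uid": "bob"}]


if __name__ == "__main__":
    submitted = "a*"  # a username containing a wildcard, as in the article
    print(build_filter_unsafe(submitted), "->", ldap_search_uid(DIRECTORY, build_filter_unsafe(submitted)))
    print(build_filter_safe(submitted), "->", ldap_search_uid(DIRECTORY, build_filter_safe(submitted)))
    print("flag for review:", contains_filter_metachars(submitted))
```

Run stand-alone, the unsafe filter `(uid=a*)` selects both `admin` and `alice`, which is the result-set manipulation the researchers describe, while the escaped filter `(uid=a\2a)` selects nothing because no account is literally named `a*`. Real deployments should use the LDAP library’s own escaping routine (PHP’s `ldap_escape`, for instance) rather than a hand-written table, and `contains_filter_metachars` is a cheap log-side signal for login attempts that deserve a closer look.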

Joomla is one of the world’s most popular content management systems, and is used by millions of websites. As a result, any vulnerability that could lead to administrator passwords being leaked should be considered extremely alarming. What makes the discovery even more shocking, however, is that it has been possible for hackers to exploit the flaw since Joomla version 1.5, released eight years ago.

Joomla is open source software, and is regularly reviewed for security holes – and yet no-one found this critical flaw until now. The idea of open source software, being available for anyone to review and check for vulnerabilities, is a great one. But just because anyone can hunt for security holes in 500,000 lines of code doesn’t mean that every bug will be found – or that critical vulnerabilities that could lead to your entire website being compromised will be uncovered in a timely fashion.

Thankfully, in this case, Joomla confirmed and then fixed the vulnerability in a timely fashion after researchers told them about it. You can do your bit to reduce the risk of your site being compromised by updating to the latest version of your CMS, and ensuring that you keep a close eye in the future on emerging security issues.

It’s just a shame that it took eight years for this Joomla security hole to be discovered, and that we’ll never know if malicious hackers exploited it in the meantime.

About the author

Graham Cluley

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
