
Millions of websites at risk as high-severity Joomla security flaw discovered. Update now


If you’re running a website of any size there is a good chance that you are using a content management system (CMS).

A CMS is the piece of software which manages all of the content on your website, ensuring that visitors get to see the webpages and images that they’re expecting to see. As such, for many websites, a CMS is an essential part of how they deliver content to their visitors.

The CMS with the largest marketshare by far (over 50%) is WordPress – the platform which Hot for Security is running on – but next in line are Joomla and Drupal.

Although in second place, the free, open-source Joomla CMS software still powers millions of websites around the world.

Indeed, the tagline the software uses to promote itself is “Joomla! The CMS Trusted By Millions for their Websites.”


As a result of its popularity, it’s essential that website administrators keep Joomla updated and patched to help prevent hackers from exploiting security holes.

Version 3.6.5 of Joomla has just been released, addressing security issues and fixing some bugs.

The most important issue that Joomla 3.6.5 addresses is a privilege escalation flaw affecting all versions of Joomla from 1.6.0 through 3.6.4, which could allow a malicious attacker to modify existing user accounts, including resetting usernames, user group assignments and (gulp!) passwords.

The implication is that an attacker could even register a brand new account on the site they are targeting, escalate its privileges to give it ‘god-like’ (Super User) abilities on the site, and then upload a web shell to further compromise the server.
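To make the bug class concrete, the following is an added, constructed illustration of an account-update handler that trusts user-supplied fields (the record to edit, the group list, the password) next to a hardened version that does not. It is not Joomla's code and does not claim to reproduce the exact defect fixed in 3.6.5; the function, group and field names are invented for the demonstration.

```python
"""Constructed illustration of the privilege-escalation bug class discussed above:
an account-update handler that accepts 'id', 'groups' and 'password' from the
form. Added example, not Joomla's code; it does not reproduce the specific
Joomla 3.6.4 defect, and all names below are invented for the demonstration."""

from dataclasses import dataclass, field
import hashlib
import secrets

SUPER_USER = "Super Users"
REGISTERED = "Registered"

SELF_EDITABLE = {"name", "email"}                # anyone may change these on their own account
ADMIN_ONLY = {"username", "groups", "password"}  # only a Super User may set these, on any account


class Forbidden(Exception):
    """Raised by the hardened handler when the actor lacks the right to make a change."""


@dataclass
class User:
    id: int
    username: str
    name: str = ""
    email: str = ""
    groups: set = field(default_factory=lambda: {REGISTERED})
    password_hash: str = ""


def hash_password(password: str) -> str:
    """Salted PBKDF2-SHA256 so the example never stores a plaintext password."""
    salt = secrets.token_hex(8)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 100_000)
    return f"{salt}${digest.hex()}"


def apply_fields(target: User, form: dict) -> None:
    """Write the submitted fields onto the target record (no authorisation here)."""
    for key, value in form.items():
        if key == "id":
            continue
        if key == "groups":
            target.groups = set(value)
        elif key == "password":
            target.password_hash = hash_password(value)
        else:
            setattr(target, key, value)


def update_account_vulnerable(users: dict, actor_id: int, form: dict) -> User:
    """Vulnerable pattern: which record to edit, and every field written to it,
    come straight from the form. A Registered user can point 'id' at the
    administrator, or add 'groups' and 'password' to their own submission."""
    target = users[int(form.get("id", actor_id))]
    apply_fields(target, form)
    return target


def update_account_hardened(users: dict, actor_id: int, form: dict) -> User:
    """Hardened pattern: the target defaults to the authenticated user, unknown
    fields are rejected, and cross-account or privileged changes need Super User."""
    actor = users[actor_id]
    target_id = int(form.get("id", actor_id))
    unknown = set(form) - SELF_EDITABLE - ADMIN_ONLY - {"id"}
    if unknown:
        raise ValueError(f"unexpected fields: {sorted(unknown)}")
    is_admin = SUPER_USER in actor.groups
    if not is_admin and (target_id != actor_id or set(form) & ADMIN_ONLY):
        raise Forbidden("only a Super User may edit other accounts or privileged fields")
    target = users[target_id]
    apply_fields(target, form)
    return target


def make_site() -> dict:
    """Constructed sample data: one administrator and one freshly registered user."""
    return {
        1: User(1, "admin", groups={SUPER_USER}, password_hash=hash_password("correct horse")),
        2: User(2, "newuser"),
    }


def escalation_attempt(handler) -> tuple:
    """The attack the article describes: a brand-new account tries to promote
    itself and then to reset the administrator's password.
    Returns (attacker's groups afterwards, whether the admin hash changed)."""
    users = make_site()
    admin_hash_before = users[1].password_hash
    for form in ({"groups": [SUPER_USER], "password": "owned"},
                 {"id": 1, "password": "owned"}):
        try:
            handler(users, 2, form)
        except Forbidden:
            continue
    return users[2].groups, users[1].password_hash != admin_hash_before


if __name__ == "__main__":
    print("vulnerable handler:", escalation_attempt(update_account_vulnerable))
    print("hardened handler:  ", escalation_attempt(update_account_hardened))
```

The fix is not a filter on "bad" values but a change of trust boundary: the target record is bound to the session, the writable field set is a whitelist, and any field that changes authorisation state (groups, password, username) is gated on the actor's own privilege before anything is written.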

With a vulnerability as bad as that, it’s easy to understand why Joomla is telling users to update their websites as soon as possible.

In fact, the chances are that malicious attackers are already searching the net looking for vulnerable sites.


The worry is, of course, that some websites may never be updated, making them easy pickings for malicious attackers.

If you run a website powered by Joomla, please take security seriously. Reduce the risk of your site being compromised by updating to the latest version of your CMS, and ensuring that you keep a close eye in the future on emerging security issues.
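For anyone administering more than one Joomla site, an added check (not from the original article) that reports which document roots are still on a version in the affected 1.6.0 through 3.6.4 range. It reads the core manifest at `administrator/manifests/files/joomla.xml`, which is the location assumed here; the sample manifest text embedded below is constructed.

```python
"""Added check, not part of the original article: classify Joomla document
roots by the version recorded in the core manifest, flagging the affected
range 1.6.0 through 3.6.4 described in the article. The manifest location is
an assumption; the sample manifest text is constructed for the demonstration."""

import re
import sys
from pathlib import Path
import xml.etree.ElementTree as ET

MANIFEST = Path("administrator") / "manifests" / "files" / "joomla.xml"  # assumed location
FIRST_AFFECTED = (1, 6, 0)
LAST_AFFECTED = (3, 6, 4)
FIXED = (3, 6, 5)

# Constructed sample in the shape of a core manifest, used when run without arguments.
SAMPLE_MANIFEST = """<extension version="3.6" type="file" method="upgrade">
    <name>files_joomla</name>
    <version>3.6.4</version>
    <description>FILES_JOOMLA_XML_DESCRIPTION</description>
</extension>
"""


def parse_version(manifest_text: str) -> tuple:
    """Return the numeric version from a manifest's <version> element, e.g. (3, 6, 4)."""
    root = ET.fromstring(manifest_text)
    version = root.findtext("version")
    if version is None:
        raise ValueError("manifest has no <version> element")
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(n) for n in match.groups())


def is_affected(version: tuple) -> bool:
    """True when the version falls inside the range the article says is affected."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def fmt(version: tuple) -> str:
    return ".".join(str(n) for n in version)


def classify_version(version: tuple) -> str:
    """One-line verdict for a parsed version."""
    if is_affected(version):
        return f"VULNERABLE {fmt(version)}: update to {fmt(FIXED)} or later"
    if version < FIRST_AFFECTED:
        return f"UNSUPPORTED {fmt(version)}: older than 1.6, no longer maintained"
    return f"ok {fmt(version)}"


def classify_root(docroot: Path) -> str:
    """Verdict for a directory that is expected to contain a Joomla install."""
    manifest = docroot / MANIFEST
    if not manifest.is_file():
        return f"skip: no manifest at {manifest}"
    try:
        version = parse_version(manifest.read_text(encoding="utf-8"))
    except (ET.ParseError, ValueError) as exc:
        return f"unreadable manifest at {manifest}: {exc}"
    return classify_version(version)


def main(argv: list) -> int:
    """Usage: python joomla_version_check.py /var/www/site1 /var/www/site2 ...
    With no arguments, classifies the constructed sample manifest instead."""
    if not argv:
        print("sample manifest:", classify_version(parse_version(SAMPLE_MANIFEST)))
        return 0
    worst = 0
    for arg in argv:
        verdict = classify_root(Path(arg))
        print(f"{arg}: {verdict}")
        if verdict.startswith("VULNERABLE"):
            worst = 1
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The exit status is non-zero when any root is flagged, so the script can sit in a cron job or a configuration-management run and fail loudly. Note that the manifest records the version that was installed, not whether a site is exploitable in practice; it is a patch-level check, not a substitute for reviewing user accounts and web-root contents on a site that sat unpatched after the advisory.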

About the author

Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.
