Last week, Trustwave SpiderLabs discovered a SQL injection vulnerability exploit in widely popular web content management software (CMS) Joomla that allowed for access to administrative areas. Shortly thereafter, Open Source Matters, Inc., developers of Joomla, released version 3.4.5 to address this issue. Administrators are urged to upgrade immediately to seal up the vulnerability. The exploit affects Joomla versions 3.2.0 through 3.4.4.

By using a specially crafted attack against a vulnerable Joomla server an attacker can gain administrative access.

According to W3Techs, Joomla currently represents 6.6 percent of the CMS market, which is estimated to be over 2.8 million websites—second only in popularity to blogging software WordPress. This makes the software a broad target for hackers and automated malicious software.

A SQL injection exploit works by submitting specially crafted malicious data to a website form or URL in an attempt to gain access to the database software. Poor sanitization of inputs from users can allow a clever attacker to execute commands on the server—from there the attacker can cause the application to reveal passwords (leading to password leaks), allow editing of code (permitting malicious code injection), or provide that attacker access to the system itself.

DB Networks, developer of continuous monitoring software for networks, noted that in 2014 SQL injection vulnerabilities saw an uptick after seeing a steady decline since 2011. Last year saw more vulnerabilities identified last year than in 2011 and an over 104 percent increase over 2013.

“These types of attacks have been around for close to two decades and it ranks as one of the top threats to organizations,” says SiliconANGLE Security Analyst John Casaretto. ”One of the problems is that it’s easily executed through a web application. Attacks can steal data and some cases, it can inject code. Some of the largest data breaches can be tracked to SQL injection, which tells you all you need to know about the scale and seriousness.”

SQL injection is a common method of entry for hackers. In 2012, SQL injections began identified as one of the most popular methods for hackers seeking to deface websites—gaining ground on cross-site scripting and directory traversal, which had reached prominence—as hackers began to aim more for credit cards and financial information and less to deface websites. Not all hackers are as “playful” as LulzSec, a hacker group who used SQL injection to leak information from PlayStation Network in 2011.

Casaretto also warns: “The fact that it has turned up in a such a widely-used platform on the web is a major concern. We can expect a swarm of breaches if people don’t start patching now.”

In 2014, hackers believed to originate in Russia, used around SQL attacks to amass 1.2 billion user credentials to perpetrate what was called the “largest breach ever” at the time.

How the Joomla SQL injection exploit works

According to researchers at Trustwave SpiderLabs, the Joomla exploit works by passing along a SQL command via an HTTP request that calls for the administrator session ID to be returned. The administrative session ID appears amid error code displayed to the user by Joomla.

The administrative session ID can then be used to access the /administrator/ folder by placing that session ID into a cookie that is used to tell Joomla who is logged in—in this case the cookie tells Joomla that an administrator is logged in. At this point the attacker has administrative access to the Joomla application.

The sordid technical details of the entire exploit (and the underlying issues in code) can be viewed in the full SpiderLabs report.

Clients running Joomla can avoid this exploit entirely by upgrading to Joomla 3.4.5 or later today.

Featured image credit: Photo by Skley