Trustwave SpiderLabs researcher Asaf Orpani has discovered an SQL injection vulnerability in versions 3.2 through 3.4.4 of Joomla, a popular open-source Content Management System (CMS). Combining that vulnerability with other security weaknesses, our Trustwave SpiderLabs researchers are able to gain full administrative access to any vulnerable Joomla site.
Joomla had a 6.6 percent share of the market for website CMSs as of October 20, 2015 according to W3Techs—second only to WordPress. Internet services company BuiltWith estimates that as many as 2.8 million websites worldwide use Joomla.
Ciptor recommends that you upgrade immediately to Joomla 3.4.5. Please note that this vulnerability is only exploitable while an administrator is logged into the site. If you must delay your upgrade, log out of any administrator accounts not in use. In addition, if you must log in as administrator, do so for only short periods of time.
The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
Trustwave WAF's "Blind SQL Injection" rule detects this attack provided the rule is enabled. A dedicated, fine-tuned rule will be issued in an upcoming signature update (CorSigs 4.39).
If it's enabled, ModSecurity Commercial Rule Set rule 95007 blocks attempts to exploit this vulnerability. For Commercial Rule Set customers, a virtual patch will also be issued soon.