Qualys Blog

www.qualys.com
Jerome Clauzade

Protect Against the Joomla SQL Injection Vulnerability

A few days ago, SpiderLabs researcher Asaf Orpani disclosed a serious vulnerability in Joomla, one of the most popular Content Management Systems (CMS). By exploiting this vulnerability, researchers were able to remotely gain full administrative access to the CMS.

Joomla versions 3.2 to 3.4.4 are affected by this major security issue. Since the vulnerability lies in the core of the CMS, every Joomla-based website is vulnerable, regardless of which modules are installed.

Vulnerabilities discovered by Orpani are:

  • CVE-2015-7297
  • CVE-2015-7857
  • CVE-2015-7858

Like WordPress did when its market-leading CMS was exposed to multiple vulnerabilities, Joomla has reacted by quickly publishing a security fix release, version 3.4.5, which we encourage you to apply immediately.

What that story doesn’t tell is whether Orpani was the first to discover the vulnerability or whether it had already been exploited. With a 9 percent share of the CMS market, Joomla powers around 2.8 million web applications and websites, so a great many sites would be exposed if a malicious hacker had already discovered this vulnerability.

The Role of Qualys WAF

Qualys Web Application Firewall (WAF) users are already protected, since this exploit relies on generic SQL injection, which the WAF already recognizes and blocks. This holds not only for this vulnerability but for many others as well, because a large number of web exploits are based on well-known attack vectors such as SQL Injection and Cross-Site Scripting, against which Qualys WAF provides protection automatically.
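As an added illustration of the generic detection described above (example code written for this post, not Qualys WAF's rules or code): a minimal signature check that URL-decodes each untrusted request field, then flags classic SQL-injection constructs. The signatures, field names and sample requests are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus
from typing import Dict, List, Tuple

# Illustrative signatures for generic SQL-injection techniques (tautologies,
# UNION-based extraction, stacked queries, comment truncation, timing functions).
# Constructed for this example; real WAF rule sets are far larger and tuned to
# keep false positives (e.g. a harmless "--" in free text) under control.
SQLI_SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("tautology",     re.compile(r"""['"]\s*or\s+['"]?\w+['"]?\s*=\s*['"]?\w+""", re.I)),
    ("union-select",  re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    ("stacked-query", re.compile(r";\s*(drop|delete|insert|update|alter)\b", re.I)),
    ("comment-trunc", re.compile(r"(--|/\*|\*/)")),
    ("timing-func",   re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
]


def normalize(value: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads do not slip past the signatures."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(fields: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (field, signature) pairs for every untrusted input matching a signature.

    A WAF applies the same checks to query parameters, form fields, cookies and
    headers alike, since any of them may end up inside a database query.
    """
    hits: List[Tuple[str, str]] = []
    for name, raw in fields.items():
        value = normalize(raw)
        for sig_name, pattern in SQLI_SIGNATURES:
            if pattern.search(value):
                hits.append((name, sig_name))
    return hits


# Constructed sample requests (not real traffic): one benign, two hostile.
BENIGN = {"option": "com_content", "view": "article", "id": "42", "User-Agent": "Mozilla/5.0"}
HOSTILE_PARAM = {"id": "42 UNION SELECT 1,2,3"}
HOSTILE_ENCODED = {"filter": "%2527%2520or%2520%25271%2527%253D%25271"}  # double-encoded ' or '1'='1

if __name__ == "__main__":
    for label, req in (("benign", BENIGN), ("param", HOSTILE_PARAM), ("encoded", HOSTILE_ENCODED)):
        print(label, "->", inspect_request(req) or "allowed")
```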

As a best practice, we always encourage you to actively protect your web applications from this kind of attack by applying the relevant patch, in this case from Joomla. In all cases, the CMS, and more generally every web application, has to be kept up to date to benefit from the latest security fixes.

Qualys Web Application Firewall therefore not only protects your applications from attacks executed via known exploits, and via undisclosed ones as well; it also buys you and your security operations team time to upgrade and patch your applications.
