The Hacker News Logo
Subscribe to Newsletter

Latest Joomla 3.7.1 Release Patches Critical SQL Injection Attack

joomla-sql-injection-patch-security-update
If your website is based on the popular Joomla content management system, make sure you have updated your platform to the latest version released today.

Joomla, the world's second popular open source Content Management System, has reportedly patched a critical vulnerability in its software’s core component.

Website administrators are strongly advised to immediately install latest Joomla version 3.7.1, released today, to patch a critical SQL Injection vulnerability (CVE-2017-8917) that affects only Joomla version 3.7.0.

Inadequate filtering of request data leads to a SQL Injection vulnerability.” release note says.

The SQL Injection vulnerability in Joomla 3.7.0 was responsibly reported by Marc-Alexandre Montpas, a security researcher at Sucuri last week to the company.
joomla-sql-injection-attack

According to the researcher, 'The vulnerability is easy to exploit and doesn’t require a privileged account on the victim’s site,' which could allow remote hackers to steal sensitive information from the database and gain unauthorized access to websites.

The SQL Injection vulnerability originates from a com_fields parameter, which was introduced in version 3.7.
/index.php?option=com_fields&view=fields&layout=modal
"So in order to exploit this vulnerability, all an attacker has to do is add the proper parameters to the URL in order to inject nested SQL queries." the researcher says.

Joomla 3.7.0 Proof-of-Concept Exploit:

http://target-joomla-website.com/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x3e,user()),0)
Since hackers would not take much time to exploit this vulnerability against millions of websites, you are advised to download the latest version of Joomla for your website and inform others about the release of critical patch update as well.

Have something to say about this article? Comment below or share it with us on Facebook, Twitter or our LinkedIn Group.
SHARE
Comments
Latest Stories
Best Deals

Newsletter — Subscribe for Free

Join over 500,000 information security professionals — Get the best of our cyber security coverage delivered to your inbox every morning.