The Joomla CMS project today released Joomla 3.7.1 to fix an SQL injection flaw that allows attackers to execute their own SQL statements on affected systems and take over vulnerable sites.
Sucuri analyst Marc-Alexandre Montpas discovered this flaw while performing regular audits of popular CMS projects to improve the Sucuri Web Application Firewall.
The bug is found in a new com_field component that was added to the Joomla frontend code in version 3.7.0. According to Montpas, this component uses parts of the code from an eponymous com_field component used for the Joomla backend.
The component lists data based on various URL parameters. As you may have guessed by now, Joomla doesn't sanitize some of these parameters before they reach the database query.
This wouldn't be a big issue if the component was used only in the backend, as an attacker would first need to get access to the admin panel in order to exploit this flaw.
Because the component is now available on the public-facing side of a Joomla site, an attacker only needs to craft a malicious URL, embed their own SQL statements in it, and access the URL.
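The pattern described above, a list view that takes its sort order from a URL parameter, is shown below in an added example that is not Joomla's code and does not reproduce the com_field component. It contrasts a builder that concatenates the raw parameter into ORDER BY with a hardened builder that parses the value, checks both column and direction against fixed allow-lists, and rebuilds the clause from the validated pieces. The table, column names and the tainted input are constructed for the example.

```python
import sqlite3

# Constructed sample table so the example runs offline (not Joomla's schema).
ROWS = [("alpha", 3), ("beta", 1), ("gamma", 2)]

# Columns the list view is actually allowed to sort by. Anything not in these
# allow-lists is rejected before it gets anywhere near the SQL text.
ALLOWED_ORDERING = {"title", "ordering"}
ALLOWED_DIRECTION = {"ASC", "DESC"}


def build_query_unsafe(order_param: str) -> str:
    """The vulnerable pattern: the request value is concatenated straight into
    ORDER BY, so whatever the client sends becomes part of the statement."""
    return "SELECT title, ordering FROM fields ORDER BY " + order_param


def build_query_safe(order_param: str) -> str:
    """Hardened pattern: split the request value into (column, direction),
    validate each part against a fixed allow-list, and build the clause from
    the validated tokens rather than from the raw input."""
    parts = order_param.strip().split()
    if len(parts) not in (1, 2):
        raise ValueError("malformed ordering parameter")
    column = parts[0]
    direction = parts[1].upper() if len(parts) == 2 else "ASC"
    if column not in ALLOWED_ORDERING or direction not in ALLOWED_DIRECTION:
        raise ValueError("ordering parameter not in allow-list")
    return f"SELECT title, ordering FROM fields ORDER BY {column} {direction}"


def run_safe(order_param: str) -> list:
    """Execute the hardened query against an in-memory table; return titles in order."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fields (title TEXT, ordering INTEGER)")
    conn.executemany("INSERT INTO fields VALUES (?, ?)", ROWS)
    rows = conn.execute(build_query_safe(order_param)).fetchall()
    conn.close()
    return [title for title, _ in rows]


def main():
    # Legitimate request: the hardened builder serves it normally.
    print(run_safe("ordering asc"))  # ['beta', 'gamma', 'alpha']

    # Constructed tainted value (a marker, not a working payload): the unsafe
    # builder embeds it verbatim, the hardened builder refuses it.
    tainted = "title; INJECTED"
    print(build_query_unsafe(tainted))
    try:
        build_query_safe(tainted)
    except ValueError as exc:
        print("rejected:", exc)


if __name__ == "__main__":
    main()
```

The allow-list approach is the one to reach for with identifiers such as column names and sort directions, since prepared-statement placeholders only cover values, not the structural parts of a query.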
This flaw is remotely exploitable and extremely easy to automate. Attackers can scan the Internet for Joomla sites running version 3.7.0, access a pre-defined URL, and load and execute their code.
An exploit like this could be used in Internet-wide mass defacements, for installing backdoors, or for inserting ads and hidden redirects.
More details are available in an article Montpas published on the Sucuri blog. For the time being, there is no proof-of-concept exploitation code available, but we expect to see the first examples pop up online in a few hours. [UPDATE: Here it is!]
In October 2016, days after the Joomla Project released version 3.6.4 that fixed an issue that allowed the creation of rogue admin accounts, attackers were already scanning the web for vulnerable websites.
At the time, Sucuri Founder and CTO Daniel Cid said that after less than a week, "any Joomla! site that has not been updated is most likely already compromised."
This SQL injection flaw (CVE-2017-8917) is as dangerous as the October 2016 vulnerability (CVE-2016-9838), albeit more limited in scope, as it only affects version 3.7.0. Cid's statement is still valid, as SQL injection vulnerabilities give attackers a way to reach deep inside a website's core.
The Joomla Project knew of the bug's importance and severity, which is why it tried to raise awareness of the issue last week by publishing a security alert about the important security update it released today. If you have a Joomla site, do yourself a favor and patch it now, before it's taken over by some blackhat SEO spammer.
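Since the article states that only version 3.7.0 is affected, the first thing a site owner or administrator with several installs wants is an inventory of which ones still run that release. The following is an added example, not a Joomla tool: it reads the version constants that Joomla 3.x keeps in `libraries/cms/version/version.php` (that file path and the `RELEASE`/`DEV_LEVEL` constant names are an assumption about the 3.x layout; adjust them if your install differs) and reports whether each install is on the affected release. The sample PHP source is constructed for the example.

```python
import re
import sys
from pathlib import Path

# Constructed stand-in for the constants found in Joomla 3.x's
# libraries/cms/version/version.php (assumed layout, see lead-in).
SAMPLE_VERSION_PHP = """<?php
class JVersion
{
    const RELEASE = '3.7';
    const DEV_LEVEL = '0';
    const DEV_STATUS = 'Stable';
}
"""

AFFECTED = {"3.7.0"}   # the only release the article names as vulnerable
FIXED = "3.7.1"        # the release that ships the fix
VERSION_FILE = Path("libraries") / "cms" / "version" / "version.php"  # assumed path


def parse_joomla_version(php_source: str) -> str:
    """Extract RELEASE and DEV_LEVEL from the version file and join them
    into the usual dotted form, e.g. '3.7' + '0' -> '3.7.0'."""
    release = re.search(r"const\s+RELEASE\s*=\s*'([^']+)'", php_source)
    level = re.search(r"const\s+DEV_LEVEL\s*=\s*'([^']+)'", php_source)
    if not release or not level:
        raise ValueError("RELEASE/DEV_LEVEL constants not found")
    return f"{release.group(1)}.{level.group(1)}"


def is_affected(version: str) -> bool:
    """True when the install is on the release the article names as vulnerable."""
    return version in AFFECTED


def check_install(root: str) -> tuple:
    """Return (version, affected) for the Joomla install rooted at `root`."""
    version = parse_joomla_version((Path(root) / VERSION_FILE).read_text())
    return version, is_affected(version)


def main(roots):
    # Usage: python check_joomla.py /var/www/site1 /var/www/site2 ...
    for root in roots:
        try:
            version, affected = check_install(root)
        except (OSError, ValueError) as exc:
            print(f"{root}: could not determine version ({exc})")
            continue
        status = f"AFFECTED, update to {FIXED}" if affected else "not the affected release"
        print(f"{root}: Joomla {version}: {status}")


if __name__ == "__main__":
    main(sys.argv[1:])
```

Run it against the document roots of every Joomla site you manage; any install reported as affected should be updated to 3.7.1 before anything else.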
Image credit: Open Source Matters, Inc.