Immediate update to Joomla 3.4.5 necessary
If you haven't updated your Joomla 3 to the last security patch 3.4.5 your site is at big risk due to an SQL injection vulnerability that allows the exploiter to acquire full administrative access to your Joomla website.
The 15th of October, the Joomla Production Leadership (PLT) team was notified of the security issue by the internet security company SpiderLabs. The PLT started to work immediately on a fix and on the 16th announced a security patch by PLT member Jessica Dunbar
The official Joomla announcement said:
A Joomla 3.4.5 release containing a security fix will be published on Thursday 22nd October at approximately 14:00 UTC The Joomla Security Strike Team (JSST) has been informed of a critical security issue in the Joomla core.Since this is a very important security fix, please be prepared to update your Joomla installations next Thursday. Until the release is out, please understand that we cannot provide any further information.
The days before the release there was a big community effort to communicate the importance of this fix. The content of the package was kept secret to avoid as many hacks as possible. Finally, the patch fixing the three vulnerabilities detected was released yesterday, the 22th of October. The issues fixed according to the Joomla release announcement were:
Security Issues Fixedby Author
High Priority - Core - SQL Injection (affecting Joomla 3.2 through 3.4.4) More information
Medium Priority - Core - ACL Violations (affecting Joomla 3.2 through 3.4.4) More information
Medium Priority - Core - ACL Violations (affecting Joomla 3.0 through 3.4.4) More information
Unfortunately, the company that found the exploit, unveiled the full exploit just an hour after the patch release to the big surprise of PLT and community members.
Highly disappointed with @SpiderLabs . Responsible disclosure is not tweeting a full exploitation strategy just over an hour after release— George Wilson (@GW1992) October 22, 2015
I feel bad for the 1000s of Joomla! site owners living > GMT+3 who WILL get hacked because @SpiderLabs made full disclosure TOO EARLY.— Nic Dionysopoulos (@joovlaki) October 22, 2015
As soon as SpiderLabs published the exploit, community members and companies started to detect attacks:
Just saw the first attack attempt on joomla.de in the logs. Folks, really, you have to update NOW! https://t.co/JuXzN7igQw— David Jardin (@SniperSister) October 22, 2015
We are already seeing exploits in the wild against the new Joomla SQLi vulnerability: https://t.co/7sWUrFjlgA— Daniel Cid (@danielcid) October 22, 2015
Security company Sucuri recommends
[...] looking at your web logs to try to find signs of this attack. If you search for "option=com_contenthistory&view=history" you should be able to find possible attacks against your site. Note that blocking this requests only via GET requests are not enough, since they can also happen via POST. Joomla uses the PHP $_REQUEST, so both POST and GET's will go through.by Author