Joomla Receives Patches for Zero-Day SQL Injection Vulnerability, Other Flaws

IDG News Service (03/10/14) Constantin, Lucien

The Joomla Project content management system (CMS) has released security updates to patch a number of security flaws, including an SQL injection vulnerability that was disclosed in early February. The update also patches an unauthorized log-in flaw in the Gmail-based authentication plug-in. No further details on the SQL vulnerability were disclosed, although the severity of the problem is rated as high and apparently stems from inadequate escaping.

Security researchers from Sucuri, however, say the patch is connected to a zero-day exploit published on Feb. 6. “I actually had one of our developers investigate [the patched vulnerability] for us and the flaw is the same one that was publicly released a month ago on exploit-db [an exploit listing Web site],” said Sucuri CTO Daniel Cid. “What really shocked us is that Joomla took almost a month to release a patch for it.” Cid added that while the exploit has not been seen in the wild, Sucuri did see some queries starting to look for the mod_tags_similar module, so the next step [for attackers] is to attempt to compromise sites using it.

Cid also commented on the security flaw in the Gmail-based authentication plug-in, explaining that a user who enables the feature could allow a hacker to bypass his authentication by registering a Gmail address with the same name.
Posted on: Wed, 12 Mar 2014 04:15:04 +0000
