Serious Joomla Vulnerability found but we’ve got you Covered!
It is mid-summer now but security issues take no vacation. Actually they find the most inappropriate time to appear and make our lives more interesting, to say the least. On Thursday, 25 July the Joomla! Project announced the availability of Joomla 3.1.4/2.5.13 and many users upgraded their websites because the new releases provide tons of useful new features and bug fixes. One will think: job well done, it is time to hit the beach! But… On Thursday, 01 August, the Joomla! Project surprisingly announced the immediate availability of Joomla! 3.1.5/2.5.14. Apparently not much time to sip exotic summer cocktails was allowed. The reason for this extremely short period between the two versions was that a critical level security issue was discovered just after the previous release and it had the potential to affect all Joomla! CMS versions. Yes, that’s correct – we are talking about all the Joomla! sites out there. All versions are affected – 1.5, 1.6, 1.7, 2.5 and 3. Sounds scary, right? Not if you’re hosted on SiteGround servers!
Vulnerability Explained
The vulnerability allows Joomla websites to be hacked through the Media Manager. To exploit the vulnerability the attacker should find a Joomla site that allows access to the media manager to its registered users. Then s/he will register an account and use the vulnerability to upload a malicious shell script to this site through the Media Manager. After that the attacker can do pretty much anything – edit your files, access your database, delete information, etc.
How did we resolve the issue for all of our clients?
Step 1: We applied a server level solution
As soon as the vulnerability was announced our security team started to develop a server level patch. This is our standard practice when there is an issue that can affect a large number of installations. The idea is to create a layer of protection to all Joomla websites hosted by SiteGround regardless of their current version. We analyzed carefully the vulnerability, the exploit and the payload and came up with ingenious solution that blocks the upload of malicious files through the Media Manager on a server level.
Step 2: Upgrading Joomla 2.5 and 3
Our Joomla! Auto Update system upgraded the 2.5.x/3.x applications on our servers to the new versions 2.5.14 and 3.1.5. These were released very timely by the Joomla organization and are no longer vulnerable. Once again the Auto Update system we have developed secured our customers’ websites without any effort on their side.
Step 3: Patching Joomla 1.5
As Joomla 1.5 is no longer officially supported, there was no upgrade available for it. However, the Joomla team has released a security patch that should be applied manually and we went the extra mile and patched all the old Joomla versions hosted on our servers manually ourselves.
What to do if you’re not hosted by SiteGround?
The official solution for Joomla! 2.5.x and 3.x sites is to upgrade your application to the latest stable releases – 2.5.14 and 3.1.5. Joomla! 1.5.x users should download this Joomla patch, extract the .zip file and manually upload the enclosed files into place.
All in all, if you’re a SiteGround customer you can sit back and enjoy your summer vacation, we got you covered! Otherwise, you will have to put down your cocktail and patch your Joomla! site before it is too late. Of course, you can always transfer to us.
