Categories: Security

How to Fix Joomla 3.2 to 3.4.4 Core – SQL Injection vulnerability

 

If you are a Joomla user, just UPGRADE it to the latest version, here or download new installation package here.

Joomla officials have announced a new release Joomla! 3.4.5 is now available. Joomla core packages 3.2 to 3.4.4 are vulnerable to a critical vulnerability – SQL injection. The newly released Joomla version fixes the SQL injection vulnerability.

The vulnerability doesn’t require any extensions for exploitation as it is directly spotted in the core package of the Joomla. This is a most critical bug which allows unauthenticated and remote exploitation. The SQL injection vulnerable file is located at /administrator/components/com_contenthistory/models/history.php (option=com_contenthistory&view=history). The vulnerable code resides into the getListQuery() protected function.

We recommend to all users to update to latest version and harden the Joomla setup / Joomla installed on your server. If you are a hosting provider and installed Softaculous, from the cPanel you can directly upgrade Joomla installation.

Recommended Steps

  1. Change the default administrator username
  2. Protect directories and files – Project administrator directory with .htaccess protection. For details on protection implementation click here
  3. Disable Unneeded Functions & Classes e.g. : eval(),  system(), show_source, system, shell_exec, passthru,  exec,  phpinfo,  proc_open,  popen,  eval, and highlight_file
  4. Turn off display_errors from PHP.ini
  5. Limit Administrator Panel Access by allowing only trusted set of IP addresses
  6. Configure open_basedir from PHP.ini
  7. Disable file upload, if reqruied. Webmaster can uploads the files using FTP.
  8. Disable Remote Includes from PHP.ini

Technical Information

Trustwave team discovered this vulnerability and has already released detailed documentations, it is strongly recommended to read it.


Vishwajit Kale
Vishwajit Kale blazed onto the digital marketing scene back in 2015 and is the digital marketing strategist of Hostripples, a company that aims to provide affordable web hosting solutions. Vishwajit is experienced in digital and content marketing along with SEO. He's fond of writing technology blogs, traveling and reading.

Recent Posts

Make in India, Make for the World: How Hostripples Empowers Modi’s Vision

Introduction Prime Minister Narendra Modi’s clarion call — “Make in India, Make for the World” — is not just a…

5 hours ago

AI – Powered Customer Support in Hosting: Chatbots & Virtual Assistants

Customer support has always been the backbone of the web hosting industry. From helping users set up domains to troubleshooting…

2 weeks ago

ChatGPT: Your Ultimate AI Content Generation Tool

Content is the most vital asset for businesses navigating the digital era. But creating high-quality, engaging content consistently can be…

4 weeks ago

Discover Ollama: How It Works, Features & Everything?

Welcome to the exciting world of Ollama, a revolutionary open-source tool that's democratizing access to Large Language Models (LLMs). If…

1 month ago

Connecting to Amazon EC2 via WinSCP (SFTP): A Complete Guide

Managing files on your Amazon EC2 instances can often feel like navigating a complex maze, especially when you prefer a…

2 months ago