Categories: Security

How to Fix Joomla 3.2 to 3.4.4 Core – SQL Injection vulnerability

 

If you are a Joomla user, just UPGRADE it to the latest version, here or download new installation package here.

Joomla officials have announced a new release Joomla! 3.4.5 is now available. Joomla core packages 3.2 to 3.4.4 are vulnerable to a critical vulnerability – SQL injection. The newly released Joomla version fixes the SQL injection vulnerability.

The vulnerability doesn’t require any extensions for exploitation as it is directly spotted in the core package of the Joomla. This is a most critical bug which allows unauthenticated and remote exploitation. The SQL injection vulnerable file is located at /administrator/components/com_contenthistory/models/history.php (option=com_contenthistory&view=history). The vulnerable code resides into the getListQuery() protected function.

We recommend to all users to update to latest version and harden the Joomla setup / Joomla installed on your server. If you are a hosting provider and installed Softaculous, from the cPanel you can directly upgrade Joomla installation.

Recommended Steps

  1. Change the default administrator username
  2. Protect directories and files – Project administrator directory with .htaccess protection. For details on protection implementation click here
  3. Disable Unneeded Functions & Classes e.g. : eval(),  system(), show_source, system, shell_exec, passthru,  exec,  phpinfo,  proc_open,  popen,  eval, and highlight_file
  4. Turn off display_errors from PHP.ini
  5. Limit Administrator Panel Access by allowing only trusted set of IP addresses
  6. Configure open_basedir from PHP.ini
  7. Disable file upload, if reqruied. Webmaster can uploads the files using FTP.
  8. Disable Remote Includes from PHP.ini

Technical Information

Trustwave team discovered this vulnerability and has already released detailed documentations, it is strongly recommended to read it.


Vishwajit Kale
Vishwajit Kale blazed onto the digital marketing scene back in 2015 and is the digital marketing strategist of Hostripples, a company that aims to provide affordable web hosting solutions. Vishwajit is experienced in digital and content marketing along with SEO. He's fond of writing technology blogs, traveling and reading.

Recent Posts

Cyberduck and FileZilla: A Comprehensive Comparison

As a web designer and web developer your experience must have reached to new height, right? Further, you need to…

2 days ago

The Science Behind Social Media Posting Times

In today's digital landscape, timing is everything. Whether you're a social media manager, business owner, or content creator, the success…

1 week ago

Mastering Google Search Console: Tips for New Users

Are you a website owner? Maintaining the website is the prime concern for any website owner. Yes, it’s equally important…

2 weeks ago

A Comprehensive Guide to Changing and Protecting the WordPress Login URL

If you’ve planned to launch a WordPress website, you might get a question, “How do I log in to WordPress?”…

2 weeks ago

The Ultimate Showdown: Linux vs Windows for VPS Hosting

As the demand for virtual private servers (VPS) continues to grow, businesses and individuals are faced with a crucial decision:…

1 month ago