Joomla closes SQL injection flaw in its content management system
Joomla has released a patch for its content management system. The patch closes a vulnerability that allows an attacker to, among other things, take over the sessions of logged-in users via SQL injection.
The vulnerability was discovered by security company Sucuri, which has published an analysis. In it, Sucuri writes that the flaw is quite easy to abuse and requires no elevated privileges. Using the SQL injection, an attacker could, for example, steal hashed passwords or take over a logged-in administrator's session, and in that way ultimately obtain full access.
The vulnerability, CVE-2017-8917, can be triggered by appending certain parameters to the URL. It is present in version 3.7 of the content management system. In its own announcement, Joomla states that the vulnerability has been fixed in version 3.7.1 and recommends that users update as soon as possible. According to W3Techs, 3.3 percent of all websites use Joomla, while 28 percent use WordPress.