Joomla patches eight-year-old critical CMS bug

The flaw could be exploited to steal administrator account details and hijack websites.
Written by Charlie Osborne, Contributor
Image: RIPS

Joomla has patched a critical bug which could be used to steal account information and fully compromise website domains.

This week, the content management system (CMS) provider issued a security advisory detailing the flaw, which is found in the LDAP authentication plugin.

Lightweight Directory Access Protocol (LDAP) is used by Joomla to access directories over TCP/IP. The plugin is integrated with the CMS.

Joomla considers the bug a "medium" severity issue, but according to researchers from RIPS Technologies, the problem is closer to a critical status.

In a blog post, the team said the previously unknown LDAP injection vulnerability, in the login controller of the plugin, "could allow remote attackers to leak the super user password with blind injection techniques and to fully take over any Joomla <= 3.7.5 installation within seconds."

Through the flaw, CVE-2017-14596, a remote attacker is able to extract authentication credentials from the LDAP server, including the super user username and password, as long as Joomla is configured to use LDAP for authentication.

The vulnerability arises because user input is mixed, unsanitized, into the LDAP query markup that is then passed to the LDAP search function.
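The unsanitized pattern described above, shown beside the escaping fix and a simple check that flags login names carrying filter syntax. This is an added Python illustration, not Joomla's plugin code or the RIPS proof of concept; the filter template and the sample usernames are constructed for the example.

```python
import re

# RFC 4515 escape table: these characters change the meaning of a search
# filter, so a value placed inside a filter must encode them as \XX.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is treated as literal text in a filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_login_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw input concatenated straight into filter markup
    (constructed template, mirroring the bug class the article describes)."""
    return f"(&(objectClass=person)(uid={username}))"


def build_login_filter_safe(username: str) -> str:
    """Hardened pattern: the value is escaped before it enters the filter."""
    return f"(&(objectClass=person)(uid={escape_ldap_filter_value(username)}))"


def filter_component_count(filter_str: str) -> int:
    """Number of filter components, i.e. unescaped '(' in the final query.
    With the fixed template this must always be 3; any other value means the
    input changed the query's structure."""
    return filter_str.count("(")


_FILTER_METACHARS = re.compile(r"[*()\\\x00]")


def contains_filter_metacharacters(username: str) -> bool:
    """Detection helper: a login name that carries filter syntax is worth
    logging and alerting on, even after escaping has neutralised it."""
    return _FILTER_METACHARS.search(username) is not None


if __name__ == "__main__":
    for name in ("alice", "bob)(cn=*"):  # constructed sample usernames
        print("unsafe:", build_login_filter_unsafe(name),
              "components:", filter_component_count(build_login_filter_unsafe(name)))
        print("safe:  ", build_login_filter_safe(name),
              "components:", filter_component_count(build_login_filter_safe(name)))
        print("flag:  ", contains_filter_metacharacters(name))
```

The escaped filter keeps exactly three components whatever the input, which is the property the unpatched plugin lacked.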

The attacker does not need any privileges to exploit the bug, which has been present in the plugin for the past eight years. It is not known if the issue has been exploited in the wild.

"As one of the most popular open source CMS applications, Joomla receives many code reviews from the security community," RIPS commented. "Yet alone one missed security vulnerability in the 500,000 lines of code can lead to a server compromise."

After the vulnerability was disclosed to the Joomla team and confirmed in July, a fix was shipped in the latest Joomla release, version 3.8.
