Users should update to Joomla 3.6.4 as soon as possible

Oct 25, 2016 21:30 GMT  ·  By

The Joomla CMS project released version 3.6.4 today to fix two security flaws, both of which the project's developers classified as "high-priority."

According to the project's short technical description, the two flaws, chained together, allow remote attackers to create accounts with elevated privileges on a Joomla site, even when the user registration feature is disabled.

The first vulnerability, tracked as CVE-2016-8870, allows attackers to create accounts, while the second flaw, tracked as CVE-2016-8869, permits them to elevate the account's privileges.

CVE-2016-8869 leads to site takeover

The project's description of CVE-2016-8870 reads: "Inadequate checks allows for users to register on a site when registration has been disabled."

The description of CVE-2016-8869 reads: "Incorrect use of unfiltered data allows for users to register on a site with elevated privileges."

The Joomla team says both flaws affect Joomla versions 3.4.4 through 3.6.3 inclusive. An attacker exploiting the two flaws in combination ends up with a privileged account and can take over the Joomla installation.
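The practical consequence for a site owner is that a patch alone does not undo an account an attacker may already have created. The audit below is an added example written for this article, not code from Joomla or the JSST: it checks whether an installed version falls in the affected range, and it lists accounts registered since the disclosure window opened that sit in a privileged group. It assumes the stock Joomla 3.x schema (`#__users`, `#__user_usergroup_map`, `#__usergroups`) with the default group ids 6 (Manager), 7 (Administrator) and 8 (Super Users), a table prefix of `jos_`, and it runs against a constructed in-memory SQLite copy so it works offline; none of those details come from the article.

```python
"""Post-advisory audit for a Joomla 3.x site.

Example code added for this article; not part of Joomla or the JSST's work.
Assumptions (not stated by the article): stock schema, default group ids,
table prefix "jos_", and an in-memory SQLite stand-in for the site database.
The same AUDIT_SQL runs unchanged on MySQL through any DB-API driver.
"""
import sqlite3

PREFIX = "jos_"                       # assumed table prefix
PRIVILEGED_GROUPS = {6, 7, 8}         # Joomla defaults: Manager, Administrator, Super Users
_PLACEHOLDERS = ",".join("?" for _ in PRIVILEGED_GROUPS)

# Accounts created at or after a cut-off date that belong to a privileged group.
AUDIT_SQL = f"""
SELECT u.id, u.username, u.email, u.registerDate, g.id AS group_id, g.title
FROM {PREFIX}users u
JOIN {PREFIX}user_usergroup_map m ON m.user_id = u.id
JOIN {PREFIX}usergroups g ON g.id = m.group_id
WHERE u.registerDate >= ?
  AND g.id IN ({_PLACEHOLDERS})
ORDER BY u.registerDate
"""


def is_affected(version: str) -> bool:
    """True if a Joomla version string lies in 3.4.4 .. 3.6.3, the range the advisory lists."""
    parts = tuple(int(p) for p in version.split("."))
    return (3, 4, 4) <= parts <= (3, 6, 3)


def find_suspicious_accounts(conn, since: str):
    """Return (username, group title, registerDate) for privileged accounts
    registered at or after `since` (format 'YYYY-MM-DD HH:MM:SS', which
    Joomla stores and which compares correctly as a string)."""
    rows = conn.execute(AUDIT_SQL, (since, *sorted(PRIVILEGED_GROUPS))).fetchall()
    return [(r[1], r[5], r[3]) for r in rows]


def build_sample_db():
    """Constructed sample data for the demo; not taken from any real site."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
    CREATE TABLE {PREFIX}users (id INTEGER PRIMARY KEY, name TEXT, username TEXT,
                                email TEXT, registerDate TEXT, block INTEGER);
    CREATE TABLE {PREFIX}usergroups (id INTEGER PRIMARY KEY, title TEXT);
    CREATE TABLE {PREFIX}user_usergroup_map (user_id INTEGER, group_id INTEGER);
    INSERT INTO {PREFIX}usergroups VALUES (2,'Registered'),(6,'Manager'),
                                           (7,'Administrator'),(8,'Super Users');
    INSERT INTO {PREFIX}users VALUES
      (42,'Site Owner','owner','owner@example.com','2015-03-01 10:00:00',0),
      (43,'Jane','jane','jane@example.com','2016-10-02 09:15:00',0),
      (44,'x','zzadmin','zz@example.net','2016-10-19 03:12:44',0),
      (45,'y','support2','s2@example.net','2016-10-23 22:48:01',0);
    INSERT INTO {PREFIX}user_usergroup_map VALUES (42,8),(43,2),(44,8),(45,7);
    """)
    return conn


if __name__ == "__main__":
    print("3.6.3 affected:", is_affected("3.6.3"), "| 3.6.4 affected:", is_affected("3.6.4"))
    db = build_sample_db()
    # Cut-off: the day the first report reached the JSST.
    for username, group, when in find_suspicious_accounts(db, "2016-10-18 00:00:00"):
        print(f"REVIEW {username:<10} {group:<14} created {when}")
```

On a live site the cut-off date should be no later than the first report date, and any hit should be treated as a possible compromise rather than just deleted: note its email and registration time, check the web server logs around that timestamp, and rotate credentials for the legitimate administrators.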

Proof-of-concept code not released (yet)

CVE-2016-8870 was reported on October 18 by Demis Palma. While investigating the impact of Palma's report, Joomla Security Strike Team (JSST) member Davide Tampellini discovered three days later how to trigger CVE-2016-8869.

The JSST realized the impact of the flaws, immediately started work on a patch, and issued a public pre-release alert to raise as much awareness of the upcoming security release as possible.

Tampellini has told Softpedia that neither he nor the Joomla project is aware of any real-world attacks using these flaws. The Italian researcher has also written a weaponized proof-of-concept, but hasn't decided whether he'll release the code just yet.

"As far as we know, we didn't see this exploit used in the wild," Tampellini told Softpedia. "However, since these vulnerabilities are marked as 'high', the team decided to release a new version and to anticipate attackers, closing the vulnerability door before getting actively exploited."

Both Tampellini and the JSST declined to disclose details of the vulnerabilities, so as not to hand attackers a recipe while many sites remain unpatched.

Previous Joomla critical flaw was very popular among hackers

Their fear is justified. In mid-December 2015, the Joomla project released Joomla version 3.4.6 to fix a zero-day tracked as CVE-2015-8562.

Two weeks later, by the end of the month, web security firm Sucuri was seeing around 16,600 attempts per day to exploit that flaw and take over vulnerable Joomla installations.

The latest version of the Joomla CMS is available from Github or via a download mirror hosted on Softpedia.