Attackers can compromise and take over sites

Dec 14, 2015 18:10 GMT  ·  By

The Joomla security team has fixed a highly critical zero-day bug, which appears to have already been used in the wild to compromise and take over Joomla sites.

Just two hours ago, the Joomla security team released version 3.4.6, along with security patches for older versions of the CMS, even though some of those versions have reached end of life (EoL) and are no longer officially supported.

Remote code execution flaw via the user agent string

The reason behind this out-of-the-ordinary security release is a critical zero-day bug that lets an attacker store a crafted string in the Joomla database, which the CMS later processes in a way that executes attacker-supplied code.

The entry point for the malicious payload is the User-Agent header, a string that every visitor's browser sends to identify its browser and platform so the site can serve the most appropriate version of its pages.

Joomla stores this string in its database, but does not filter it properly, so attacker-controlled content reaches code that trusts it.

Because the header is entirely client-controlled, the attacker needs nothing more than a tool that sets an arbitrary User-Agent value (curl, a browser extension, or a few lines of script) to send a crafted string carrying the payload.

Zero-day bug used in the wild for more than two days

Researchers at Sucuri report having observed attacks in the wild that leverage this technique.

The first attacks started on December 12, but "today (Dec 14th), the wave of attacks is even bigger, with basically every site and honeypot we have being attacked. That means that probably every other Joomla site out there is being targeted as well," said Daniel Cid, Founder & CTO of Sucuri.

To mitigate the danger, Mr. Cid advises website owners to update as soon as possible to version 3.4.6 or to apply the security patches offered by the Joomla team. All versions of the CMS from 1.5.x up to and including 3.4.5 are affected.

To check whether a site has already been targeted, webmasters should search their web server logs for requests from 146.0.72.83, 74.3.170.33 or 194.28.174.106, the addresses from which most of the attacks observed so far originated, and for User-Agent strings containing "JDatabaseDriverMysqli" or "O:" (the latter is the prefix of a serialized PHP object, which is what the payload is). A match shows that the site was attacked; whether the attack succeeded requires further investigation of the site itself.
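The log check described above, as an added example that is not part of the article and not code from Sucuri or Joomla. It parses Apache/nginx combined-format access log lines (an assumption about the log format), flags requests from the three listed addresses, and tightens the bare "O:" indicator into the full PHP serialized-object marker `O:<len>:"<Class>` so ordinary browser strings do not trigger it. The sample log lines are constructed for the example; the User-Agent values in them merely contain the indicator strings and are not working payloads.

```python
import re
from typing import Dict, List, Optional

# Source addresses published for this attack wave (quoted in the article).
SUSPECT_IPS = {"146.0.72.83", "74.3.170.33", "194.28.174.106"}

# PHP's serialize() encodes an object as O:<len>:"<ClassName>":...; a real
# browser never sends that in a User-Agent header. The class name is the
# Joomla class named in the published indicators.
UA_INDICATORS = {
    "php-serialized-object": re.compile(r'O:\d+:"[A-Za-z_\\]'),
    "joomla-gadget-class": re.compile(r"JDatabaseDriverMysqli"),
}

# Combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-agent}i".
# Apache writes a literal '"' inside a header value as '\"', so each quoted
# field must accept backslash-escaped characters.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<req>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)


def _unescape(field: str) -> str:
    """Undo Apache's backslash escaping inside a quoted log field."""
    return field.replace('\\"', '"').replace("\\\\", "\\")


def classify_line(line: str) -> Optional[Dict[str, object]]:
    """Return a finding for one access-log line, or None if it is clean or unparseable."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    ip = m.group("ip")
    ua = _unescape(m.group("ua"))
    reasons: List[str] = []
    if ip in SUSPECT_IPS:
        reasons.append("source-ip-on-indicator-list")
    for name, pattern in UA_INDICATORS.items():
        if pattern.search(ua):
            reasons.append(name)
    if not reasons:
        return None
    return {
        "ip": ip,
        "timestamp": m.group("ts"),
        "request": m.group("req"),
        "user_agent": ua,
        "reasons": reasons,
    }


def scan_log(text: str) -> List[Dict[str, object]]:
    """Scan a whole access log and return every finding, in file order."""
    return [f for f in (classify_line(ln) for ln in text.splitlines()) if f]


# Constructed sample log: one clean request, one from a listed address
# carrying a (non-functional) serialized-object User-Agent, one serialized
# object from an unlisted address, and a normal browser from a listed address.
SAMPLE_LOG = r"""203.0.113.7 - - [14/Dec/2015:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0"
146.0.72.83 - - [14/Dec/2015:10:03:44 +0000] "GET / HTTP/1.1" 200 4521 "-" "O:21:\"JDatabaseDriverMysqli\":0:{}"
198.51.100.9 - - [14/Dec/2015:10:05:02 +0000] "GET /administrator/ HTTP/1.1" 200 2210 "-" "O:8:\"stdClass\":0:{}"
194.28.174.106 - - [14/Dec/2015:10:06:30 +0000] "GET /index.php HTTP/1.1" 200 4521 "-" "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1)"
"""

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["timestamp"], finding["ip"], ", ".join(finding["reasons"]))
        print("  UA:", finding["user_agent"])
```

On the sample, the clean Firefox line produces no finding; the third line is flagged on the User-Agent alone even though its address is not on the list, which is the case a pure IP-based search would miss, and the fourth is flagged on the address alone, which deserves a look at the site's session table rather than an automatic verdict. To run it against a real log, feed the file contents to `scan_log` instead of `SAMPLE_LOG`.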

The latest version of the Joomla CMS is available from GitHub or via a download mirror hosted on Softpedia. The security patches for older Joomla versions can be found on the Joomla documentation pages.