Joomla SQL-Injection Flaw Affects Millions of Websites (trustwave.com)

An anonymous reader writes: Joomla has just issued a patch that fixes a SQL-injection vulnerability discovered by a researcher at Trustwave SpiderLabs. The flaw allowed malicious users to extract a browser cookie assigned to a site's administrator, giving them access to restricted parts of the server. The flaw first appeared in Joomla 3.2, released in November, 2013. An estimated 2.8 million websites rely on Joomla. The Joomla team and the researcher who found the flaw recommend an immediate update to version 3.4.5.
  • Today I learned that I write more secure code than all of the fucking coders at Joomla put together.

    A decent sized company with loads of resources, lots of code reviews, using Agile, Scrum, Waterfall, SuckMyPecker, and (supposedly) staffed with experienced programmers, and they STILL fuck it up.

      by Anonymous Coward

      Joomla is not a company. The people developing it are volunteers.

      • by danhuby ( 759002 )

        Well said. And it only takes one mistake by one person to introduce a vulnerability. In hundreds of thousands of lines of code.

  • Just switch to Plone and sleep easier at night. Slightly out-of-date figures, but in the time Joomla had 441 exploits, Plone had 9.

    https://plone.org/products/plo... [plone.org]

    -Matt

    • by danhuby ( 759002 )

      Has it improved much since 2006? When I used it back then it was awful. Slow, terrible UI, over-engineered.

  • What's with all the anonymous wankers beaking off about PHP vs Node, or JavaScript in general, when it's a server-side parsing of input that leads to the vulnerability? WebGoat was written as an on-purpose vulnerable web app for learning on, maybe some of you should download it and Burp or ZAP and do some self-education. OTOH, I'm sure someone would look at WebGoat, and respond with, "OMG, Java is teh suckz!"

  • So, does this only work if errors are output to the screen?

    Trying to assess the impact to our client sites. We always write errors to file and not to screen.
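Neither the summary nor the comment above shows the code pattern behind a flaw like this, so here is an added illustration (not Joomla's code, and not the specific query from the Trustwave report) of the two things a reviewer looks for: a filter value concatenated into a SQL string, beside the same lookup written with a bound parameter. The table names, column names and the session token are constructed for the example. It runs stand-alone on PHP with the pdo_sqlite extension.

```php
<?php
// Added example, not Joomla code: a string-built query that lets a
// user-controlled value read another table, beside the parameterised fix.
// Constructed schema and rows; an in-memory SQLite database keeps it self-contained.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (id INTEGER, username TEXT, is_admin INTEGER)');
    $db->exec('CREATE TABLE session (session_id TEXT, userid INTEGER)');
    // Constructed sample rows; the token is a made-up placeholder.
    $db->exec("INSERT INTO users VALUES (42, 'admin', 1)");
    $db->exec("INSERT INTO session VALUES ('PLACEHOLDER_ADMIN_SESSION', 42)");
    return $db;
}

// VULNERABLE pattern: the request value is spliced straight into the SQL text,
// so anything in $list is parsed as SQL, not treated as data.
function lookupVulnerable(PDO $db, string $list): array {
    $sql = "SELECT username FROM users WHERE id IN ($list)";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// FIXED pattern: the value is bound as a parameter; the database receives the
// query text and the value separately, so the value can only ever be data.
function lookupSafe(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT username FROM users WHERE id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

function demo(): array {
    $db = setupDb();
    $normal = lookupVulnerable($db, '42');                 // ['admin']

    // Constructed hostile value: closes the IN (...) list and appends a UNION
    // that pulls rows from the session table into the "username" column.
    $hostile = "42) UNION SELECT session_id FROM session WHERE (1=1";
    $leaked  = lookupVulnerable($db, $hostile);           // ['admin', 'PLACEHOLDER_ADMIN_SESSION']

    // The same string through the parameterised query is just a non-matching id.
    $safe = lookupSafe($db, $hostile);                    // []

    return ['normal' => $normal, 'leaked' => $leaked, 'safe' => $safe];
}

print_r(demo());
```

On the question of whether errors have to reach the screen: a UNION-style read like the one above returns the extra rows through the page's normal output and never touches an error message, so writing errors to a file instead of the browser narrows one leakage channel (verbose database errors) but does not remove the underlying flaw. Only the parameterised form does that, which is why the upgrade the Joomla team recommends, rather than error-handling configuration, is the fix.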

  • I switched away from Joomla to WordPress several years ago because hackers kept banging on my virtual doors. I'm looking into switching from WordPress to a static file generator. Can't hack what doesn't have any vulnerabilities.
    • by Tablizer ( 95088 )

      WordPress has had plenty of vulnerabilities also. You've just got to patch quickly when vulnerabilities are found.

      • My problem with WordPress is the constant need to log in and update the plugins. Not a big problem for an active site, but a pain for non-active websites. That's why I'm looking into static files for the older websites.
