5 Aug 2013

Serious Joomla Vulnerability found but we’ve got you Covered!


It is mid-summer now, but security issues take no vacation. Actually, they find the most inappropriate time to appear and make our lives more interesting, to say the least. On Thursday, 25 July the Joomla! Project announced the availability of Joomla 3.1.4/2.5.13 and many users upgraded their websites because the new releases provide tons of useful new features and bug fixes. One would think: job well done, it is time to hit the beach! But… On Thursday, 01 August, the Joomla! Project surprisingly announced the immediate availability of Joomla! 3.1.5/2.5.14. Apparently not much time to sip exotic summer cocktails was allowed. The reason for this extremely short period between the two versions was that a critical security issue was discovered just after the previous release, and it had the potential to affect all Joomla! CMS versions. Yes, that’s correct – we are talking about all the Joomla! sites out there. All versions are affected – 1.5, 1.6, 1.7, 2.5 and 3. Sounds scary, right? Not if you’re hosted on SiteGround servers!

Vulnerability Explained

The vulnerability allows Joomla websites to be hacked through the Media Manager. To exploit it, the attacker needs to find a Joomla site that gives its registered users access to the Media Manager. Then s/he registers an account and uses the vulnerability to upload a malicious shell script to the site through the Media Manager. After that the attacker can do pretty much anything – edit your files, access your database, delete information, etc.

How did we resolve the issue for all of our clients?

Step 1: We applied a server level solution

As soon as the vulnerability was announced, our security team started to develop a server level patch. This is our standard practice when there is an issue that can affect a large number of installations. The idea is to create a layer of protection for all Joomla websites hosted by SiteGround, regardless of their current version. We carefully analyzed the vulnerability, the exploit and the payload and came up with an ingenious solution that blocks the upload of malicious files through the Media Manager at the server level.
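As an added illustration of the kind of check a server-side upload filter for the Media Manager has to enforce (example code written for this post, not SiteGround's rule and not Joomla's own code; the extension lists and file signatures are constructed assumptions), the filter below normalizes the client-supplied name before testing it, refuses any executable extension in any segment of the name, and then confirms the file body starts like the type its name claims:

```python
"""Filename and content checks for a media-upload endpoint (constructed example)."""
import os

# Constructed policy: extensions a media manager is expected to accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Server-side executable extensions that must not appear anywhere in the name,
# so "file.php.jpg" is refused as well as "file.php".
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "phtml", "phar",
                         "pl", "py", "cgi", "sh", "asp", "aspx", "jsp"}
# Leading bytes expected for the image/document types we accept.
MAGIC = {"png": (b"\x89PNG\r\n\x1a\n",), "jpg": (b"\xff\xd8\xff",),
         "jpeg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a"),
         "pdf": (b"%PDF-",)}


def normalize_filename(name: str) -> str:
    """Reduce a client-supplied name to the form the check is applied to."""
    base = os.path.basename(name.replace("\\", "/"))  # drop any directory part
    base = base.split("\x00", 1)[0]                   # stop at an embedded NUL
    return base.strip().rstrip(". ").lower()          # trailing dots/spaces, case


def is_safe_upload_name(name: str) -> bool:
    """Accept only names whose every extension segment is harmless and whose
    final extension is on the allow list."""
    base = normalize_filename(name)
    if not base or base.startswith("."):              # empty name or dotfile
        return False
    parts = base.split(".")
    if len(parts) < 2:                                # no extension at all
        return False
    if any(p in EXECUTABLE_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_EXTENSIONS


def content_matches_extension(data: bytes, name: str) -> bool:
    """Defence in depth: the file body must start like the type it claims."""
    ext = normalize_filename(name).rsplit(".", 1)[-1]
    signatures = MAGIC.get(ext)
    if signatures is None:                            # e.g. txt: no fixed signature
        return True
    return any(data.startswith(sig) for sig in signatures)


def accept_upload(name: str, data: bytes) -> bool:
    """Overall decision a server-level filter would make for one upload."""
    return is_safe_upload_name(name) and content_matches_extension(data, name)
```

Normalizing before checking is the important part: a check applied to the raw name can be satisfied by a name the filesystem later stores differently.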

Step 2: Upgrading Joomla 2.5 and 3

Our Joomla! Auto Update system upgraded the 2.5.x/3.x applications on our servers to the new versions 2.5.14 and 3.1.5. These were released very promptly by the Joomla organization and are no longer vulnerable. Once again, the Auto Update system we have developed secured our customers’ websites without any effort on their side.

Step 3: Patching Joomla 1.5

As Joomla 1.5 is no longer officially supported, there was no upgrade available for it. However, the Joomla team has released a security patch that has to be applied manually, and we went the extra mile and patched all the old Joomla 1.5 installations hosted on our servers ourselves.

What to do if you’re not hosted by SiteGround?

The official solution for Joomla! 2.5.x and 3.x sites is to upgrade your application to the latest stable releases – 2.5.14 and 3.1.5. Joomla! 1.5.x users should download this Joomla patch, extract the .zip file and manually upload the enclosed files into place.

All in all, if you’re a SiteGround customer you can sit back and enjoy your summer vacation, we’ve got you covered! Otherwise, you will have to put down your cocktail and patch your Joomla! site before it is too late. Of course, you can always transfer to us.

Author: Daniel Kanchev

Senior Web Apps Engineer and Performance Specialist

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a Web security and performance freak I am always hyper-focused on solving all kinds of issues and improving our services.

Comments (10):

  1. TB says:

    Thanks Siteground for being proactive with this – much appreciated. T.

  2. Matt says:

    It’s great to see you being proactive about security. However, it needs to be clarified that no one should be using versions 1.6, 1.7. Those versions are STS releases and are no longer supported and insecure.

  3. Richard says:

    That’s great to hear. I like the fact a problem is fixed before I know about it, one less thing to stress about.

    So, how to make SiteGround better still? How about the same ‘response’ to OpenCart? Wow, automated bug fixing for my two favorite programmes, that’s 2 things less to stress about :)

  4. Kevin says:

    Thanks SG! Wasn’t even aware there was a vulnerability. You guys rock!

  5. Jennifer says:

    Thanks for staying on top of it. I have Joomla 3 but I have disabled the auto update because of my template compatibility. Do I need to change anything? Thanks!

    • Daniel Kanchev says:

      Hi Jennifer,

      I checked your Joomla! CMS site and I can confirm that it is not vulnerable – our server level protection rule got you covered. However, you should really upgrade your site to the latest stable Joomla! release (3.1.5) because it also offers many new features. If you have any questions regarding the upgrade you can send me an email to daniel.k@siteground.com. I will be glad to assist you and check your template.

  6. Moe says:

    Makes you feel lucky to have such a great hosting provider!

  7. akin says:

    SiteGround is the best ISP in the world! I can actually happily sleep and rest assured my clients’ websites are up 24/7. Thank you.

  8. Ceeland Gregory says:

    Hi,
    I am using Joomla 1.5.26.
    Could you tell me how to upgrade to the latest version 3.15?
    Thank you.
