Hacks have been prevalent in the cyber world in recent months, potentially exposing unknowing victims to security risks. Vulnerabilities in different platforms, be it devices, software or websites, can serve as openings for hackers to steal important private information. Tech companies have been issuing fixes to address the possible risks.
Joomla, one of the world's most popular website management systems, has been found to have a critical vulnerability. The company addressed the problem on Thursday, Oct. 22. According to an Ars Technica report, Joomla has issued an update to fix the bug, which can give hackers access to a site's admin control panel.
This can be done by executing crafted code remotely. The vulnerability puts at risk more than 2.8 million websites, all powered by Joomla's web management system. The flaw has been found in Joomla versions 3.2 and 3.4.4. Asaf Orpani, a researcher at Trustwave SpiderLabs, reported the vulnerability in the Joomla CMS on Thursday.
Orpani detailed his findings in a Trustwave SpiderLabs post, stating that even guests can access otherwise confidential code. "The code was located in the administrator folder and, surprisingly, accessible by guests of the website. To execute this code, an attacker only needs to send a request with a parameter stating 'contenthistory' as the component he wants to access."
Hackers can exploit the flaw by entering crafted input in a website's input fields. After doing so, they can reach the site's control panel, which lets them access restricted resources and other private user information. One example of an input field is a text box in which users enter search queries. Whatever is typed there is sent on to the site's database.
In some cases, the crafted input is interpreted by the database as a command rather than as data, which can lead to exposure of information and further attacks. Joomla extended its gratitude to Orpani and urged web administrators to update their Joomla installations to make sure their sites are free from the flaw.
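To make the mechanism described above concrete, here is an added example (not Joomla's code; Python and SQLite stand in for the site's PHP and database) of a search box handler in its flawed form, where user text is pasted into the SQL string, beside the hardened form that binds the value as a parameter. The table and the "crafted" input are constructed for the demonstration; the point is that only the flawed handler lets a search term reach rows the query was meant to exclude.

```python
import sqlite3

# Constructed sample content, standing in for a site's article table (not Joomla's schema).
ARTICLES = [("Welcome", 1), ("Draft roadmap", 0), ("Public notice", 1)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (title TEXT, published INTEGER)")
    conn.executemany("INSERT INTO content VALUES (?, ?)", ARTICLES)
    return conn


def search_vulnerable(conn, term):
    # Flawed pattern: the user's text becomes part of the SQL command itself,
    # so a value containing quotes or comment markers changes the query's logic.
    sql = "SELECT title FROM content WHERE published = 1 AND title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    # Hardened form: the driver binds the value separately from the statement,
    # so the text is only ever compared as a string and cannot alter the query.
    sql = "SELECT title FROM content WHERE published = 1 AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    conn = make_db()
    # Constructed input: closes the quoted string, adds an always-true clause,
    # and comments out the rest of the statement.
    crafted = "' OR 1=1 --"
    return {
        "normal_vuln": search_vulnerable(conn, "notice"),
        "normal_safe": search_parameterized(conn, "notice"),
        "crafted_vuln": search_vulnerable(conn, crafted),   # unpublished draft leaks
        "crafted_safe": search_parameterized(conn, crafted),  # no match, nothing leaks
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The safe handler returns the same result as the flawed one for an ordinary search term, which is why the defect goes unnoticed until a crafted value arrives; reviewing every place where request parameters reach a query is the check a site administrator would want.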