Latest Joomla 3.7.1 Release Patches Critical SQL Injection Attack

2017-05-17 05:11:00
Mohit Kumar
thehackernews.com
EPSS: 0.976 (High), Percentile: 100.0%

If your website is based on the popular Joomla content management system, make sure you have updated your platform to the latest version released today.

Joomla, the world’s second most popular open source Content Management System, has reportedly patched a critical vulnerability in its software’s core component.

Website administrators are strongly advised to immediately install the latest Joomla version 3.7.1, released today, to patch a critical SQL Injection vulnerability (CVE-2017-8917) that affects only Joomla version 3.7.0.

“Inadequate filtering of request data leads to a SQL Injection vulnerability,” the release note says.

The SQL Injection vulnerability in Joomla 3.7.0 was responsibly reported to the company last week by Marc-Alexandre Montpas, a security researcher at Sucuri.

According to the researcher, ‘The vulnerability is easy to exploit and doesn’t require a privileged account on the victim’s site,’ which could allow remote hackers to steal sensitive information from the database and gain unauthorized access to websites.

The SQL Injection vulnerability originates from a com_fields parameter, which was introduced in version 3.7.

> /index.php?option=com_fields&view=fields&layout=modal

“So in order to exploit this vulnerability, all an attacker has to do is add the proper parameters to the URL in order to inject nested SQL queries,” the researcher says.

Joomla 3.7.0 Proof-of-Concept Exploit:

> http://target-joomla-website.com/index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x3e,user()),0)

Since hackers would not take much time to exploit this vulnerability against millions of websites, you are advised to download the latest version of Joomla for your website and to inform others about the release of this critical patch update as well.
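For site owners who want to check whether the request pattern quoted above has already reached their server, the following added example (not code from the article, Joomla or Sucuri) scans web access logs for `com_fields` requests whose `list[fullordering]` value is anything other than a plain column name and sort direction. The log lines, the function name `suspicious_requests` and the allow-list pattern are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (not real traffic); the first payload is
# the proof-of-concept value quoted in the article.
SAMPLE_LOG = """\
198.51.100.7 - - [17/May/2017:05:20:01 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list[fullordering]=updatexml(1,concat(0x3e,user()),0) HTTP/1.1" 500 1432
198.51.100.9 - - [17/May/2017:05:21:10 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.title%20ASC HTTP/1.1" 200 8841
203.0.113.4 - - [17/May/2017:05:22:45 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5120
203.0.113.8 - - [17/May/2017:05:23:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=UpdateXML%281%2Cconcat%280x3e%2Cuser%28%29%29%2C0%29 HTTP/1.1" 500 1432
"""

# Client address, request target and status code from a combined-format line.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

# Assumption: a legitimate ordering value is one column name plus an optional
# ASC/DESC direction. Anything else (parentheses, commas, quotes) is flagged.
SAFE_ORDERING = re.compile(r"^[A-Za-z0-9_.]+(\s+(asc|desc))?$", re.IGNORECASE)


def suspicious_requests(log_text):
    """Return (client, status, decoded_value) for each com_fields request whose
    list[fullordering] value is not a plain column/direction pair."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST.match(line)
        if not match:
            continue  # not a request line this parser understands
        client, target, status = match.groups()
        # parse_qs percent-decodes keys and values, so list%5Bfullordering%5D
        # and list[fullordering] are treated as the same parameter.
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        if "com_fields" not in params.get("option", []):
            continue
        for value in params.get("list[fullordering]", []):
            if not SAFE_ORDERING.match(value.strip()):
                hits.append((client, status, value))
    return hits


if __name__ == "__main__":
    for client, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{client} status={status} list[fullordering]={value!r}")
```

Access logs normally record only the query string, so parameters sent in a POST body will not appear here. Hits dated before the upgrade to 3.7.1 are the ones that warrant a closer look at the database and user accounts.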