WE HAVE MANY SUPPORT OPTIONS

3Get our response in 2 hours or less.

You can also email us at info @ intelliplans .com // Need Remote Support? Windows or Mac

WE'RE AVAILABLE 24/7

Sales: 800.229.0674
24/7 Phone Support: 850.549.2282 | 480.624.2500
Customer Service | Contact Form | Email

Critical vulnerabilities pose a serious threat to Joomla sites

b2ap3 large joomla security alertby Mark Stockley

Joomla, the world’s second most popular web content management system (CMS), has been under sustained attack for several days, thanks to a nasty pair of vulnerabilities disclosed last week.

Security announcements 20161001 (CVE-2016-8870) and 20161002 (CVE-2016-8869) describe how flaws in Joomla’s user registration code could allow an attacker to “register on a site when registration has been disabled” and then “register … with elevated privileges”.

If the significance of those two statements hasn’t entirely sunk in let me make it plain: taken together, the vulnerabilities can be used to unlock any site running Joomla, anywhere on the internet, with little more than a polite request detailing what you’d like to be called and how much power you want.

Continue reading
Rate this blog entry:
1378 Hits
0 Comments

Joomla Security: Big Hits for New Vulnerability

According to US-CERT, Joomla has just released version 3.4.7 of its open-source content management system (CMS) in an effort to lock down two new vulnerabilities, one of which could grant attackers full control of an affected website. As noted by SecurityWeek, the severity of these flaws didn’t go unnoticed: Symantec tracked an average of 16,000 hits per day attempting to exploit the issue. Here’s a rundown of what’s at risk with an unpatched Joomla install.

JOOMLA SECURITY RISKS

For almost a decade, a critical remote command execution vulnerability has existed in Joomla; versions 1.5 through 3.4.5 are affected by CVE-2015-8562. According to Ars Technica, while Joomla security teams patched the vulnerability within two days, the bug was already being exploited in the wild on IP addresses 146.0.72.83, 74.3.170.33 and 194.28.174.106. In addition, any events using either “JDatabaseDriverMysqli” or “O:” in the user agent were likely attack vectors.

So what’s the big risk here? CVE-2015-8562 leverages an issue with poor filtering when Joomla saves browser session values. As detailed by Sucuri, exploiting this flaw and combining it with the result of MySQL meeting a UTF-8 character that isn’t supported by uft8_general_ci — which causes data truncation from a specific value — it’s possible to launch an attack that could fully compromise servers. Cybercriminals then use the servers as malware hosts or sell access to them for a fee on the Dark Web.

Continue reading
Rate this blog entry:
1177 Hits
0 Comments

Vulnerable Joomla Site Owners (Servers) See 16,000 Daily Attacks

Symantec has detected up to 20,000 daily attempts to exploit a recently patched Joomla vulnerability that can be leveraged for remote code execution.

The vulnerability, identified as CVE-2015-8562, was patched in mid-December with the release of Joomla 3.4.6 and hotfixes for versions 1.5 and 2.5. The first attempts to exploit the flaw, which affects installations running Joomla 1.5.0 through 3.4.5, were spotted two days before the developers of the popular content management system (CMS) released patches.

Symantec has been monitoring attack attempts and detected, on average, 16,000 daily hits since the vulnerability was disclosed.

Attackers can leverage the Joomla security hole to compromise servers and use them for hosting malware and other malicious activities. They can also sell access to the targeted servers on the underground market, allowing others to abuse them for distributed denial-of-service (DDoS) attacks. Some of the compromised machines can also host valuable information.

Continue reading
Rate this blog entry:
956 Hits
0 Comments

Joomla! 3.4.7 Version Fixes Security Flaws

Joomla! has released the latest version, 3.4.7, of its free content management system software to address two reported security vulnerabilities.

The new version of Joomla!, which is used to create websites and online applications, strengthened the security of the MySQLi driver to help prevent object injection attacks.

Joomla said its Security Strike team has been following up on the critical security vulnerability patched last week.

“Since the recent update it has become clear that the root cause is a bug in PHP itself,” Joomla! reported on its website. “This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13.”

Joomla! pointed out the only Joomla sites affected by this bug are those that are hosted on vulnerable versions of PHP, and it corrected the flaw because not all hosts keep their PHP installations up to date.

Joomla! 3.4.7 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability and one low level security vulnerabilities. We strongly recommend that you update your sites immediately.

This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.6 release.

WHAT'S IN 3.4.7

Version 3.4.7 is released to address two reported security vulnerabilities and includes security hardening of the MySQLi driver to help prevent object injection attacks.

The Joomla Security Strike team has been following up on the critical security vulnerability patched last week. Since the recent update it has become clear that the root cause is a bug in PHP itself. This was fixed by PHP in September of 2015 with the releases of PHP 5.4.45, 5.5.29, 5.6.13 (Note that this is fixed in all versions of PHP 7 and has been back-ported in some specific Linux LTS versions of PHP 5.3). The only Joomla sites affected by this bug are those which are hosted on vulnerable versions of PHP. We are aware that not all hosts keep their PHP installations up to date so we are making this release to deal with this issue on vulnerable PHP versions.

SECURITY ISSUES FIXED

  • High Priority - Core - Session Hardening (affecting Joomla 1.5 through 3.4.6) More information »
  • Low Priority - Core - SQL Injection (affecting Joomla 3.0.0 through 3.4.6) More information »

Please see the documentation wiki for FAQ’s regarding the 3.4.7 release. It is important to note that due to some session changes you will not be able to edit items until you log out and log back in again. Please note that there has been a backwards compatibility break regarding how session management is handled. If you are using the documented Joomla API you will have no issues. The changes are fully documented in the release documentation.


Sources:

  1. https://www.joomla.org/announcements/release-news/5643-joomla-3-4-7-released.html
  2. https://www.us-cert.gov/ncas/current-activity/2015/12/22/Joomla-Releases-Security-Update-CMS

 

Continue reading
Rate this blog entry:
1042 Hits
0 Comments

WARNING: Websites Running Joomla 1.5 Are at Risk

As of August this year, according to W3techs out of all the websites currently using Joomla, 44.6% of them are still on the unsupported Joomla 1.x series, support for which ended way back in September 2012.

Whilst the Joomla 1.x series was very robust and can still run reliably if well looked after, it's time is nearly up. Technologies are changing and security is being tightened up online, and the Joomla 1.x series is being left behind. So if you're running a Joomla 1.x website, now is the time to upgrade, and here are just a few reasons why;

1. Security

As of September 2012 support for Joomla 1.5 was officially dropped, meaning that no security patches will be released. This can be a big problem if you rely on third party code for any of your websites features, for example Google Maps or online payment gateways, or simply if an extension you are using becomes compromised by new hacking techniques. The longer you run a Joomla 1.x series website there is a growing risk of your website being hacked and your data compromised.

2. Changing server technologies

Like Wordpress and Concrete 5, Joomla is a PHP based CMS, which runs on a Linux based server and runs its databases via MySQL. These technologies are also constantly evolving to keep the nasty hackers away as they find new ways to be naughty and get into places they shouldn't.

Currently, there is no supported version of PHP compatible with Joomla 1.5! (http://php.net/eol.php)

As a result of this, we have noticed hosting companies are forcing their customers to upgrade their PHP versions to at least PHP 5.4 (The latest is 5.5). Joomla 1.5 sites are compatible with PHP versions up to 5.3, and so features of your Joomla 1.5 are almost certain to break if your host decides upgrades your PHP version.

At Channel we have mitigated against this for our customers by running Joomla 1.5 sites on the legacy versions of PHP to ensure your websites continue to run happily, but there will come a point in the very near future where we will be forced to upgrade to newer PHP versions, and those 1.x sites will no longer function.

3. Extensions Support and easiEr upgrades

Most extension developers have dropped their support for 1.5 versions of extensions to build extensions for the current Joomla versions. More than 65% of Joomla extensions are now available for Joomla 2.5, so it is likely that any functionality you had previously will still be available on the newer Joomla versions.

4. Future proofing

Joomla 2.5x has many great features compared to the 1.x series, the most cost effective of which is a more robust and easier upgrade system. Joomla 2.5x has an inbuilt upgrade engine, which give you upgrade notifications and 1 click upgrades. It has also been built with future version upgrades in mind and has been designed to make the jump between Joomla versions much easier than upgrading the 1.x series, saving you time and money in the long run.
But my website is fine, why do I need to upgrade?

This is a common question from our customers and it's logical to think "If it ain't broke don't fix it"!, but unfortunately that sentiment doesn't apply to well in the world of the web.

OTHER COMMON THINGS WE HEAR ARE:

  • We built our site only a few years ago and don't have the budget for upgrading.
  • It sounds like a lot of work, I can't be bothered with it
  • My site has never been hacked, so I don't need to upgrade
  • You're only telling me I need to upgrade because you want more business.

Whilst it is true there is a fair amount of work involved and you may have a perfectly healthy Joomla 1.x series website, it won't stay that way forever. The question to ask is if your website got hacked tomorrow, what would be the loss in revenue/reputation for your business?

If the monetary value of any disruption outweighs the cost of upgrading your site, then it's something you really should invest in. Otherwise, you will end up with a website that you cannot host, or if you do find a host who is willing to take it, it will end up repeatedly getting hacked and live a pretty sad life for the rest of its days!

SO HOW DO I UPGRADE AND WHAT'S INVOLVED?

Every website is different. The work involved depends on how many extensions you have, how many customisations you have done, the amount of content and functionality in your site, amongst other things. We have experience of reliably upgrading 1.x sites and would welcome you to contact us for a free audit of your website to find out the best method for you to upgrade.

FREE AUDIT

To help our customers running 1.x series sites and also in the interest of all of our other customers in regards to security, we are offering a free audit to help you find out what's involved in upgrading your Joomla 1.x series website to the latest Joomla! version.

We don't want to see our long standing members fall by the wayside and eventually have to remove them from our servers when they become untenable security risks, so we could encourage you to get in touch with us asap to plan for your upgrade.

So if you are running a Joomla 1.x series site, please get in touch with one of the team today who will be happy to do your free audit and quote for upgrading your Joomla site today.

Continue reading
Rate this blog entry:
974 Hits
0 Comments
TOP