IP Blog

Part of what has made the internet more of a necessity than a luxury is how accessible it is for people. So accessible that just about anyone can have their own website, which is why there are over one billion existing websites right now-a number that grows as impressively by the second as it has by the year.

So, why are CMS platforms targeted by hackers?

First, because websites on these platforms are so prevalent. Second, because the open-source framework of these systems requires webmaster responsibility and attention to security precautions.

There’s a lot of monetary incentive for hackers to find and exploit vulnerabilities in these systems since these CMS platforms are so widely used by businesses and for e-commerce purposes. That, on top of already existing hacker culture, is incentive enough for digital perpetrators to regularly target open source CMS systems.

by Mark Stockley

Joomla, the world’s second most popular web content management system (CMS), has been under sustained attack for several days, thanks to a nasty pair of vulnerabilities disclosed last week.

Security announcements 20161001 (CVE-2016-8870) and 20161002 (CVE-2016-8869) describe how flaws in Joomla’s user registration code could allow an attacker to “register on a site when registration has been disabled” and then “register … with elevated privileges”.

If the significance of those two statements hasn’t entirely sunk in let me make it plain: taken together, the vulnerabilities can be used to unlock any site running Joomla, anywhere on the internet, with little more than a polite request detailing what you’d like to be called and how much power you want.

[20161002] - Core - Elevated Privileges

• Project: Joomla!
• SubProject: CMS
• Severity: High
• Versions: 3.4.4 through 3.6.3
• Exploit type: Elevated Privileges
• Reported Date: 2016-October-21
• Fixed Date: 2016-October-25
• CVE Number: CVE-2016-8869

Description

Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.

Affected Installs

Joomla! CMS versions 3.4.4 through 3.6.3

Solution

Upgrade to version 3.6.4

Everyone hates security. Security means extra work. Lots of it. You need to monitor security announcements, apply tedious upgrades (even though they may break your site), and review plugins carefully before you install them. No fun.

But what's the alternative? A broken or compromised site. You want your homepage to stay the way you left it, right? Not get defaced by a Mongolian teenager? Then you'll need to learn about security.

Get Security Announcements

The first step to staying secure is staying informed. Any good CMS, and any good extension, will have regular security updates. But they won't do you any good if you don't hear about them. Learn how to find and subscribe to security announcements for every moving part in your website.