For eight years, hackers have been able to exploit this password-stealing flaw in Joomla

Jay Holtslander

via: BitDefender’s blog.

For the last eight years a critical vulnerability has lurked within the code of Joomla CMS which could have allowed malicious hackers to steal every user’s login credentials – including those belonging to administrators.

The serious security hole, which was patched in version 3.8 of Joomla released last week, was disclosed by researchers at German security firm RIPS Tech.

A successful attack can lead to hackers stealing administrator login credentials, and gaining complete control over a website.

Like WordPress, Joomla is one of the world’s most popular content management systems, and is used by millions of websites. As a result, any vulnerability that could lead to administrator passwords being leaked should be considered extremely alarming. What makes the discovery even more shocking, however, is that it has been possible for hackers to exploit the flaw since Joomla version 1.5, released eight years ago.

Also like WordPress, Joomla is open source software, and is regularly reviewed for security holes – and yet no-one found this critical flaw until now. The idea of open source software, being available for anyone to review and check for vulnerabilities, is a great one. But just because anyone can hunt for security holes in 500,000 lines of code doesn’t mean that every bug will be found – or that critical vulnerabilities that could lead to your entire website being compromised will be uncovered in a timely fashion.

Thankfully, in this case, Joomla confirmed and then fixed the vulnerability in a timely fashion after researchers told them about it.

Pretty scary.

https://hotforsecurity.bitdefender.com/blog/for-eight-years-hackers-have-been-able-to-exploit-this-password-stealing-flaw-in-joomla-18997.html