Core Joomla! Vulnerability Patched in Version 3.4.5 Security Release


A few days ago, a critical vulnerability was found in the Joomla! core. It stems from unsanitized input, which makes SQL injection possible. A successful attack can lead to a totally compromised website: stolen login details, hijacked website access, malicious file uploads, etc. It’s a serious threat, without a doubt, and one that applies to all Joomla! 3.2 versions and above.

Server-level protection with custom WAF rules

As always, when facing a vulnerability, we tend to take immediate actions in-house. We wrote custom rules inside our Web Application Firewall (WAF) to prevent potential exploits in our Joomla sites at the server level. We have shared our firewall rules with the Joomla! Security Team, in case they could be of help to other hosts or developers that want to protect their websites.

Auto-updating our Joomla! sites to the new and secure version 3.4.5

No matter how many server-level fences we put up, it’s always best to have the vulnerability patched and all holes closed. That is why today, now that Joomla! has released the official patch for the vulnerability in version 3.4.5, we will update all Joomla! installations that have Auto Updates enabled to the new and secure version.

If you have disabled the Joomla autoupdate feature from your SiteGround cPanel, please make sure you update your Joomla as soon as possible on your own.

Enterprise Cloud Solutions Architect

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a Web security and performance freak I am always hyper focused on solving all kinds of issues and improving our services.

3 Comments

  1. Reply October 22, 2015 / 15:25 Zoran FilipovićSiteGround Team

    I just updated Joomla! to version 3.4.5 for all four of my web sites on SiteGround. I updated Joomla! in the back-end Joomla administrator panel. Just a smooth and fine job! Excellent work!

  2. Reply November 9, 2015 / 19:26 Greg SeymourSiteGround Team

    Too little, too late.
    My web site has been mercilessly hacked multiple times over the last 6 weeks.
    Each time, Siteground's only action was to take my site down until I had cleaned the problems and done my own updating. Standard backup plan is completely inadequate.

    • Reply November 11, 2015 / 05:40 Marina YordanovaSiteGround Team

      Hello Greg, we are sorry that you feel this way. According to our technical team's checks, the vulnerability described in this post isn't related in any way to your website being hacked.

      Please note that the security of a website depends, among other things, on whether the application used is up to date and passwords are secure and changed frequently. Even when we take all necessary precautions on the server end, if the customer uses a password that's easy to guess or the site uses an app version with known vulnerabilities, we cannot prevent it from getting hacked.
      In regard to malware cleanup - it is not part of our regular web hosting services. For the convenience of our customers who don't want to do that themselves or hire a web developer, we offer it as a paid service. We also offer automatic updates for Joomla and WordPress that can be turned on from your cPanel.
