WiredTree Warns Joomla! Users Of Remote Code Execution Vulnerability

WiredTree responds to a remote code execution vulnerability publicized by Ars Technica and has warned users of the popular Joomla! content management system that they should upgrade or patch their installation immediately.

"...we feel that because the vulnerability is widespread and is being actively exploited, it’s important to get the news out to as many Joomla! users as we can."

WiredTree, a provider of managed server hosting, has warned users of the popular Joomla! content management system that they should upgrade or patch their installation immediately. The warning is motivated by a serious remote code execution vulnerability, widely publicized last week in Ars Technica (Dec 14, 2015), that is being actively exploited by malefactors, with a high likelihood of unpatched sites being targeted.

The vulnerability affects all versions of Joomla! prior to version 3.4.6. Users running the recent 3.x branch of Joomla! should upgrade to version 3.4.6. Users of the end-of-life 1.5.x and 2.5.x versions can apply hot-fixes made available by Joomla!’s developers, and should ideally update to actively maintained versions of the CMS as soon as possible.

Joomla!, while not as popular as WordPress, has a large user base, particularly in the enterprise and among large-scale publishers. Joomla! should not be singled out as insecure - such vulnerabilities have been found in all major content management systems over the years - but it is important to make users of Joomla! aware that they must update as soon as possible.

“As a web hosting company, we support a great many clients that use Joomla! because it’s an excellent content management system,” says Zac Cogswell, President of WiredTree, “But we feel that because the vulnerability is widespread and is being actively exploited, it’s important to get the news out to as many Joomla! users as we can — update your website immediately!”

The vulnerability is a result of the way Joomla! handles session data, essentially allowing a malicious user to leverage HTTP user-agent headers to insert arbitrary data into the site’s database. From that point, it’s relatively straightforward to have arbitrary code executed by the content management system.

WiredTree is a provider of fully managed web hosting committed to giving its clients the best and safest web hosting available.

###

About WiredTree

WiredTree specializes in delivering a managed hosting experience that places the client in complete command, covering virtual, hybrid, and dedicated web hosting. As champions of customer care, it’s no wonder that more than 5,000 clients enjoy WiredTree’s free hardware level-ups and a <15 minute average ticket response time. All of this is built on top of only the highest-performing technologies, including LiteSpeed web server, MariaDB, memcached, SSD-driven hardware, and an in-house management system called Grove. To learn more about what WiredTree can do for your site, visit http://www.wiredtree.com.

Contact Author

Zac Cogswell
WiredTree
+1 866-523-8733