Avast, a cybersecurity company,y has warned both Joomla users of a new type of attack, which injects fake jQuery script into the header of the website. This type of script changes one line of code to allow the hacked website to point to a malicious script.
Avast stated that the amount of websites hacked using this method is “abnormally high” and has resulted in about 4.5 million users attacked. Visitors of the websites will not notice the code, unless they are looking at the source code because the script is put before the closing tag.
"Yesterday, Joomla! 3.6.4 was released, patching a critical privilege escalation and arbitrary account creation vulnerability.
As we’ve seen some exploits attempts occurring in the wild, we feel it is a good time to describe what the issue is and how it was fixed.
"
Analyzing the Patch
It was fairly easy to figure out where the vulnerable code was, as pretty much all the patch does (with the exception of fixing an additional two factor authentication bug) is basically remove the register method from the UsersControllerUser class. So that’s where our investigation started.
We removed some original code for improved readability
All in all, what this method does is it takes user input from the user POST parameter (which is intended to be an associative array) and validates whether specific parameters are properly formatted (email address, username, etc.). If it’s all good, it pushes the array to the register method from the UsersModelRegistration class.
The Joomla! development team announced the immediate availability of Joomla! 3.6.4 yesterday. This update was issued to fix two critical security flaws in all versions of Joomla! from 3.4.4 to 3.6.3.
Please note, these security vulnerabilities could lead to your site becoming compromised. So, we advise you to update to the latest version of Joomla! today.
Joomla! 3.6.4 is now available. This is a security release for the 3.x series of Joomla! which addresses two critical security vulnerabilities and a bug fix for two-factor authentication. We strongly recommend that you update your sites immediately.
This release only contains the security fixes and bug fix; no other changes have been made compared to the Joomla! 3.6.3 release.
What's in 3.6.4
Version 3.6.4 is released to address two critical security issues and a bug regarding two-factor authentication.
Security Issues Fixed
High Priority - Core - Account Creation (affecting Joomla! 3.4.4 through 3.6.3) More information »
High Priority - Core - Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3) More information »
The Joomla! Project is pleased to announce the availability of Joomla! CMS 3.6 Beta 2. Community members are asked to download and install the package in order to provide quality assurance for the forthcoming 3.6 release.
Joomla! 3 is the latest major release of the Joomla! CMS, with 3.6 the seventh standard-term support release in this series. Please note that going from 3.5 to 3.6 is a one-click upgrade and is NOT a migration. The same is true is for any subsequent versions in the 3 series of the CMS.
That being said, please do not upgrade any of your production sites to the beta version as beta is ONLY intended for testing and there is no upgrade path from Beta.
This week saw the release of Joomla! 3.5.1 to fix a few bugs that have been reported in the latest version of the popular CMS.
Although you may not feel it is critical to keep your site updated to the latest version of Joomla!, we see new sites every day finding themselves compromised.
Are you avoiding updating your website because of the fear you may have that something may go haywire?
Allow us to take on the frustration and let you feel at ease and continue to do what you do best with your company. We will take the hassle out of your Joomla! update!
We offer installation, maintenance and core support for the following software products
