Attackers used SQL injection flaw to attack Joomla


Within four hours of the release of a patch for a critical vulnerability, malicious actors began exploiting Joomla, a popular open-source content management system.

The SQL injection flaw (CVE-2015-7297, CVE-2015-7857, CVE-2015-7858), found in versions 3.2 through 3.4.4 of Joomla, could potentially grant attackers full administrative access to any vulnerable site. It was discovered by Trustwave researchers and announced in separate blog posts on the Joomla and Trustwave sites.

“CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks,” explained the researchers in a blog post.

Hours after the release of version 3.4.5, web security firm Sucuri reported direct attacks against two of its customers. The attacks tried to extract the current session from any logged-in admin user and were blocked by Sucuri's generic SQL injection signatures.

“What is very scary to think is that neither of these sites were patched at the time,” Sucuri's CTO Daniel Cid said in a blog post Monday. “The disclosure happened on a Thursday afternoon (evening in Europe), when many webmasters were already off for the day.”


Within 24 hours, the firm observed Internet-wide scans probing for the flaw and a number of attacks. Sucuri recorded 12,000 exploitation attempts.

“This data tells us that the average webmaster has less than 24 hours to patch a site after a serious disclosure like this,” says Daniel Cid, Founder and CTO at Sucuri. “That’s for the average site (small to medium size). If you have a popular site, you have a couple of hours only, from disclosure to attack and you have to react fast.”
