CVE-2017-8917 - Easily Exploitable Joomla SQL Flaw

CVE-2017-8917 – Easily Exploitable Joomla SQL Flaw

CVE-2017-8917 is a Joomla vulnerability just disclosed by Sucuri researchers. During regular search audits, the researchers discovered an SQL injection flaw affecting Joomla! 3.7. The flaw is easily exploitable as it doesn’t require a privileged account on the target’s site.

Related Story: WordPress Bug Bounty Program Interested in XSS, RCE, SQL Flaws

More about CVE-2017-8917

The flaw is triggered by a new component identified as com_fields, introduced in version 3.7. Admins that use this version of Joomla are at risk of an exploit and should update immediately. What is worse is that this component is publicly accessible, meaning that the bug can be used by anyone who visits the targeted Joomla site.

Furthermore, there are plenty of ways for such flaws to be exploited by attackers, such as leaking password hashes or hijacking logged-in users’ sessions. The second scenario could lead to a full compromise of the targeted website if an admin session is stolen, Sucuri explains.

The public-facing com_fields component borrows some views from the administrative side component of the same name. While this may sound like an odd thing to do, it serves a very practical purpose – it allows the reuse of generic code that was written for the other side, instead of writing it from scratch again.

Joomla Admins Should Upgrade Immediately

Since Joomla is one of the most popular open source CMS (content management system) this vulnerability should not be under-minded. One of the reasons to pay close attention to this flaw if you are a Joomla admin is that attackers often take advantage of how slowly administrators upgrade. The more time it takes for an admin to react, the better chance there is for a successful attack.

This is a serious vulnerability that can be misused in different ways to compromise a vulnerable site. Update now,” Sucuri advises.

Both Joomla and WordPress sites often fall victims to attacks. In 2016, such sites were deployed in the distribution of a unique and smartly crafted attack.

Related Story: Vulnerable WordPress Plugin Could Cause Severe Attacks

Milena Dimitrova

An inspired writer, focused on user privacy and malicious software. Enjoys 'Mr. Robot' and fears '1984'.

More Posts - Website

Leave a Comment

Your email address will not be published. Required fields are marked *

Time limit is exhausted. Please reload CAPTCHA.

Share on Facebook Share
Loading...
Share on Twitter Tweet
Loading...
Share on Google Plus Share
Loading...
Share on Linkedin Share
Loading...
Share on Digg Share
Share on Reddit Share
Loading...
Share on Stumbleupon Share
Loading...
Please wait...

Subscribe to our newsletter

Want to be notified when our article is published? Enter your email address and name below to be the first to know.