Meet Ihsan Sencan, a security researcher from Turkey who found more than 15+ SQL Injection Vulnerabilities in various Joomla Components in just one day and all related exploits have been published to various portals like Exploit-db.com, packetstormsecurity.org, cxsecurity.com and 0day.today etc.
He also found more than 50+ SQL Injection Vulnerabilities in other Joomla Components/Modules in the month of January and February 2018. Besides this, Ihsan published more than 700+ web application exploits on Exploit-Db.com portal in just one year.
Tip: An exploit, is a piece of code or a process that takes advantage of the vulnerability to bypass certain restrictions.
Getting into your system would involve exploiting whatever services/components/plugins/modules exposed to the world. While WordPress/Joomla and other content management systems are gaining popularity, exploiting their web application or whatever insecure components it runs, is a tried and true attack vector.
Here is the list of latest reported Joomla Components which are vulnerable to SQL Injection –
- Joomla! Component Timetable Schedule 3.6.8
- Joomla! Component Article Factory Manager 4.3.9
- Joomla! Component AlphaIndex Dictionaries 1.0
- Joomla! Component Reverse Auction Factory 4.3.8
- Joomla! Component Collection Factory 4.1.9
- Joomla! Component Swap Factory 2.2.1
- Joomla! Component Social Factory 3.8.3
- Joomla! Component Jobs Factory 2.0.4
- Joomla! Component Questions 1.4.3
- Joomla! Component Penny Auction Factory 2.0.4
- Joomla! Component Music Collection 3.0.3
- Joomla! Component Raffle Factory 3.5.2
- Joomla! Component Dutch Auction Factory 2.0.2
- Joomla! Component Auction Factory 4.5.5
- Joomla! Component Micro Deal Factory 2.4.0
- Joomla! Component AMGallery 1.2.3
Still a threat? Of course! It’s one of the most exploited vulnerabilities out there! Just take a look on the SQL Injection Vulnerability Exploitation and see for yourself that how you can dump the whole database and its tables.
We don’t think SQL Injection will ever become extinct. It arises from the fact that humans are writing programs, and humans are not perfect. And as long as we write code, with the deadline arriving at the horizon, we commit mistakes, and let open the door for SQL Injection.
As we already said, developers make mistakes, due to deadlines, or sometimes even lack of the knowledge. Therefore, the software should be tested from the security perspective during the development, before production stage, and even after production. Although there are many frameworks for different programming languages which has mechanism to prevent SQL injection attacks (ex: Microsoft’s Entity Framework), SQL injection is still a thing.
You can check out recently found SQL Injection vulnerabilities on Exploit DB if you search with the keyword ‘sql injection‘. In the list, you can find out that, even the popular and widely used frameworks and applications have SQL injection vulnerabilities.
At the end, escaping of input must be done in order to protect your queries form SQL Injection. Parametrized query libraries like PDO and ADODB use escaping, all they do is enforce this practice in a way that is implicitly secure. By constrast magic_quotes_gpc does NOT, this is fundamentally flawed approach to the problem.
Finally we just want to say one thing that It’s all about patience and methodologies. Hacking is not only about vulnerabilities and exploits. It sure does play a big part of the game though.
Google also released a very nice tool named “Skipfish” that scans your application for common security holes / attack patterns.
To familiarize yourself with common web security mitigation, you may also wish to explore this link.
For updates: We suggest doing a backup first with akeeba backup and then transferring the site to a test server. There you can do the upgrade/update of all the extensions/modules are working as expected. If all is fine, then upgrade the production site.
What If Your Joomla Website Hacked ?
The first step may be investigating where is the code is injected, which may help you to identify what the root clause is –
- If your web site get contents from database and the injected tag is retrieved as part of database content, probably your site has SQL injection flaw or other vulnerabilities that allow attackers to change the content there.
- If the tag in every PHP files, it means the attacker has access to your file system. Either he has access to your FTP or telnet or any other admin consoles, or your web site has vulnerabilities that allow attackers to modify/create files on the web site.
It may also be possible for your server to have vulnerabilities that allow such access from the attackers.
After you identified the root cause, fix it accordingly.
Here are some generic advises to help preventing the same from happening again:
- Review your web sites and server for vulnerabilities, either through code review, pen test or some automatic scans and fix them accordingly.
- Install update, hotfixes, security patches promptly. Keep it updated, updated, updated, updated…
- Assign proper folder permissions (read-write, read-only, no access) on the file systems and grant only necessary rights to users (min-privilege principle).
- Configuration files usually don’t require to be writable by the web server user. Normally they are writable by administrator only.
- Be cautious when using 3rd-party components (e.g. WordPress/Joomla plugins). Only use if you trust the publisher. Download only from main site. Remember to keep them up-to-dated too. Disable and remove them if necessary
- Restrict access to administrative consoles and services like FTP, Telnet, database administration consoles (e.g. phpMyAdmin) and etc. Assign good passwords for them. Best is don’t let anyone except authorized to access it (e.g. using IP restrictions set in Firewall or configurations, or hide it behind VPN)
- Database port should really be avoided to be accessible from Internet. There is only rare scenario that you will need this. Configure it to listen on the loop-back interface in most case…