Serious Joomla Vulnerability found but we've got you Covered!


It is mid-summer now, but security issues take no vacation. Actually, they find the most inappropriate time to appear and make our lives more interesting, to say the least. On Thursday, 25 July the Joomla! Project announced the availability of Joomla 3.1.4/2.5.13, and many users upgraded their websites because the new releases provide tons of useful new features and bug fixes. One would think: job well done, it is time to hit the beach! But… On Thursday, 01 August, the Joomla! Project surprisingly announced the immediate availability of Joomla! 3.1.5/2.5.14. Apparently not much time to sip exotic summer cocktails was allowed. The reason for this extremely short period between the two versions was that a critical-level security issue was discovered just after the previous release, and it had the potential to affect all Joomla! CMS versions. Yes, that’s correct – we are talking about all the Joomla! sites out there. All versions are affected – 1.5, 1.6, 1.7, 2.5 and 3. Sounds scary, right? Not if you’re hosted on SiteGround servers!

Vulnerability Explained

The vulnerability allows Joomla websites to be hacked through the Media Manager. To exploit it, an attacker first needs a Joomla site that grants its registered users access to the Media Manager. They then register an account and use the vulnerability to upload a malicious shell script to the site through the Media Manager. After that the attacker can do pretty much anything: edit your files, access your database, delete information, and so on.

How did we resolve the issue for all of our clients?

Step 1: We applied a server level solution

As soon as the vulnerability was announced, our security team started to develop a server-level patch. This is our standard practice when there is an issue that can affect a large number of installations. The idea is to create a layer of protection for all Joomla websites hosted by SiteGround, regardless of their current version. We carefully analyzed the vulnerability, the exploit and the payload, and came up with an ingenious solution that blocks the upload of malicious files through the Media Manager at the server level.
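The post does not publish the server-level rule itself, so the block below is an added example in Python, not SiteGround's patch and not Joomla's own code. It shows the two defensive pieces a site owner would want around a Media Manager style upload path: a deny-by-default name filter that only stores files of the form stem.extension with an allow-listed extension, and a scan that applies the same rule to an existing media directory so files that should never have been stored there can be found and reviewed. The allow-list, the permitted stem pattern and the sample directory tree (built under a temporary directory) are assumptions constructed for this example.

```python
"""Allow-list validation for Media Manager style uploads plus a scan of an
existing media directory for files that would not have passed it.

Added example; not SiteGround's server-level patch and not Joomla's own code.
"""
import os
import re
import tempfile
from pathlib import Path

# Assumption: the set of file types a typical Joomla media library needs.
# Joomla's real default list differs; tighten this to what your site uses.
ALLOWED_MEDIA_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "bmp", "ico", "pdf", "txt"}

# Assumption: characters permitted in the stem of a stored file name.
SAFE_STEM = re.compile(r"[a-z0-9_-]+")


def normalize_filename(name: str) -> str:
    """Reduce an upload name to a bare, lower-cased base name.

    Directory components are dropped and trailing dots or spaces are
    stripped so that the extension check sees the name the filesystem
    will actually store.
    """
    base = os.path.basename(name.replace("\\", "/"))
    return base.strip().rstrip(". ").lower()


def is_safe_media_upload(name: str) -> bool:
    """Return True only for names of the form <stem>.<allowed extension>.

    Anything else is refused: hidden files, names with no extension, names
    with more than one extension, odd characters in the stem, and any
    extension outside the allow-list. Deny-by-default is what keeps a
    server-side script from ever being written into the media tree.
    """
    clean = normalize_filename(name)
    if not clean or clean.startswith("."):
        return False
    parts = clean.split(".")
    if len(parts) != 2:
        return False
    stem, ext = parts
    if not SAFE_STEM.fullmatch(stem):
        return False
    return ext in ALLOWED_MEDIA_EXTENSIONS


def find_suspicious_files(media_root) -> list[str]:
    """Walk a media directory and list files that fail is_safe_media_upload.

    Useful as a post-incident check on a site that ran an affected version:
    every hit is a file the Media Manager should never have stored.
    Paths are returned relative to media_root, sorted.
    """
    root = Path(media_root)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and not is_safe_media_upload(path.name):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_demo_tree() -> Path:
    """Create a constructed stand-in for a Joomla images/ directory.

    Two legitimate assets plus two files that should never be there. The
    contents are inert placeholders, not real scripts.
    """
    tmp = Path(tempfile.mkdtemp(prefix="joomla_images_"))
    (tmp / "banners").mkdir()
    (tmp / "banners" / "logo.png").write_bytes(b"\x89PNG\r\n\x1a\n")
    (tmp / "brochure.pdf").write_bytes(b"%PDF-1.4\n")
    (tmp / "stories").mkdir()
    (tmp / "stories" / "update.php").write_text("placeholder, not a script\n")
    (tmp / "stories" / ".htaccess").write_text("placeholder\n")
    return tmp


if __name__ == "__main__":
    for candidate in ("photo.JPG", "brochure.pdf", "update.php", "report.pdf.php"):
        verdict = "accept" if is_safe_media_upload(candidate) else "reject"
        print(f"{candidate:16} -> {verdict}")
    demo = build_demo_tree()
    print("needs review:", find_suspicious_files(demo))
```

The filter validates the name that will actually be stored, after dropping any directory part and trailing dots or spaces, and it never consults a deny-list: a file type is accepted only because it is explicitly allowed. Run the module directly to see the verdicts for a few constructed names and the two files the scan flags in the sample tree; on a real site, point `find_suspicious_files` at the media directory and review every hit.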

Step 2: Upgrading Joomla 2.5 and 3

Our Joomla! Auto Update system upgraded the 2.5.x/3.x applications on our servers to the new versions 2.5.14 and 3.1.5. These were released very promptly by the Joomla! project and are no longer vulnerable. Once again, the Auto Update system we have developed secured our customers’ websites without any effort on their side.

Step 3: Patching Joomla 1.5

As Joomla 1.5 is no longer officially supported, there was no upgrade available for it. However, the Joomla team has released a security patch that has to be applied manually, so we went the extra mile and manually patched all the old Joomla 1.5 installations hosted on our servers ourselves.

What to do if you’re not hosted by SiteGround?

The official solution for Joomla! 2.5.x and 3.x sites is to upgrade your application to the latest stable releases – 2.5.14 and 3.1.5. Joomla! 1.5.x users should download this Joomla patch, extract the .zip file and manually upload the enclosed files into place.

All in all, if you’re a SiteGround customer you can sit back and enjoy your summer vacation, we’ve got you covered! Otherwise, you will have to put down your cocktail and patch your Joomla! site before it is too late. Of course, you can always transfer to us.

Daniel Kanchev

Enterprise Cloud Solutions Architect

My challenging job is closely related to all kinds of Free and Open-Source Software products (some of my favorites are WordPress, Joomla!, Magento, Varnish and Apache mod_security). As a Web security and performance freak I am always hyper-focused on solving all kinds of issues and improving our services.

Comments (10)


TB

Aug 05, 2013

Thanks Siteground for being proactive with this - much appreciated. T.


Matt

Aug 06, 2013

It's great to see you being proactive about security. However, it needs to be clarified that no one should be using versions 1.6 or 1.7. Those versions are STS releases and are no longer supported and insecure.


Richard

Aug 06, 2013

That's great to hear. I like the fact a problem is fixed before I know about it, one less thing to stress about. So, how to make Siteground better still? How about the same 'response' to Opencart? Wow, automated bug fixing for my two favourite programmes, that's two things fewer to stress about :)


Kevin

Aug 06, 2013

Thanks SG! Wasn't even aware there was a vulnerability. You guys rock!


Jennifer

Aug 06, 2013

Thanks for staying on top of it. I have Joomla 3 but I have disabled the auto update because of my template compatibility. Do I need to change anything? Thanks!


Daniel Kanchev Siteground Team

Aug 07, 2013

Hi Jennifer, I checked your Joomla! CMS site and I can confirm that it is not vulnerable - our server level protection rule got you covered. However, you should really upgrade your site to the latest stable Joomla! release (3.1.5) because it also offers many new features. If you have any questions regarding the upgrade you can send me an email to daniel.k@siteground.com. I will be glad to assist you and check your template.


Moe

Aug 14, 2013

Makes you feel lucky to have such a great hosting provider!


akin

Aug 14, 2013

Siteground is the best ISP in the world! I can actually sleep happily and rest assured my clients' websites are up 24/7. Thank you.


Ceeland Gregory

Aug 27, 2013

Hi, I am using Joomla 1.5.26. Could you tell me how to upgrade to the latest version 3.15? Thank you


Hristo Siteground Team

Aug 27, 2013

Hi, it's more a migration than an upgrade. Check out our tutorials on how to upgrade Joomla 1.5.x to Joomla 2.5 and then how to upgrade from 2.5 to 3 for detailed instructions :)
