Remote PHP code execution in Joomla!

1) Remote PHP code execution

EUVDB-ID: #VU157

Risk: Critical

CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]

CVE-ID: CVE-2015-8562

CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')

Exploit availability: Yes

Description

The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.

The vulnerability exists due to insufficient filtration of HTTP User-Agent header and filter-search HTTP POST parameter before storing them into database. A remote unauthenticated attacker can permanently inject and execute arbitrary PHP code on the target system with privileges of the web server.

Successful exploitation of this vulnerability will allow a remote attacker to gain complete control over the vulnerable web application and execute arbitrary PHP code on the target system.

Note: this is a zero-day vulnerability and it is being exploited in the wild.

Mitigation

Update your Joomla! installation to version 3.4.6.

Vulnerable software versions

Joomla!: 1.5 - 3.4.5

CPE2.3

• cpe:2.3:a:joomla:joomla:1.5.26:*:*:*:*:*:*:*
• cpe:2.3:a:joomla:joomla:1.6.6:*:*:*:*:*:*:*
• cpe:2.3:a:joomla:joomla:1.7.2:*:*:*:*:*:*:*
• cpe:2.3:a:joomla:joomla:2.5.28:*:*:*:*:*:*:*
• cpe:2.3:a:joomla:joomla:3.0.3:*:*:*:*:*:*:*
• cpe:2.3:a:joomla:joomla:3.1.4:*:*:*:*:*:*:*
• cpe:2.3:a:joomla:joomla:3.2.4:*:*:*:*:*:*:*
• cpe:2.3:a:joomla:joomla:3.3.4:*:*:*:*:*:*:*
• cpe:2.3:a:joomla:joomla:3.4.5:*:*:*:*:*:*:*

External links

https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.h...
https://www.cybersecurity-help.cz/blog/30.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

Yes. This vulnerability is being exploited in the wild.