You are here

Home › Joomla Remote Code Execution Vulnerability

Joomla Remote Code Execution Vulnerability

Submitted on 16. December 2015 - 17:40 by rischi.
Last update on 16. December 2015 - 17:59.
IDs: 
CVE-2015-8562
Keywords: 
joomla, php, user-agent
Description: 

Joomla version 1.5.0 through 3.4.5 is affected by a remote PHP code execution vulnerability [1]. The vulnerability occurs because Joomla stores the HTTP user agent header value in the database without input validation or proper escaping. This allows an attacker to inject PHP code into the database which can be executed later.

Public available exploits are blocked by Airlock WAF because of characters outside the printable ASCII range in the attack payload (Deny Rule SAN_030b). It may be possible to exploit the vulnerability without such special characters. See resolution if you are running an affected Joomla on a back-end system.

Resolution: 

We recommend to update Joomla immediately to version 3.4.6. If this is not possible, a virtual patch can be implemented on Airlock WAF to prevent exploitation of the vulnerability. To do this create the following Deny Rule and enable the rule on all affected mappings.

Header name pattern:

User-Agent

Case-sensitive = OFF, Invert = OFF
Header value pattern:

}

Case-sensitive = ON, Invert = OFF
Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration
Reference: 
[1] Joomla! Developer Network - [20151201] - Core - Remote Code Execution Vulnerability
© Ergon Informatik AG