Joomla version 1.5.0 through 3.4.5 is affected by a remote PHP code execution vulnerability [1]. The vulnerability occurs because Joomla stores the HTTP user agent header value in the database without input validation or proper escaping. This allows an attacker to inject PHP code into the database which can be executed later.
Public available exploits are blocked by Airlock WAF because of characters outside the printable ASCII range in the attack payload (Deny Rule SAN_030b). It may be possible to exploit the vulnerability without such special characters. See resolution if you are running an affected Joomla on a back-end system.
We recommend to update Joomla immediately to version 3.4.6. If this is not possible, a virtual patch can be implemented on Airlock WAF to prevent exploitation of the vulnerability. To do this create the following Deny Rule and enable the rule on all affected mappings.
Header name pattern:
User-Agent
}