The vulnerability was used to compromise vulnerable websites 16000 (sometimes 20000) times per day.
Vulnerability details
Advisory: SB2015121401 - Remote PHP code execution in Joomla!
Vulnerable component: Joomla!
CVE-ID: CVE-2015-8562
CVSSv3 score: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C
CWE-ID: CWE-94 - Improper Control of Generation of Code ('Code Injection')
Description:
The vulnerability allows a remote attacker to execute arbitrary PHP code on the target system.
The vulnerability exists due to insufficient filtering of the HTTP User-Agent header and the filter-search HTTP POST parameter before they are stored in the database. A remote unauthenticated attacker can permanently inject and execute arbitrary PHP code on the target system with the privileges of the web server.
Successful exploitation of this vulnerability will allow a remote attacker to gain complete control over the vulnerable web application and execute arbitrary PHP code on the target system.
Note: this is a zero-day vulnerability and it is being exploited in the wild.
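A log check for the User-Agent vector described above, as an added example that is not part of the original advisory or of Joomla! itself: it flags requests whose User-Agent carries a PHP serialized object, which no browser sends. The combined access-log format, the regular expressions and the sample lines are assumptions constructed for illustration.

```python
import re

# Assumption: Apache/nginx "combined" log format, which records the User-Agent last.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>(?:[^"\\]|\\.)*)" '
    r'(?P<status>\d{3}) \S+ "(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# Heuristic (assumption): a PHP serialized object starts O:<len>:"<Class>":<n>:{
# (or C: for Serializable classes). Browsers never send this in a User-Agent.
PHP_OBJECT = re.compile(r'[OC]:\d+:"(?P<cls>[A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')


def scan(lines):
    """Return (hits, unparsed): hits are dicts for requests whose User-Agent
    carries a serialized PHP object; unparsed counts lines we could not read."""
    hits, unparsed = [], 0
    for line in lines:
        m = COMBINED.match(line)
        if not m:
            unparsed += 1
            continue
        # Apache writes a literal quote inside a logged header as \"
        ua = m.group("ua").replace('\\"', '"')
        obj = PHP_OBJECT.search(ua)
        if obj:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "request": m.group("req"), "class": obj.group("cls")})
    return hits, unparsed


# Constructed sample lines (documentation IP ranges, harmless stdClass marker).
SAMPLE_LOG = [
    '192.0.2.10 - - [14/Dec/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0"',
    '203.0.113.7 - - [14/Dec/2015:10:01:05 +0000] "GET / HTTP/1.1" 200 5120 "-" '
    '"probe O:8:\\"stdClass\\":0:{}"',
    'truncated line without the expected fields',
]

if __name__ == "__main__":
    found, skipped = scan(SAMPLE_LOG)
    for hit in found:
        print(hit)
    print("unparsed lines:", skipped)
```

A hit only shows that such a request was received; the default combined format does not record POST bodies or the X-Forwarded-For header, so those inputs need separate logging to be covered.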
Public Exploits:
- Joomla! 1.5 < 3.4.5 - Object Injection 'x-forwarded-for' Header Remote Code Execution [Exploit-DB]
- Joomla! 1.5 < 3.4.5 - Object Injection Remote Command Execution [Exploit-DB]
External links:
https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.h...
https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-0-Day-Exploited-In-the-Wild-(CVE-2015-856...
https://www.masergy.com/blog/joomla-remote-code-execution-vulnerability-cve-2015-8562
http://securityaffairs.co/wordpress/43108/cyber-crime/cve-2015-8562-joomla-flaw.html
https://www.liquidweb.com/kb/protecting-joomla-sites-against-cve-2015-8562/
https://security.berkeley.edu/news/joomla-core-150-345-remote-code-execution-cve-2015-8562
http://www.webhostingtalk.com/showthread.php?t=1536679
http://jaitsec.blogspot.com/2015/12/testing-joomla-for-cve-2015-8562.html
http://www.securityweek.com/vulnerable-joomla-servers-see-16000-daily-attacks
http://blogs.quickheal.com/joomla-exploit-cve-2015-8562-still-at-large/
http://news.softpedia.com/news/latest-joomla-vulnerability-targeted-by-attackers-16-600-times-per-da...