If you run a site powered by the Joomla content management system and have not yet applied the critical update released for this software within the last two weeks, please take the time to do so: a trivial exploit could allow your users to inject malicious content into your site and turn it into a phishing or malware trap for visitors.
The patch released on July 31, 2013 applies to Joomla 2.5.13 and earlier 2.5.x versions, and to Joomla 3.1.4 and earlier 3.x versions. Joomla credits the discovery of the bug to web security firm Versafe, which said a simple exploit targeting the vulnerability is already in use. Joomla versions 2.5.14 and 3.1.5 fix a serious bug that allowed non-privileged users to upload arbitrary .PHP files simply by adding a "." (period) to the end of the PHP filename.
In the 2.5.x and 3.x versions of Joomla, anyone with access to the Media Manager could upload and run arbitrary code simply by adding a period to the end of the filename they want to run. The unsupported 1.5.x versions of Joomla are affected as well, and a quick Google search shows that tens of thousands of these 1.5.x sites are still online, not even covered by the update.
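The weakness described above is a filename filter that inspects only the text after the last dot, so a trailing period leaves it with an empty extension to check. The following is an added example written for this page, not Joomla's own code: a weak denylist check of that general kind beside a hardened allowlist check that normalizes the name first and examines every extension segment. The extension sets and the `SAFE_NAME` pattern are illustrative assumptions, not Joomla's actual lists.

```python
import re

# Illustrative denylist of extensions a typical PHP host executes as code
# (assumed set for this example, not Joomla's own list).
EXECUTABLE_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar"}

# Illustrative allowlist of what a media manager legitimately accepts.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Conservative shape for a stored upload name: a base name, then one or
# more dotted extensions. Leading-dot names such as ".htaccess" are rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$")


def denylist_check(filename: str) -> bool:
    """Weak filter: accept unless the text after the LAST dot is executable.

    A name ending in a period yields an empty extension, which is not in the
    denylist, so the file is accepted. The web server or filesystem may then
    drop the trailing dot and treat the file as PHP anyway.
    """
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in EXECUTABLE_EXTENSIONS


def normalize_filename(filename: str) -> str:
    """Reduce an uploaded name to the form it will actually be stored under.

    Strips any path components and the trailing dots and spaces that many
    filesystems and web servers silently ignore.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    return name.strip().rstrip(". ")


def hardened_check(filename: str) -> bool:
    """Allowlist filter on the normalized name, checking every extension segment.

    Rejects "shell.php." (normalizes to shell.php) and double extensions
    such as "shell.php.jpg", and accepts only names whose every dotted
    segment after the base name is on the allowlist.
    """
    name = normalize_filename(filename)
    if not SAFE_NAME.fullmatch(name):
        return False
    segments = name.lower().split(".")
    return all(seg in ALLOWED_EXTENSIONS for seg in segments[1:])


if __name__ == "__main__":
    # Constructed sample names for a side-by-side comparison of the two checks.
    samples = ["photo.jpg", "photo.jpg.", "shell.php", "shell.php.", "shell.php.jpg"]
    for s in samples:
        print(f"{s!r:18} denylist={denylist_check(s)!s:5} hardened={hardened_check(s)}")
```

The important design choice is that the hardened check stores and validates the same normalized name, so what the filter reasons about is exactly what lands on disk; a check that validates the raw name while the filesystem stores something else is how the trailing-period trick gets through.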
According to Versafe CEO and co-founder Eyal Gruner, 57% of the thousands of phishing and malware attacks against the company's 30+ EMEA financial clients in the first half of 2013 were hosted on Joomla-based websites.
"In recent months, we have seen significant exploits that allow fraudsters to use sites to host drive-by and phishing attacks," said Gruner. He noted that the company discovered over 100 websites that were believed to have been hacked with this exploit. All of these websites hosted malicious JavaScript components used by banking Trojans to automate online account fraud. Gruner said his company notified Joomla of the exploit in early June.
A simple attack like this against such a widely deployed content management system can be a powerful weapon for fraudsters who specialize in building website botnets. Earlier this month, security company Arbor Networks reported on hacked Joomla and WordPress sites. Earlier this year, website security company Incapsula claimed to have tracked over 90,000 WordPress-powered websites that had been backdoored with malicious code.