Joomla SQL-Injection Flaw Affects Millions of Websites (trustwave.com)
An anonymous reader writes: Joomla has just issued a patch that fixes a SQL-injection vulnerability discovered by a researcher at Trustwave SpiderLabs. The flaw allowed malicious users to extract a browser cookie assigned to a site's administrator, giving them access to restricted parts of the server. The flaw first appeared in Joomla 3.2, released in November, 2013. An estimated 2.8 million websites rely on Joomla. The Joomla team and the researcher who found the flaw recommend an immediate update to version 3.4.5.
Preventing SQL injection attacks is trivially easy with very modest understanding of what you're doing.
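The point above, as an added example that is not part of this thread or of Joomla's code: the vulnerable string-concatenation form beside the parameterized form, using Python's built-in sqlite3 module rather than PHP so that it runs stand-alone with an in-memory database. The table, its rows and the hostile input are constructed for the demonstration; the same pattern applies to PDO or mysqli prepared statements in PHP.

```python
import sqlite3

# Constructed sample data: a tiny in-memory table standing in for a CMS user table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("admin", "administrator"), ("alice", "editor"), ("bob", "author")],
    )
    return conn


def find_user_vulnerable(conn, username):
    """Builds the query by concatenation: user input becomes part of the SQL text."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username):
    """Parameterized query: the input is bound as a value and cannot change the statement."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


# Caveat: bind parameters cover values only. Identifiers such as column names in
# ORDER BY cannot be bound, so they must be checked against a fixed allow-list.
ALLOWED_SORT_COLUMNS = {"id", "username", "role"}


def list_users_sorted(conn, sort_column):
    """Interpolates an identifier only after validating it against the allow-list."""
    if sort_column not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unsupported sort column")
    return conn.execute(f"SELECT username FROM users ORDER BY {sort_column}").fetchall()


def demo():
    """Runs both lookups with a benign and a constructed hostile input for comparison."""
    conn = make_db()
    benign = "alice"
    # Constructed hostile input: closes the quoted string and appends an always-true clause.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_benign": find_user_vulnerable(conn, benign),   # one row
        "vulnerable_hostile": find_user_vulnerable(conn, hostile),  # every row leaks
        "safe_benign": find_user_safe(conn, benign),               # one row
        "safe_hostile": find_user_safe(conn, hostile),             # no rows: literal match only
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The detection side follows directly: a lookup that should return at most one row returning the whole table is the behavioural signature, and the fix is never escaping by hand but binding every value and allow-listing every identifier.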
Suggesting that they ditch one technology for another as a cure-all makes you part of the problem. Rather than try to understand what is going on, you'd rather have a language and/or framework handed to you that promises to solve everything. It is this mindset that results in pants-on-head stupid bugs reaching production.
It's not easier.
But objectively speaking, bad coders write bad code no matter what kind of database or programming language you give them. They mess up
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
You do know the reason why PHP CMSes like Wordpress are ridiculously popular is that it is dead easy to find a host that already runs PHP and MySQL, right? Most of those installs aren't owned by developers. They're owned by regular people.
Non impediti ratione cogitationus.
Joomla is not a company. The people developing it are volunteers.
Well said. And it only takes one mistake by one person to introduce a vulnerability. In hundreds of thousands of lines of code.
PHP has nothing to do with it. PHP is just as secure / insecure as any other language. It's the fact that PHP is easy to learn, easy to use and easy to deploy that attracts many people, including noobs. It's the noobs that cause the problems.
To prove that PHP can be used to create a rock solid and secure website, take a look at the Banshee PHP Content Management Framework. I dare you to try it. You will be surprised by its security, flexibility, easiness and speed.
It doesn't have to be like this. All we need to do is make sure we keep talking.