Attackers Can Hijack Joomla Sites Via User-Agent Strings

An anonymous reader writes: Joomla just issued a emergency security patch after Sucuri observed a large number of attacks on Joomla sites using malicious user-agent strings. Attackers were adding malicious code to custom-made user-agent strings, which were not sanitized and stored in the database. These allowed attackers to trigger remote code on the site and grant them a backdoor into targeted websites. Even if Joomla doesn't care about older versions, the bug was so critical that it issued security patches even for EOL versions going back to 1.5.x.