Slashdot Mirror


Attackers Can Hijack Joomla Sites Via User-Agent Strings (softpedia.com)

An anonymous reader writes: Joomla just issued an emergency security patch after Sucuri observed a large number of attacks on Joomla sites using malicious user-agent strings. Attackers were adding malicious code to custom-made user-agent strings, which were not sanitized and stored in the database. These allowed attackers to trigger remote code on the site and grant them a backdoor into targeted websites. Even if Joomla doesn't care about older versions, the bug was so critical that it issued security patches even for EOL versions going back to 1.5.x.

7 of 66 comments

  1. I've been wondering which product was the target.. by QuietLagoon · · Score: 2

    I've been seeing really strange agent strings for a few weeks in my web server log files. I was wondering what the target was.

  2. It's 2015 already, sanitize your damn inputs! by Anonymous Coward · · Score: 4, Insightful

    It's been 15 years since the explosive growth of the Internet started, dammit. Any "programmer" in this day and age who doesn't sanitize inputs for absolutely every parameter from a service facing the internet should be barred from using a compiler permanently.

  3. WHY?!? by Aethedor · · Score: 4, Insightful

    Seriously, how can this still be possible?? Don't developers ever learn? Use / develop a secure database driver and let ALL your database queries go through that driver. And when I say ALL, I actually mean ALL!!! We've had SQL injections 20 years ago. There is no excuse to have your application vulnerable to this ancient shit! Really.

    I know that my rant tells nothing new, but as a security professional, this shit is really starting to annoy me. I see this shit every week. And because of developers not being able to write secure code, companies get hacked, personal information gets stolen, governments act tough and come up with all sorts of security theater bullshit which results in my privacy getting invaded. So, yes, incompetent developers fucking their shit affects me personally! I really hate incompetent developers...

    --
    It doesn't have to be like this. All we need to do is make sure we keep talking.
    1. Re:WHY?!? by DarkTempes · · Score: 2

      Except I don't think this is actually an SQL injection and so you could have the most secure database driver with prepared statements and all of that jazz and it probably wouldn't matter.

      It looks like (the details I've read are pretty slim) it's actually a PHP object injection. Apparently, this has happened to Joomla before.

      Basically it sounds like the user-agent string is stored in the database correctly (but unverified and/or unsanitized) and then other code is pulling it from the database and trusting that it is a safe string when it's not. It's actually a string of a serialized PHP object. But they trust their database so they unserialize it and Bad Things(TM).
      I could have that wrong, I haven't coded PHP in almost a decade.
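The pattern DarkTempes describes, as an added illustration that is not Joomla's code or anything from the thread: a string that was stored verbatim is later handed to unserialize(), and any class hook in it runs. CacheEntry is a hypothetical application class whose __wakeup() only records that it fired; the stored value, the function names and the log array are constructed for the example.

```php
<?php
declare(strict_types=1);

// Hypothetical application class standing in for whatever "gadget" class a
// real codebase happens to have loaded. Its hook only records that it ran.
$wakeupLog = [];

class CacheEntry
{
    public $label = 'none';

    public function __wakeup(): void
    {
        // Fires automatically whenever unserialize() rebuilds this class.
        global $wakeupLog;
        $wakeupLog[] = "CacheEntry::__wakeup ran, label={$this->label}";
    }
}

// Constructed value standing in for a stored User-Agent column: it is not a
// browser identifier but a serialized CacheEntry.
$storedUserAgent = 'O:10:"CacheEntry":1:{s:5:"label";s:4:"demo";}';

// Vulnerable pattern: the column is trusted because "it came from our DB".
// Whatever class name the string carries gets instantiated and its hooks run.
function readStoredValueUnsafe(string $blob)
{
    return unserialize($blob);
}

// Mitigation 1 (PHP 7.0+): forbid object instantiation entirely. Anything
// that was an object comes back as __PHP_Incomplete_Class, and neither
// __wakeup() nor __destruct() runs on it.
function readStoredValueSafer(string $blob)
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Mitigation 2: don't use the PHP serializer at all for data that crossed a
// trust boundary; JSON has no class hooks that decoding could trigger.
function readStoredValueJson(string $blob)
{
    return json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
}

// Demonstration with the constructed column value.
$obj = readStoredValueUnsafe($storedUserAgent);
printf("unsafe: got %s, wakeup log has %d entries\n", get_class($obj), count($wakeupLog));

$wakeupLog = [];
$obj = readStoredValueSafer($storedUserAgent);
printf("safer:  got %s, wakeup log has %d entries\n", get_class($obj), count($wakeupLog));

try {
    readStoredValueJson($storedUserAgent);
} catch (JsonException $e) {
    echo "json:   rejected the serialized blob (" . $e->getMessage() . ")\n";
}
```

The unsafe reader instantiates CacheEntry and its __wakeup() runs once; the allowed_classes=false reader returns a __PHP_Incomplete_Class and no hook runs; the JSON reader refuses the blob outright. Detection-wise, a User-Agent column whose values start with O: or a: followed by a digit and a quoted class name is worth an alert on its own, regardless of which reader consumes it.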

  4. Re:Another case of "most stupid coder possible"... by emiliano.heyns · · Score: 2

    Really, this is old, well known, easy to avoid. People that make mistakes like this have no business programming. The real problem is very likely though that management hired the cheapest people it could get.

    It's an open source project. There's no hiring people involved. Read up before you comment.

  5. both, because bad guys are bad and libs exist by raymorris · · Score: 2

    Parameterized queries can certainly help reduce injections, and they should be used.

    Also, if the quantity field is supposed to be in the range 1-50, don't accept quantity = "1 ;`exec rm -rf /`"
    That's obviously an attack and nothing good is going to come from that transaction, so terminate cleanly but quickly. You don't need to store an order for that number of tickets.

    A couple of significant security issues have been related to later statistical analysis of the data. The real-time application handled it fine by parameterizing it or escaping it properly, but later summary statistics were generated by a tool that was exploited by specially-crafted strings. Why allow that? You know the input is crap, so why knowingly send crap to other libraries or systems? There's no need to "correctly" send hack attempts down the line. If it's supposed to be a hostname, but it contains backticks and semicolons, stop it right there. No need to pass that to gethostbyname() or anywhere else, other than your security monitoring systems.

  6. Re:use parameterized statements you moron by stoborrobots · · Score: 2

    Who said anything about databases?

    You need to sanitize the inputs before you:

    • Send them back to the user in HTML.
    • Pass them off to another program
    • Send them to your bank or credit card processor
    • Print them onto the worklist for the staff in the factory
    • Send the coordinates to the missile guidance system

    I don't care about your fucking database and your fucking parameterized statements, you still need to verify that your inputs are sane.
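Both points, raymorris's "reject the obviously bad value at the edge and tell your monitoring" and stoborrobots's "encode for each destination, not just the database", in one added PHP example that is not from any poster. The function names, the RejectedInput class, the order fields and the sample requests are all invented for illustration; the quantity value in the second request is the one quoted above.

```php
<?php
declare(strict_types=1);

// Hypothetical exception for input that is refused rather than stored.
final class RejectedInput extends InvalidArgumentException {}

// Quantity must be a whole number from 1 to 50. Anything else is an error,
// not something to escape and keep.
function validateQuantity(string $raw): int
{
    $raw = trim($raw);
    if (!preg_match('/^[1-9][0-9]?$/', $raw)) {
        throw new RejectedInput('quantity: not a 1-2 digit number');
    }
    $n = (int) $raw;
    if ($n < 1 || $n > 50) {
        throw new RejectedInput("quantity: $n outside 1-50");
    }
    return $n;
}

// Hostname: labels of letters, digits and hyphens joined by dots. Backticks,
// semicolons, spaces and the like never get past this point.
function validateHostname(string $raw): string
{
    $host  = strtolower(trim($raw));
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    if (strlen($host) > 253 || !preg_match("/^$label(?:\\.$label)*$/", $host)) {
        throw new RejectedInput('hostname: invalid characters or shape');
    }
    return $host;
}

// The same validated value still needs a different encoding per destination.
function forHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function forShellArgument(string $s): string
{
    // Prefer handing arguments to proc_open() as an array so no shell parses
    // them; when a shell string is unavoidable, quote the argument.
    return escapeshellarg($s);
}

function forPlainTextPrintout(string $s): string
{
    // A printed worklist should carry no control characters or line breaks.
    return preg_replace('/[\x00-\x1F\x7F]/', '?', $s);
}

// Edge handler: validate first. A failure goes to the security log and the
// request is dropped without storing anything. Field values are assumed to
// arrive as strings (e.g. from a form); $securityLog stands in for whatever
// feeds the monitoring system.
function handleOrder(array $input, array &$securityLog): array
{
    try {
        $qty  = validateQuantity($input['quantity'] ?? '');
        $host = validateHostname($input['callback_host'] ?? '');
    } catch (RejectedInput $e) {
        $securityLog[] = sprintf('rejected order from %s: %s',
            $input['remote_addr'] ?? '?', $e->getMessage());
        return ['status' => 400, 'body' => 'invalid input'];
    }
    return [
        'status' => 200,
        'html'   => '<td>' . forHtml($host) . '</td><td>' . $qty . '</td>',
        'shell'  => 'ping -c 1 ' . forShellArgument($host),
        'print'  => forPlainTextPrintout("$qty tickets for $host"),
    ];
}

// Constructed requests: one well-formed, one carrying the quantity quoted above.
$log  = [];
$good = handleOrder(['quantity' => '12', 'callback_host' => 'Shop.Example.org',
                     'remote_addr' => '203.0.113.5'], $log);
$bad  = handleOrder(['quantity' => '1 ;`exec rm -rf /`', 'callback_host' => 'example.org',
                     'remote_addr' => '198.51.100.7'], $log);
print_r($good);
print_r($bad);
print_r($log);
```

The first request comes back with status 200 and three differently encoded renderings of the same hostname; the second is refused with status 400 before anything touches the database, the HTML, the shell or the printer, and the only place the hostile string ends up is the security log entry that names its source address.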