The Joomla security team have just released a new version of Joomla to patch a critical remote command execution vulnerability that affects all versions from 1.5 to 3.4. This is a serious vulnerability that can be easily exploited and is already in the wild.

I urge all Joomla! users to update Joomla now, no matter whether you are on Joomla 3.4.x or 1.5.x, updating to 3.4.6 is a must! More information on this Joomla vulnerability, and how to update, is available on the following links:

Mitigate Joomla Remote Code Execution (RCE) attacks

Protect your Joomla website before updating to 3.4.6.

As we can read in Sucuri’s report (linked above), attackers are doing an object injection via the HTTP user agent that leads to a full remote command execution. Using a .htaccess file, it should be possible to mitigate this attack vector using the following rewrite condition:

RewriteCond %{HTTP_USER_AGENT} .*\{.*\}.* [NC]
RewriteRule .* - [F,L]

This’ll deny all User-Agent strings containing accolades ({ ... }). There might be legitimate visitors blocked by this though. You can do the same for “JDatabaseDriverMysqli” and “O:[0-9]”, in one .htaccess:

RewriteCond %{HTTP_USER_AGENT} .*\{.*\}.* [NC, OR]
RewriteCond %{HTTP_USER_AGENT} .*JDatabaseDriverMysqli.* [NC, OR]
RewriteCond %{HTTP_USER_AGENT} .*O\:[0-9]+.* [NC]
RewriteRule .* - [F,L]

In your IIS web.config you can use:

<rule name="block UA" stopProcessing="true">
  <match url="(.*)" />
  <conditions logicalGrouping="MatchAny">
   <add input="{HTTP_USER_AGENT}" pattern="\{.*\}" negate="false" ignoreCase="true" />
   <add input="{HTTP_USER_AGENT}" pattern="JDatabaseDriverMysqli" negate="false" ignoreCase="true" />
   <add input="{HTTP_USER_AGENT}" pattern="O\:[0-9]+" negate="false" ignoreCase="true" />
  </conditions>
  <action type="CustomResponse"
   statusCode="403"
   statusReason="Forbidden: Access is denied."
   statusDescription="Access is denied!" />
</rule>

note: these rules are untested!

This may interest you:   MySQL sleep() attacks

Such mitigation measures should only be put in place in the period between hearing about the vulnerability and exploit and updating Joomla. It should never replace updating and securing Joomla!

Joomla EOL patches

Joomla provided patches for EOL (End Of Life) versions 1.5 and 2.5 of Joomla, see Security hotfixes for Joomla EOL versions.

If you use Joomla, update Joomla now!