The hack is dead-easy

Last week, the day after the Joomla upgrade was made available, we incidently organized a Joomla Security seminar together with our friends of Perfect Web Team and we were able to show how the hack was made. It actually took only few seconds to hack a fresh Joomla 3.4.4 site via the SQL injection exploit and it showed the audience how easy it was. Oh, and the seminar was great by the way :)

If no security counter measures are taken, hacking an unpatched Joomla 3 site is dead-easy. Also, hackers will be able to script the attack (I know I was able to script it), so you can also expect a vulnerable Joomla site to be hacked sooner or later.

Fixing it is dead-easy as well

Fixing the security hole is also really easy: Simply upgrade to Joomla 3.4.5 and you are done. If you are using Joomla 3.1, you are safe from this specific exploit. However, you also suffer from numerous other security issues, so you should still upgrade to Joomla 3.4.5. If you are using Joomla 2.5, stop whatever you are doing with maintaining that site - do not add extensions, or customize the design again. Instead, save up money to upgrade that site to Joomla 3 as soon as possible. So in one word: Upgrade.

Adding additional security

There are lessons to be learned from this security incident. The Joomla core team is already busy with learning from it, we ourselves learned from it and so should you. Whenever a Joomla security incident of this magnitude comes up, we should all react - for instance, by upgrading.

However, it is also important to realize that this type of attack is so dangerous because requires little effort, but also abuses Joomla to inject a SQL database query via the URL (in other words: SQL injection). You can add extensions to Joomla that will prevent SQL injections to ever take place. We highly recommend you to install either of the following extensions:

• Akeeba Admin Tools Pro
• Marco Interceptor Plugin (aka SQL Injection Plugin)

There are more similar extensions, but we recommend the ones above because they are the most widespread and developed by really nice guys. We actually recommend you to install both. Why both? Simply because they do not conflict in functionality, they do not cause your site to slow down (considerably) and the one can work as a fail-safe for the other.

One final thought

One final thought: Make sure to upgrade all your Joomla site. For instance, we have only about 10 production sites we monitor. But additionally, we have about 30 development sites and 10 demo sites. We patched them all.

So if you have a testing copy of Joomla running somewhere, a demo, or simply an empty Joomla site: Make sure to upgrade them as well to Joomla 3.4.5. If they are hacked, you might not care that much about that site being lost, but a hacker will be able to do more stuff via that hacked site - so it is a matter of taking up responsibility for the sites that you own.