Joomla hit by a high-risk 0-day vulnerability that allows remote code execution.
The Joomla security team has urgently released version 3.4.6 to fix a high-risk 0-day vulnerability. The vulnerability is reported to have been exploited in the wild for more than two days and to have circulated through other channels, so it is easy to imagine how many Joomla sites have already been compromised.
Following the earlier analysis of the Joomla 3.x SQL injection vulnerability, a remote command execution 0-day has now been disclosed. The affected versions are reported to range from Joomla 1.5 through 3.4. The Joomla security team is addressing it by releasing new versions and security patches for older CMS versions.
The vulnerability has been exploited for more than two days.
Even more worrying is that the vulnerability had been exploited for more than two days, spreading through various channels. To repeat: it remained an unpatched zero-day for two days before the fix was released.
Vulnerability source: the User-Agent string
FreeBuf encyclopedia
First, a look at the User-Agent string:
The User-Agent string identifies the browser version and gives the server of the website you visit certain details about your system. When you browse a web page, your browser sends a User-Agent string to the site's server. The string indicates which browser you are using, its version number, and details of your system such as the operating system and its version. The server uses this information to serve content that matches your browser.
Put simply, the vulnerability lets an attacker store code in the Joomla database and have it executed later. The entry point is the User-Agent string: Joomla stores this string in its database but performs no validation that would detect malicious content. An attacker can therefore use a custom application or script to craft a User-Agent string carrying malicious code and send it to the server; once the server stores the string in its database, the malicious code is in place.
Vulnerability discovery
The Sucuri security team was the first to detect intrusions using this vulnerability. According to their report, the first exploitation attempt was observed on December 12, 2015. The corresponding log entry is shown below:
2015 Dec 12 16:49:07 clienyhidden.access.log
Src IP: 74.3.170.33 / CAN / Alberta
74.3.170.33 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\x22JDatabaseDriverMysqli\x22:3:..
{S:2:\x22fc\x22;O:17:\x22JSimplepieFactory\x22:0:..{}s:21:\x22\x5C0\x5C0\x5C0disconnectHandlers\x22;a:1:{I:0;a:2:{I:0;O:9:\x22SimplePie\x22:5:..
{S:8:\x22sanitize\x22;O:20:\x22JDatabaseDriverMysql\x22:0:{}s:8:\x22feed_url\x22;s:60:..
The Sucuri security team observed the attack and modified the payload so that it could not execute. The attacker quickly responded, using object injection through the HTTP User-Agent header as the foothold to achieve remote command execution. This is how the vulnerability came to light.
According to the Sucuri security team:
We detected more exploitation events, all of which came from the same IP address, 74.3.170.33. As soon as the vulnerability was exploited, they attempted to connect to 146.0.72.83 and 194.28.174.106.
Protect your site now
If you run Joomla, check your server logs immediately for requests from 146.0.72.83, 74.3.170.33 and 194.28.174.106, and search the logs for the keywords "JDatabaseDriverMysqli" or "O:". If any of these are found, assume the site is no longer secure and begin emergency incident response immediately.
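As an added example (not code from the article or from Sucuri), the Python script below applies the log checks recommended above to constructed Apache combined-format lines: it flags the three IP addresses named in the article and any serialized PHP object header (O:<digits>:") or listed Joomla class name in the User-Agent or Referer field. It uses the stricter object pattern rather than a bare "O:" search, which the third sample line shows would also match a harmless User-Agent; the sample lines are constructed, not real logs.

```python
import re

KNOWN_IPS = {"74.3.170.33", "146.0.72.83", "194.28.174.106"}  # IPs named in the article
JOOMLA_CLASSES = ("JDatabaseDriverMysqli", "JSimplepieFactory", "disconnectHandlers")
# Header of a serialized PHP object: O:<len>:"  (the quote may be log-escaped as \")
PHP_OBJECT_RE = re.compile(r'O:\d+:\\?"')

# Apache combined log format; referer and user-agent may contain escaped quotes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)

# Constructed sample lines (not real logs): a benign request, a serialized-object
# User-Agent from a listed IP, and a benign User-Agent that merely contains "O:".
SAMPLE_LOG = """\
203.0.113.5 - - [12/Dec/2015:16:49:40 -0500] "GET /contact/ HTTP/1.1" 200 5322 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/42.0"
74.3.170.33 - - [12/Dec/2015:16:49:41 -0500] "GET /contact/ HTTP/1.1" 403 5322 "http://google.com/" "}__test|O:21:\\"JDatabaseDriverMysqli\\":3:{s:2:\\"fc\\";O:17:\\"JSimplepieFactory\\":0:{}}"
198.51.100.9 - - [12/Dec/2015:16:50:02 -0500] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (compatible; INFO:BOT/1.0; +http://example.com)"
"""

def naive_hit(line):
    """The bare keyword search from the advice above; also matches benign UAs like INFO:BOT."""
    return "O:" in line

def scan_line(line):
    """Return a finding dict for a suspicious log line, or None for a clean one."""
    m = LOG_RE.match(line)
    if not m:
        return None
    reasons = []
    if m["ip"] in KNOWN_IPS:
        reasons.append("known attacker IP " + m["ip"])
    for field in ("ua", "ref"):
        if PHP_OBJECT_RE.search(m[field]):
            reasons.append("serialized PHP object in " + field)
        hits = [c for c in JOOMLA_CLASSES if c in m[field]]
        if hits:
            reasons.append("Joomla class name in %s: %s" % (field, ", ".join(hits)))
    return {"ip": m["ip"], "ts": m["ts"], "status": m["status"], "reasons": reasons} if reasons else None

def scan_log(text):
    """Scan every line of an access log and return the list of findings."""
    return [f for f in (scan_line(l) for l in text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["status"], "; ".join(f["reasons"]))
```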