Joomla developers patched a vulnerability that could have let attackers steal passwords, including administrator credentials, and which had flown under the radar for eight years.
The vulnerability was disclosed by researchers at German security firm RIPS Tech and was patched in Joomla 3.8, released last week, according to a 20 September blog post.
Researchers said an unprivileged remote attacker could efficiently extract all authentication credentials of the LDAP server used by the Joomla installation by exploiting a vulnerability in the login page. The attacker could then use the stolen credentials to log in to the administrator control panel and take over the Joomla installation, and potentially the web server, by uploading custom extensions that provide remote code execution.
“The lack of input sanitisation of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search,” the blog said. “By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.”
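As an added illustration (not Joomla's or RIPS Tech's code), the Python below contrasts a login filter built by interpolating the raw username with one that escapes it per RFC 4515, plus a check a reviewer can run to confirm the filter is still a single exact-match test; the filter template and sample usernames are constructed assumptions.

```python
# Added example, not Joomla's code. The template is a hypothetical stand-in for a
# login lookup; the real Joomla LDAP query is not reproduced here.
FILTER_TEMPLATE = "(uid={username})"

# Characters RFC 4515 requires to be escaped inside an LDAP filter value.
_ESCAPE = {
    "\\": "\\5c",   # backslash must be escaped first so it is not double-processed
    "*": "\\2a",    # wildcard: the character that makes partial matching possible
    "(": "\\28",    # grouping characters that could change the filter structure
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_ESCAPE.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: raw input is interpolated, so a wildcard stays live."""
    return FILTER_TEMPLATE.format(username=username)


def build_filter_safe(username: str) -> str:
    """Hardened pattern: metacharacters are escaped and lose their special meaning."""
    return FILTER_TEMPLATE.format(username=escape_filter_value(username))


def is_single_exact_match(ldap_filter: str) -> bool:
    """Review check: exactly one equality test, no wildcard, no extra grouping."""
    return (
        ldap_filter.count("(") == 1
        and ldap_filter.count(")") == 1
        and "*" not in ldap_filter
    )


if __name__ == "__main__":
    # Constructed sample usernames: an ordinary one and one carrying a wildcard.
    for name in ["alice", "ali*"]:
        unsafe, safe = build_filter_unsafe(name), build_filter_safe(name)
        print(f"{name!r}: unsafe={unsafe} ok={is_single_exact_match(unsafe)} "
              f"safe={safe} ok={is_single_exact_match(safe)}")
```

In PHP, the language Joomla is written in, the same escaping is available through the built-in `ldap_escape()` with the `LDAP_ESCAPE_FILTER` flag.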
Those running affected versions are encouraged to update as soon as possible.