Posts

Joomla! 3.6.4 – a security fix

A Joomla! 3.6.4 release containing a security fix will be published on Tuesday 25th October at approximately 14:00 UTC

Since this is a very important security fix, please be prepared to update your Joomla installations next Tuesday.

https://www.joomla.org/announcements/release-news/5677-important-security-announcement-pre-release-364.html

Joomla! 3.4.8 is now available

Joomla! 3.4.6 is now available

Joomla! 3.4.6 is now available. This is a security release for the 3.x series of Joomla which addresses a critical security vulnerability and 2 low level security vulnerabilities. We strongly recommend that you update your sites immediately.

Security Issues Fixed

  • High Priority – Core – Remote Code Execution (affecting Joomla 1.5 through 3.4.5)
  • Low Priority – Core – CSRF Hardening (affecting Joomla 3.2.0 through 3.4.5)
  • Low Priority – Core – Directory Traversal (affecting Joomla 3.4.0 through 3.4.5)

Link: https://www.joomla.org/announcements/release-news/5641-joomla-3-4-6-released.html

Joomla Security Patch 3.4.5

Joomla! 3.4.5 is now available. This is a Joomla security patch for the 3.x series of Joomla which addresses a critical security vulnerability. We strongly recommend that you update your sites immediately. This release only contains the security fixes; no other changes have been made compared to the Joomla 3.4.4 release.

Security Issues Fixed:

  • High Priority – Core – SQL Injection (affecting Joomla 3.2 through 3.4.4)
  • Medium Priority – Core – ACL Violations (affecting Joomla 3.2 through 3.4.4)
  • Medium Priority – Core – ACL Violations (affecting Joomla 3.0 through 3.4.4)

Link: www.joomla.org
Link to announcement: Joomla! announcement 3.4.5 release.

Joomla Security Patch Pre-Announcement

Joomla has issued a pre-announcement for the Joomla 3.4.5 release containing a security fix that will be published on Thursday 22nd October at approximately 14:00 UTC.

The Joomla security team (JSST) has been informed of a critical security issue in the Joomla core.
Since this is a very important security fix, please be prepared to update your Joomla installations next Thursday.
Until the release is out, please understand that we cannot provide any further information.

Link: www.joomla.org

Joomla and WordPress Brute Force attacks

If you are using Joomla or WordPress, there is a high chance your site is under attack now, or will be in the near future, by a so-called brute force attack.
The attacker tries to gain access to your application by guessing the password; this often succeeds because users keep the default username or use simple passwords.

But such an attack also has an impact on system resources. When an attack comes from another infected server, and multiple infected sites target your site together, it actually works a bit like a DDoS: all resources of your account get used and your account will be slowed down, and with very large attacks it might even affect server performance in general.

While we take many precautions against such an attack, the best way to counter it is to install a script which blocks an IP address after a number of failed logins.
Such scripts exist for both WordPress and Joomla. If you do not use WordPress or Joomla, please check with your software developer whether a login limit exists or can be implemented.

WordPress – We have seen good results with the following plugins:

Bruteprotect: https://wordpress.org/plugins/bruteprotect/
Wordfence: https://wordpress.org/plugins/wordfence/

Joomla – While we have no direct experience with it, the following plugin should help:

Brute Force Stop: http://extensions.joomla.org/extensions/access-a-security/site-security/login-protection/22982
Another plugin that one of our customers recommends is: https://www.akeebabackup.com/products/admin-tools.html

It is possible in some cases to protect the /wp-admin/ (WordPress) or /administrator/ (Joomla) directory with a .htaccess authentication script; because .htaccess works at the server level, our WAF (Web Application Firewall) will then act as a login limiter and block IPs which fail.
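The login-limiting idea described above, as an added example that is not part of the original post or of any of the plugins it names: it scans Apache access log lines (combined format is assumed, and the sample lines are constructed), flags IPs that POST to /wp-login.php or /administrator/index.php too often within a sliding window, and renders an Apache 2.4 .htaccess fragment that denies only those IPs.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Login endpoints named in the post above; a POST to one of them is a login attempt.
LOGIN_PATHS = ("/wp-login.php", "/administrator/index.php")
# Apache "combined" log format (assumed); only the fields we need are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')
def parse_line(line):
    """Return (ip, timestamp, method, path without query string) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0]

def brute_force_ips(lines, threshold=5, window_seconds=300):
    """IPs with at least `threshold` login POSTs inside `window_seconds`; lines assumed chronological."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent login POSTs
    flagged = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path = parsed
        if method != "POST" or path not in LOGIN_PATHS:
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # drop attempts outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ip)
    return sorted(flagged)
def htaccess_block(ips):
    """Apache 2.4 .htaccess fragment that denies only the flagged IPs, everyone else stays allowed."""
    rules = "".join(f"    Require not ip {ip}\n" for ip in ips)
    return "<RequireAll>\n    Require all granted\n" + rules + "</RequireAll>\n"

# Constructed sample log (not real traffic): 203.0.113.7 hammers wp-login.php, 198.51.100.4 is a normal user.
SAMPLE_LOG = """\
198.51.100.4 - - [10/Oct/2015:13:55:38 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
203.0.113.7 - - [10/Oct/2015:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2015:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2015:13:55:42 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
198.51.100.4 - - [10/Oct/2015:13:55:50 +0000] "POST /administrator/index.php HTTP/1.1" 303 0
203.0.113.7 - - [10/Oct/2015:13:55:53 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3421
203.0.113.7 - - [10/Oct/2015:13:55:55 +0000] "POST /wp-login.php HTTP/1.1" 200 3421
"""
```

Running `htaccess_block(brute_force_ips(SAMPLE_LOG.splitlines()))` on the sample yields a fragment denying only 203.0.113.7; the threshold and window are tunable per site.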