A specialist from the Italian company Hacktive Security has discovered a dangerous vulnerability that affects all versions of Joomla from 3.0.0 to 3.4.6, released between September 2012 and December 2015. The researcher has already made public not only detailed information about the bug, but also a PoC exploit for it.
The expert writes that the vulnerability is very similar to the old problem CVE-2015-8562 and also allows the injection of PHP objects, which can ultimately lead to remote execution of arbitrary code. The vulnerability can be exploited through the Joomla CMS login form, which allows attackers to execute code on the site's server.
Let me remind you that CVE-2015-8562, discovered in 2015, is a problem still known to this day. At the time it was actively abused by attackers, and experts sometimes recorded up to 20,000 attacks per day.
Fortunately, the fresh bug found by the Hacktive Security expert affects only sites running Joomla 3.x, while CVE-2015-8562 was dangerous for all versions of Joomla available at that time: 1.5.x, 2.x and 3.x. However, whereas the old bug only worked with PHP older than versions 5.4.45, 5.5.29 or 5.6.13, the new vulnerability is completely independent of the environment.
Apparently, the Joomla developers fixed the problem discovered by Hacktive Security when they fixed the already mentioned vulnerability CVE-2015-8562. Thus, upgrading to Joomla 3.4.7 or later is enough to prevent attacks (the current version of Joomla is 3.9.12). This can be useful for site owners who intentionally run outdated versions of the CMS because of plugin incompatibility and the fear that updates will lead to a “resource breakdown” (although this is by no means good practice).
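For site owners who need to find installations still inside the affected range, here is a defensive version check, added as an example and not taken from the researcher's write-up or from Joomla itself. It assumes the version is read from the text of Joomla's version file and that the file uses one of the three constant layouts shown in the comments; the sample inputs are constructed.

```python
import re

# Range stated in the article: 3.0.0 through 3.4.6 are affected, 3.4.7 is fixed.
FIRST_AFFECTED, FIRST_FIXED = (3, 0, 0), (3, 4, 7)

# Assumed version-file layouts (not from the article):
#   3.0-3.4: public $RELEASE = '3.4';  public $DEV_LEVEL = '6';
#   3.5-3.7: const RELEASE = '3.6';    const DEV_LEVEL = '5';
#   3.8+:    const MAJOR_VERSION = 3;  const MINOR_VERSION = 9;  const PATCH_VERSION = 12;
_SPLIT = re.compile(r"const\s+(MAJOR|MINOR|PATCH)_VERSION\s*=\s*(\d+)\s*;")
_LEGACY = re.compile(r"(?:\$|const\s+)(RELEASE|DEV_LEVEL)\s*=\s*'([^']*)'\s*;")

def parse_joomla_version(php_source):
    """Return (major, minor, patch) parsed from version-file text, or None."""
    split = dict(_SPLIT.findall(php_source))
    if {"MAJOR", "MINOR", "PATCH"} <= split.keys():
        return tuple(int(split[k]) for k in ("MAJOR", "MINOR", "PATCH"))
    legacy = dict(_LEGACY.findall(php_source))
    release = re.fullmatch(r"(\d+)\.(\d+)", legacy.get("RELEASE", ""))
    # DEV_LEVEL can carry a suffix such as "0-rc1"; only the leading number counts.
    patch = re.match(r"\d+", legacy.get("DEV_LEVEL", ""))
    if release and patch:
        return int(release.group(1)), int(release.group(2)), int(patch.group())
    return None

def classify(php_source):
    """Map version-file text to 'affected', 'fixed', 'pre-3.0' or 'unknown'."""
    version = parse_joomla_version(php_source)
    if version is None:
        return "unknown"   # unparseable: review by hand rather than assume safe
    if version < FIRST_AFFECTED:
        return "pre-3.0"   # outside this bug's range; CVE-2015-8562 covered 1.5.x/2.x
    return "affected" if version < FIRST_FIXED else "fixed"

# Constructed sample file contents, not copied from real installations.
SAMPLES = {
    "legacy-3.4.6": "public $RELEASE = '3.4';\npublic $DEV_LEVEL = '6';",
    "legacy-3.4.7": "public $RELEASE = '3.4';\npublic $DEV_LEVEL = '7';",
    "const-3.6.5": "const RELEASE = '3.6';\nconst DEV_LEVEL = '5';",
    "split-3.9.12": "const MAJOR_VERSION = 3;\nconst MINOR_VERSION = 9;\n"
                    "const PATCH_VERSION = 12;",
    "legacy-2.5.28": "public $RELEASE = '2.5';\npublic $DEV_LEVEL = '28';",
    "garbled": "<?php // no version constants here",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:14} {parse_joomla_version(text)} -> {classify(text)}")
```

A result of "pre-3.0" or "unknown" is not a clean bill of health: the first falls under the older CVE-2015-8562 range the article describes, and the second needs manual review.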
An example of exploiting the vulnerability in practice can be seen below.