Joomla critical patch ...upgrade to 3.4.6

[BruceLee]

Hi everybody,

for your info. and a question to atomicorp if ASL covers this.
Thanks a lot.

[20151201] - Core - Remote Code Execution Vulnerability

Project: Joomla!
SubProject: CMS
Severity: High
Versions: 1.5.0 through 3.4.5
Exploit type: Remote Code Execution
Reported Date: 2015-December-13
Fixed Date: 2015-December-14
CVE Numbers: requested

Description:
Browser information is not filtered properly while saving the session values into the database which leads to a Remote Code Execution vulnerability.

Affected Installs:
Joomla! CMS versions 1.5.0 through 3.4.5

Solution:
Upgrade to version 3.4.6

SOURCE:
https://developer.joomla.org/security-c ... ility.html

Patch in branch 3.X:
https://github.com/joomla/joomla-cms/releases/tag/3.4.6
Patches for EOL versions:
https://docs.joomla.org/Security_hotfix ... L_versions

[mikeshinn]

Yes ASL, and the modsecurity rules, already protect against this attack. Both generically (there are rules for malicious payloads in the UA and other fields), as well as specific JITP rules for this vulnerability in Joomla.

[BruceLee]

JEEHAAAA. Thanks like always.

[awsumco]

Hi, mikeshinn

Out of curiosity which mod_sec rule config covers the said Joomla vulnerability, i just want to double check I am in fact covered as I only used the ASL mod_sec rules subscription ?

[mikeshinn]

337106 and 347195