A critical remote code execution (RCE) vulnerability was discovered in Joomla! websites. It is making a lot of noise for the following reasons:
- It appears that attackers started exploiting it even before the disclosure (0-day).
- It is very easy to exploit.
- Almost all versions of Joomla! are vulnerable under certain conditions.
At its core, this is an input validation issue. An attacker can inject arbitrary input through the X-FORWARDED-FOR or User-Agent header to exploit this vulnerability without showing up in web server logs. The only way to detect this is with Snort or other network IDS/IPS capabilities. And yes, attackers can achieve code execution.
All versions of Joomla! below 3.4.6 are known to be vulnerable. However, exploitation is possible with PHP versions below 5.5.29, below 5.6.13, and below 5.5.
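To turn the version ranges above into a quick exposure check across several sites, the following added example (not code from Joomla! or from this post) classifies each site from its Joomla! and PHP version strings. The per-branch reading of the PHP list, the status names, and the sample inventory are assumptions made for illustration.

```python
import re

# Thresholds taken from the text above. Reading the PHP list per branch
# (5.5.x < 5.5.29, 5.6.x < 5.6.13, anything older than 5.5) is an assumption.
JOOMLA_FIXED = (3, 4, 6)
PHP_BRANCH_FIXED = {(5, 5): (5, 5, 29), (5, 6): (5, 6, 13)}
PHP_OLDEST_LISTED_BRANCH = (5, 5)


def parse_version(text):
    """Parse '3.4', 'v3.4.5' or '5.5.9-1ubuntu4.14' into a 3-tuple of ints."""
    match = re.match(r"\s*v?(\d+)(?:\.(\d+))?(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def php_exploitable(version):
    v = parse_version(version)
    branch = v[:2]
    if branch < PHP_OLDEST_LISTED_BRANCH:
        return True
    fixed = PHP_BRANCH_FIXED.get(branch)
    # Branches not listed above (newer than 5.6) fall through as not exploitable.
    return fixed is not None and v < fixed


def triage(joomla, php):
    """Classify one site from its upstream Joomla! and PHP version strings."""
    if parse_version(joomla) >= JOOMLA_FIXED:
        return "patched"
    # Distribution packages can backport fixes without changing the upstream
    # number, so confirm an "exploitable" PHP result against the package changelog.
    return "exploitable" if php_exploitable(php) else "vulnerable-not-exploitable"


# Constructed inventory: (site, Joomla! version, PHP version)
SAMPLE_INVENTORY = [
    ("shop.example", "2.5.28", "5.3.10"),
    ("blog.example", "3.4.5", "5.5.9-1ubuntu4.14"),
    ("intra.example", "3.4.5", "5.6.13"),
    ("www.example", "3.4.6", "5.4.16"),
]


def triage_inventory(inventory):
    return {site: triage(joomla, php) for site, joomla, php in inventory}


if __name__ == "__main__":
    for site, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{site:15} {status}")
```

Sites reported as "vulnerable-not-exploitable" still run the unpatched Joomla! code and should be upgraded to 3.4.6 or later.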