-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2015.0117.2
        A number of vulnerabilities have been identified in Joomla!
                          prior to version 3.4.6.
                             18 December 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Joomla!
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Access Confidential Data        -- Remote/Unauthenticated      
                      Reduced Security                -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-8565 CVE-2015-8564 CVE-2015-8563
                      CVE-2015-8562  
Member content until: Thursday, January 14 2016

Comment: According to the Sucuri blog, active exploits against the 
         vulnerability in the 20151214 advisory have been ongoing for the past 
         48 hours. [5]

Revision History:     December 18 2015: Added CVEs
                      December 15 2015: Initial Release

OVERVIEW

        A number of vulnerabilities have been identified in Joomla! prior to 
        version 3.4.6. [1 - 4]


IMPACT

        The vendor has provided the following details regarding these 
        vulnerabilities:
        
        CVE-2015-8562: "Browser information is not filtered properly while saving the 
        session values into the database which leads to a Remote Code 
        Execution vulnerability." [1]
        
        CVE-2015-8563: "Add additional CSRF hardening in com_templates." [2]
        
        CVE-2015-8564: "Failure to properly sanitise input data from the XML install file 
        located within an extension's package archive allows for directory 
        traversal." [3]
        
        CVE-2015-8565: "Inadequate filtering of request data leads to a Directory Traversal
        vulnerability." [4]


MITIGATION

        The vendor recommends updating to the latest version of Joomla! to 
        correct these issues. [1 - 4]


REFERENCES

        [1] [20151201] - Core - Remote Code Execution Vulnerability
            https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html

        [2] [20151202] - Core - CSRF Hardening
            https://developer.joomla.org/security-centre/633-20151214-core-csrf-hardening.html

        [3] [20151203] - Core - Directory Traversal
            https://developer.joomla.org/security-centre/634-20151214-core-directory-traversal.html

        [4] [20151204] - Core - Directory Traversal
            https://developer.joomla.org/security-centre/635-20151214-core-directory-traversal-2.html

        [5] Critical 0-day Remote Command Execution Vulnerability in Joomla
            https://blog.sucuri.net/2015/12/remote-command-execution-vulnerability-in-joomla.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----