Tuesday, 25 October 2016 11:18

Security Issue? Joomla 3.6.4 /administrator panel background color changed


I noticed that after installing the Joomla 3.6.4 security patch, the background color of the /administrator control panel login screen changed.  It seems that with today's release of Joomla 3.6.4, and the ease with which the exploit can be executed, it's really bad timing to make it so easy for hackers to see whether or not a site has been patched.  This latest Joomla exploit allows a person to do two things:

  1. create an account for themselves in your Joomla user manager, even if you've turned this option OFF in the settings
  2. when creating that account in step one, they are able to assign it "administrator" rights

Meaning... once they sign in with it, they have full access to your admin panel.  I have already reached out to the Joomla security team about this issue and will report back with any response.

[edit]
Their Response:
The login page was refreshed at 3.5.0, it is also configurable via the admin interface.  This alone wouldn't be a giveaway.
Joomla! Security Strike Team
[/edit]

Compounding the issue, the Joomla team pre-announced this security release four (4) days ago, on October 21.  (This gave hackers plenty of time to get ready...)

This could have been partially mitigated by adding extra protection, at the server level, to the /administrator/ directory.  This would typically involve an IP-based restriction or an extra password in front of the directory.  It is only a partial mitigation because the rogue account can still be created; what it blocks is the attacker signing in to the back end with it.  Whatever you add at the server level, also apply the patch and review the User Manager for accounts you did not create, especially any placed in the Administrator or Super Users groups, since patching does not remove accounts an attacker has already added.  If you're interested in having your site examined for potential security issues - whether it is Joomla, Wordpress, Drupal, or another platform - contact us today.
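Here is what that server-level protection looks like on Apache 2.4, as an added example that is not from the original post or from the Joomla project: an .htaccess file placed in the /administrator/ directory that only admits requests from listed source addresses and, on top of that, demands HTTP Basic credentials.  The address ranges, the password-file path and the realm name are assumptions for illustration; substitute your own.

```apacheconf
# /administrator/.htaccess
# Assumes Apache 2.4 with mod_authz_core, mod_authz_host, mod_auth_basic and
# mod_authn_file loaded, and AllowOverride permitting AuthConfig and Limit here.
# The example addresses and file path below are placeholders, not real values.

AuthType Basic
AuthName "Site administration"
# Keep the password file outside the web root. Create it once with:
#   htpasswd -c /etc/apache2/joomla-admin.htpasswd adminuser
AuthUserFile /etc/apache2/joomla-admin.htpasswd

# In Apache 2.4 bare Require lines are OR-ed together, so to demand BOTH a
# permitted source address AND valid credentials they must be wrapped in
# RequireAll, with the alternative addresses grouped under RequireAny.
<RequireAll>
    <RequireAny>
        # Office network (example range)
        Require ip 203.0.113.0/24
        # Single trusted host (example address)
        Require ip 198.51.100.7
    </RequireAny>
    Require valid-user
</RequireAll>
```

The Require ip check runs before any PHP is executed, so a probe from an unlisted address receives a 403 and never sees the login screen, whatever color it happens to be.  If you would rather not rely on .htaccess, the same directives can go in a <Directory> block for the administrator path in the virtual host configuration; nginx users get the equivalent with allow/deny plus auth_basic in a location block for /administrator/.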

Last modified on Thursday, 15 February 2018 10:48


Copyright © 2005-2018 Covington Creations, LLC | Legal