Tuesday, 25 October 2016 16:18

Security Issue? Joomla 3.6.4 /administrator panel background color changed


I noticed that after installing the Joomla 3.6.4 security patch, the background color of the /administrator control panel login screen changed.  Given today's release of Joomla 3.6.4 and the ease with which the exploit can be executed, it is really bad timing to make it so easy for hackers to see whether or not a site has been patched.  This latest Joomla exploit allows a person to do two things:

  1. create an account for themselves in your Joomla user manager, even if you've turned this option OFF in the settings
  2. when creating that account in step one, they are able to assign it "administrator" rights

Meaning... once they sign in with it, they have full access to your admin panel.  I have already reached out to the Joomla! Security Strike Team about this issue and will report back with any response.

[edit]
Their Response:
The login page was refreshed at 3.5.0, it is also configurable via the admin interface.  This alone wouldn't be a giveaway.
Joomla! Security Strike Team
[/edit]

Compounding the issue, the Joomla team revealed this issue four (4) days ago, on October 21.  (This gave hackers plenty of time to get ready...)

This could have been partially mitigated by adding extra protection (at the server level) to the /administrator/ directory.  This would typically involve adding an IP-based firewall or an extra password to the directory.  If you're interested in having your site examined for potential security issues - whether it is Joomla, WordPress, Drupal, or another platform - contact us today.
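As an added example (not from the original post or from the Joomla project), here is what that server-level protection looks like as an Apache 2.4 `.htaccess` file dropped into `/administrator/`: an IP allow-list combined with an extra HTTP Basic password, so an attacker who has created an administrator account through the exploit still cannot reach the login screen to use it. It assumes Apache 2.4 with mod_authz_core and mod_auth_basic loaded, `AllowOverride AuthConfig` for the Joomla root, and placeholder addresses and an htpasswd path that you would replace with your own.

```apache
# <joomla-root>/administrator/.htaccess  (assumed Apache 2.4 setup)
#
# Layer 1: HTTP Basic authentication in front of the Joomla admin login.
# The credential file lives outside the web root and is created with, e.g.:
#   htpasswd -c /etc/apache2/joomla-admin.htpasswd siteadmin
# (file path and user name are placeholders)
AuthType Basic
AuthName "Restricted administrator area"
AuthUserFile /etc/apache2/joomla-admin.htpasswd

# Layer 2: source-address allow-list. Both layers must pass (RequireAll),
# but any one of the listed addresses is enough for the IP check (RequireAny).
<RequireAll>
    <RequireAny>
        # Placeholder addresses: your office / VPN egress
        Require ip 203.0.113.10
        Require ip 198.51.100.0/24
    </RequireAny>
    Require valid-user
</RequireAll>
```

This only blocks the final step the post describes (signing in to the panel); the rogue account itself is still created until the 3.6.4 patch is applied, which is why the mitigation is partial.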

Last modified on Thursday, 15 February 2018 15:48