There is a new zero day exploit in Joomla. Details are described in CVE-2015-8562.
We recommend that you update Joomla immediately, but if you cannot do that or cannot change the files on your backend servers, you can apply a fix in NGINX or NGINX Plus on the frontend.
Note: We strongly advise to update your Joomla installations as soon as possible, even if you patch your site today with this NGINX configuration.
You can read about the exploit and the patch at the Sucuri blog or Ars Technica, among others.
Identifying the Attack
The original attacks came from these IP addresses:
- On 12 December 2015 – 74.3.170.33
- On 13 December 2015 – 146.0.72.83 and 194.28.174.106
The attack is usually performed by modifying the User-Agent header and can be identified by these values inside the header: JDatabaseDriverMysqli and O: (capital letter O followed by the colon).
Joomla provides the following sample log entry from an attack.
Applying a Fix in NGINX or NGINX Plus
Use this snippet of NGINX configuration to block the original IP addresses and any request where the User-Agent header contains O: or JDatabaseDriverMysqli. To block additional IP addresses, add them to the list in the second map block.
For further information on restricting access to your site, see the NGINX Plus Admin Guide.
Post your experience in the Comments below.
About the Author
Related Blog Posts
Secure Your API Gateway with NGINX App Protect WAF
As monoliths move to microservices, applications are developed faster than ever. Speed is necessary to stay competitive and APIs sit at the front of these rapid modernization efforts. But the popularity of APIs for application modernization has significant implications for app security.
How Do I Choose? API Gateway vs. Ingress Controller vs. Service Mesh
When you need an API gateway in Kubernetes, how do you choose among API gateway vs. Ingress controller vs. service mesh? We guide you through the decision, with sample scenarios for north-south and east-west API traffic, plus use cases where an API gateway is the right tool.
Deploying NGINX as an API Gateway, Part 2: Protecting Backend Services
In the second post in our API gateway series, Liam shows you how to batten down the hatches on your API services. You can use rate limiting, access restrictions, request size limits, and request body validation to frustrate illegitimate or overly burdensome requests.
New Joomla Exploit CVE-2015-8562
Read about the new zero day exploit in Joomla and see the NGINX configuration for how to apply a fix in NGINX or NGINX Plus.
Why Do I See “Welcome to nginx!” on My Favorite Website?
The ‘Welcome to NGINX!’ page is presented when NGINX web server software is installed on a computer but has not finished configuring