A Vietnamese student from Hanoi University of Technology has found a serious security hole on Joomla which may harm 600,000 websites worldwide, including many Vietnamese.
The student is Pham Van Khanh, a senior at the Hanoi University of Technology, the leading technique and technology school in Vietnam. Khanh is an intern at Viettel, a military telecommunication group, one of the major technology players in Vietnam.
Tran Quang Chien from Security Daily, a website on information security, has confirmed that the hole on Joomla platform found by Khanh was made public on Exploit-DB.com, an organization specializing in updating security holes on July 16.
Joomla, written in PHP, is a free and open-source content management system (CMS) for publishing web content. It is built on a model–view–controller web application framework that can be used independently of the CMS.
The security hole found by Khanh was in Joomla’s latest version 4.1.7 of com_youtubegallery.
com_youtubegallery is Joomla’s video media management solution, which allows users to embed and manage videos from many different sources, such as youtube, Vimeo, Break.com and Own3d.tv into their websites.
The hole has been updated on Exploit-DB.com with the code CVE-2014-4960, i.e the 4960th hole of the year.
According to Tran Quang Chien, the hole is serious because it allows hackers to read the information in users’ accounts and steal administration accounts. In many cases, hackers may hijack websites.
Security Daily has affirmed that the hole exists in a lot of websites, about 40 websites in Vietnam and thousands in the world.
Also according to Chien, the bad news is that there has been no patch version for the hole, but the good news is all Vietnamese government websites are safe from the vulnerability.
Khanh said that he had not been intentionally looking for vulnerabilities of Joomla. He just accidentally found the hole when learning about internet security in his free time at weekend.
Khanh found the hole late last week. And this is the first time Khanh reported the error to the websites that regularly update vulnerabilities.
“I am going to learn more about internet security in the time to come,” Khanh said.
When asked if Khanh plans to work for Viettel after graduation, Khanh said he finds the working environment is very good there. He is not sure about his future job after he graduates, but he continues to work there as of now.