25 October 2016 Last updated on 30 April 2017

Today, October 25th, 2016 we released Admin Tools 4.0.2 to mitigate a zero day security issue affecting Joomla. Our team was aware of this issue and had prepared the fix a week in advance. We decided to coordinate our release with Joomla to keep every Joomla site owner safe.

Nature of the security issue

Due to a bug introduced in Joomla 3.4.4 an unauthenticated user can register a user account with any user group assignment they choose except Super User. This works even when you have turned off account registration.

In plain English, any random hacker can create an Administrator (but NOT Super User) account on your site. Using that they modify the content of your site but, with the default security options of Joomla in place, cannot install malicious extensions.

Which sites are affected?

Every site running Joomla! 3.4.4 to 3.6.3 (inclusive) is affected.

Should I be worried?

Yes, very much! This is a MAJOR security issue. While the attacker can't get directly Super User privileges they can get enough access to your site to either cause functional problems or introduce malicious Javascript code which can be used to hack you or your site's visitors. At the very least, a hacker could abuse your site with very negative impact to how it's perceived by search engines and visitors.

What Admin Tools does to protect you

Admin Tools comes with a feature called WAF Blacklist. This feature allows you to create custom rules which block requests based on a variety of factors. We have identified the attack vectors for this security issue and create a new rule. This rule is installed and activated automatically when you update to Admin Tools 4.0.2 or later.

For users of older versions, the WAF Blacklist rule is as follows:

Verb: – – –
Component: com_users
View: (leave blank)
Task: (leave blank)
Query Parameter: Select Partial in the dropdown. In the textbox enter user[groups]
RegEx for query content: (leave blank)

What to do if you're on PHP 5.3 and can update neither Joomla nor Admin Tools

Previous versions of Admin Tools did come with the WAF Blacklist feature and you can set up the aforementioned rule manually. However, please do note that the old versions of Admin Tools will not address some forms of the attack which use SEF URLs.

Our recommendation is to always run the latest PHP and Joomla! version. At the very least upgrade to PHP 5.6 and install the latest version of Admin Tools Professional to mitigate the issue. If you can't do any of that there is a very good chance that your site WILL be hacked within 8 to 48 hours from the time Joomla! 3.6.4 was released and the specifics of the security issue were made public.

What to do if you're on Joomla! 3.4.3 or earlier

There are good news and really bad news.

Good news: you are not affected by this particular security issue!

Bad news: your version of Joomla is way too old and has known security issues which are currently being exploited in the wild. The best course of action is to update to Joomla! 3.6.4 as soon as possible.