Vulnerability in Joomla CMS
The developers of Joomla! have reported the discovery of a vulnerability that allows attackers to manipulate and delete the contributions of users. An attacker need only send manipulated HTTP requests to the server, but the attack is only possible if the XML-RPC Blogger API plug-in is enabled. The announcement comes two weeks after the release of version 1.5 of the open source content management system.
Recently, WordPress reported a similar flaw in its XML-RPC implementation, but in that case attackers required a valid user account. It is not yet clear whether this is also necessary in the case of Joomla. Experience has shown that whenever a security problem occurs with XML-RPC, many blogs, wikis, and content management systems are also affected. We can therefore expect to receive more security advisories from software vendors soon.
No official update has yet been released, but the developers say they are currently working on one that will remedy this vulnerability and other flaws in the code. Until its release, the Joomla team recommends that users disable the vulnerable plug-in. The flaw has reportedly already been remedied in the Subversion repository.
See also:
* Security announcement for 1.5, security advisory at the Joomla! Team Blog