Dual vulnerability combo in popular CMS Joomla could lead to ‘full system compromise’

Patch issued for one flaw, but Joomla maintainers contest the severity of a second bug

UPDATED Security researchers have revealed the details of two vulnerabilities in Joomla – the popular content management system – which, if chained together, they said could be used to achieve full system compromise.

The two vulnerabilities – a password reset vulnerability and a stored cross-site scripting (XSS) flaw – were both discovered by security researchers at Fortbridge and responsibly disclosed to Joomla’s developers in February and March, respectively.

Specific configuration

After some delays, Joomla released a patch for the XSS vulnerability with version 3.9.27 of the CMS (released in May). The password reset vulnerability – which Fortbridge warns remains unresolved – can be mitigated with a “trusted_hosts” configuration.

Fortbridge advises Joomla users to set the “$live_site” variable in the configuration.php file as a workaround pending the availability of a patch for the password reset issue.

According to Joomla, however, this HOST-header injection vulnerability requires “extremely specific circumstances” that are “extremely uncommon” in the Joomla community in order to be exploitable.

Combination attack

The two vulnerabilities in Joomla are both high severity and “when chained together they allow an attacker to take over Joomla’s website completely”, Adrian Tiron, managing partner at Fortbridge, told The Daily Swig.

“Once the attacker has full access to the Joomla website, [they] can upload a PHP shell which will allow [them] to execute commands on the server,” Tiron warned.


The password reset vulnerability allows the attacker to reset an administrator’s password.

Tiron explained: “The attacker triggers the password reset process and can manipulate the password reset link to point to the attacker’s server where [they will] capture the victim’s token and reset [their] password once the victim clicks on the link, or the link is fetched by some AV/EDR [anti-virus/endpoint detection and response] scanning solution.

“Once the attacker was able to reset the admin’s password and obtained admin privileges, [they] use the second vulnerability, a stored XSS, to target the ‘Super Admin’ user.”

By escalating privileges to ‘Super Admin’, an attacker can gain full access and the ability to run a remote code execution (RCE) attack against a vulnerable Joomla CMS, Fortbridge warns.

In response to questions from The Daily Swig, Joomla’s developers provided a detailed statement disputing the alleged seriousness of the problems discovered by Fortbridge:

Fortbridge initially reported two separate issues:

1. a so-called HOST-header injection

2. an attack vector that would eventually lead to an XSS attack, while requiring the existence of a privileged but non-super admin account on the Joomla installation

The XSS vector has been fixed in Joomla 3.9.27.

The HOST-header injection requires extremely specific circumstances to be exploitable, namely a web server setup with either:

a) no vhosts being configured or

b) a Joomla installation residing in the configured default vhost

Such a setup is extremely uncommon in the Joomla community, as the vast majority of websites are running in shared-hosting environments, where these conditions aren’t met.

However, even if a Joomla site is running in such an environment, a Joomla site can already be protected by using the existing $live_site configuration flag in the configuration.php.

Fortbridge, which is sticking by its findings, rejected suggestions that the problems it found only affected obscure configurations and were therefore difficult to exploit.

“It requires that Joomla is installed on a dedicated server to be specific (sometimes works in shared hosting),” according to Fortbridge. “The big Joomla websites will be on dedicated servers, thus they’re the most vulnerable to this issue.”

Fortbridge’s Tiron concluded: “Just because the two vulnerabilities require user interaction doesn’t make it un-exploitable.”

Wider lessons

Fortbridge published a detailed technical write-up of its findings this week. Related proof-of-concept code was posted on GitHub.

Joomla is one of the most popular CMS platforms, with more than 1.5 million installations worldwide. Fortbridge came across the bugs it discovered in the platform during a penetration testing exercise.

Beyond the significance of the findings in their own right, they offer lessons to other developers, according to Fortbridge’s Tiron.

For one thing, the stored XSS flaw would have been preventable through using allowlists rather than blocklists. Secondly, avoid building password reset links using $_SERVER['HTTP_HOST'] / $_SERVER['SERVER_NAME'], because these “variables are actually user input”, Tiron advised.
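The two lessons above, as an added PHP illustration written for this article (it is neither Joomla’s own code nor Fortbridge’s proof of concept). It contrasts a reset link whose host comes from the Host header with one built from a configured base URL, in the spirit of Joomla’s $live_site setting in configuration.php, adds a trusted-host allowlist check, and filters stored HTML with an allowlist of tags and attributes instead of a blocklist. All function names, the /reset-password path, the hostnames and the sample inputs are assumptions made for the example.

```php
<?php
// Added illustration for this article; hypothetical helpers, not Joomla's code.

// UNSAFE (the pattern Tiron warns against): the link's host is taken from
// $_SERVER['HTTP_HOST'], which is whatever the client sent in its Host header.
function buildResetLinkUnsafe(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    return $scheme . '://' . $server['HTTP_HOST'] . '/reset-password?token=' . rawurlencode($token);
}

// SAFER: the base URL is configuration (comparable in intent to Joomla's
// $live_site); the request's Host header is never consulted.
function buildResetLinkSafe(string $liveSite, string $token): string
{
    $base = rtrim($liveSite, '/');
    if (!preg_match('#^https://[A-Za-z0-9.-]+(:\d+)?$#', $base)) {
        throw new InvalidArgumentException('live_site must be an absolute https origin');
    }
    return $base . '/reset-password?token=' . rawurlencode($token);
}

// Defence in depth where a deployment must derive the host at runtime:
// only a Host value present in a configured allowlist is accepted.
function resolveTrustedHost(array $server, array $trustedHosts): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $host = preg_replace('/:\d+$/', '', $host); // compare without the port
    if (!in_array($host, $trustedHosts, true)) {
        throw new RuntimeException('Untrusted Host header: ' . $host);
    }
    return $host;
}

// Allowlist HTML filter: only the listed tags survive, only the listed
// attributes per tag survive, and href must be http(s). Anything not named
// here is removed, which is the opposite of a blocklist that tries to
// enumerate dangerous markup.
function filterHtmlAllowlist(string $html): string
{
    $allowed = ['p' => [], 'b' => [], 'i' => [], 'br' => [], 'a' => ['href']];
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);
    sanitizeNode($root, $allowed);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function sanitizeNode(DOMNode $node, array $allowed): void
{
    // Iterate over a snapshot because the loop mutates the tree.
    foreach (iterator_to_array($node->childNodes) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!isset($allowed[$tag])) {
                if (in_array($tag, ['script', 'style'], true)) {
                    $node->removeChild($child);          // drop executable content entirely
                    continue;
                }
                sanitizeNode($child, $allowed);          // clean the subtree first
                while ($child->firstChild) {             // then unwrap: keep children, drop the tag
                    $node->insertBefore($child->firstChild, $child);
                }
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes) as $attr) {
                $name = strtolower($attr->name);
                if (!in_array($name, $allowed[$tag], true)) {
                    $child->removeAttribute($attr->name); // event handlers, style, etc.
                } elseif ($name === 'href' && !preg_match('#^https?://#i', $attr->value)) {
                    $child->removeAttribute('href');      // javascript:, data: and friends
                }
            }
            sanitizeNode($child, $allowed);
        } elseif (!($child instanceof DOMText)) {
            $node->removeChild($child);                  // comments, processing instructions
        }
    }
}

// Constructed demo input, not taken from the article or the proof of concept.
$token = 'tok-EXAMPLE-123';
$spoofedRequest = ['HTTP_HOST' => 'attacker.example', 'HTTPS' => 'on'];
echo buildResetLinkUnsafe($spoofedRequest, $token), PHP_EOL;
echo buildResetLinkSafe('https://cms.example.org', $token), PHP_EOL;
echo filterHtmlAllowlist('<p onclick="x()">Hi <a href="javascript:alert(1)">link</a><script>evil()</script></p>'), PHP_EOL;
```

Run with the PHP CLI (the DOM extension must be loaded). The first printed link carries the spoofed host, which is exactly what lets an attacker-controlled server receive the reset token; the second carries only the configured origin regardless of what the request said. The filtered HTML keeps the paragraph and link text but loses the onclick handler, the javascript: href and the script element.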

This story was updated to clarify that the password reset issue remains unresolved, according to security researchers at Fortbridge, and to add comment from Joomla disputing the researchers’ findings.
