John Leyden 08 June 2021 at 14:43 UTC
Patch finally issued following difficult triage and disclosure process
Security researchers have revealed the details of two vulnerabilities in Joomla – the popular content management system – which, if chained together, could be used to achieve full system compromise.
The two vulnerabilities – a password reset vulnerability and a stored cross-site scripting (XSS) flaw – were both discovered by security researchers at Fortbridge and responsibly disclosed to Joomla’s developers in February and March, respectively.
After some delays, Joomla released a patch for the XSS vulnerability with version 3.9.2 of the CMS (released in May). The (arguably less serious) password reset vulnerability will be resolved with a “trusted_hosts” configuration, Joomla’s developers told Fortbridge.
Combination attack
The two vulnerabilities in Joomla were both high severity and “when chained together they allow an attacker to take over a Joomla website completely”, Fortbridge’s Adrian Tiron told The Daily Swig.
“Once the attacker has full access to the Joomla website, [they] can upload a php shell which will allow [them] to execute commands on the server,” Tiron warned.
The first vulnerability allows the attacker to reset an administrator’s password.
Tiron explained: “The attacker triggers the password reset process and can manipulate the password reset link to point to the attacker’s server where [they will] capture the victim’s token and reset [their] password once the victim clicks on the link, or the link is fetched by some AV/EDR [anti-virus/ endpoint detection and response] scanning solution.
“Once the attacker was able to reset the admin’s password and obtained admin privileges, [they] use the second vulnerability, a stored XSS, to target the ‘Super Admin’ user.”
By escalating privileges to ‘Super Admin’, an attacker can gain full access and the ability to run a remote code execution (RCE) attack against a vulnerable Joomla CMS, Fortbridge warns.
The root cause of the second flaw is that Joomla’s developers used a blocklist to block extensions, but forgot to block .html, according to Fortbridge.
Wider lessons
Fortbridge published a detailed technical write-up of its findings this week. Related proof-of-concept code was posted on GitHub.
The Daily Swig invited Joomla to comment on these findings but we have yet to hear back. We’ll update this story as and when more information comes to hand.
Joomla is one of the most popular CMS platforms with more than 1.5 million installations worldwide. Fortbridge came across the bugs it discovered in the platform during a penetration testing exercise.
Beyond the significance of the findings in their own right they offer lessons to other developers, according to Fortbridge’s Tiron.
For one thing, the stored XSS flaw would have been preventable through the use of allowlists rather than blocklists. Secondly, avoid building password reset links from $_SERVER['HTTP_HOST'] / $_SERVER['SERVER_NAME'], because these “variables are actually user input”, Tiron advised.
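As an added illustration of both lessons (not code from the article, from Fortbridge or from Joomla), the PHP sketch below shows a reset link built from $_SERVER['HTTP_HOST'] beside one that takes the site base URL from configuration and checks the inbound Host header against an allowlist of trusted hosts, plus an allowlist check for upload extensions. The reset URL path, the trusted host names and the allowed extensions are assumptions chosen for the example.

```php
<?php
declare(strict_types=1);

// Before: the link is built from the Host header. Whatever the client sent as
// "Host:" ends up in the e-mail, so the link can point at a host the site
// owner does not control. (Assumed path "/reset", not Joomla's.)
function buildResetLinkFromHostHeader(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    // $server['HTTP_HOST'] is user input, exactly the point the article makes
    return $scheme . '://' . $server['HTTP_HOST'] . '/reset?token=' . urlencode($token);
}

// After: the base URL comes from configuration, never from the request. The
// Host header is still compared against an allowlist of trusted hosts so that
// a mismatch is refused (and can be logged) instead of silently used.
function buildResetLinkFromConfig(array $server, string $token, array $trustedHosts, string $configuredBase): string
{
    $host = strtolower($server['HTTP_HOST'] ?? '');
    $hostNoPort = preg_replace('/:\d+$/', '', $host); // drop ":8080" style suffix
    if (!in_array($hostNoPort, $trustedHosts, true)) {
        throw new RuntimeException('Untrusted Host header: ' . $host);
    }
    return rtrim($configuredBase, '/') . '/reset?token=' . urlencode($token);
}

// Allowlist for uploads: only explicitly permitted extensions pass, so a type
// nobody thought to blocklist (such as .html) is rejected by default.
function uploadExtensionAllowed(string $filename, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $allowed, true);
}

// Constructed request: a client sent a Host header for a domain the site does not own.
$forged = ['HTTP_HOST' => 'not-our-site.example', 'HTTPS' => 'on'];
echo 'before: ', buildResetLinkFromHostHeader($forged, 'tok123'), PHP_EOL;
try {
    echo 'after:  ', buildResetLinkFromConfig($forged, 'tok123', ['www.example.org'], 'https://www.example.org'), PHP_EOL;
} catch (RuntimeException $e) {
    echo 'after:  refused (', $e->getMessage(), ')', PHP_EOL;
}
var_dump(uploadExtensionAllowed('notes.html'));
var_dump(uploadExtensionAllowed('photo.PNG'));
```

Running it shows the configured-base version refusing the forged Host header while the header-derived version would have emitted a link to the wrong domain.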