Joomla! 3.8.3: Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems. Its easy installation, usage, and extensibility make it the second most used CMS on the web next to WordPress1. Last year, our PHP static code analysis solution unveiled a rare LDAP injection vulnerability within the 500,000 lines of Joomla! code. This LDAP injection vulnerability, explained in our previous blog post, allowed attackers to fully take over Joomla! <= v3.7.5 installations that rely on LDAP for authentication.

Recent updates to our analysis engine lead to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions. This previously unknown vulnerability was disclosed to the Joomla! security team who released a security fix on the 30th of January 2018.

Who is affected

Installations with the following requirements are affected by this vulnerability:

  • Joomla! version <= 3.8.3 and >= 3.7.0

For exploitation an attacker needs to be authenticated to the Joomla! backend with a Manager account. This user group is available by default in Joomla! and has lower privileges than the Administrator or Super Users user groups.

Impact – What can an attacker do

An attacker exploiting this vulnerability can read arbitrary data from the database. This data can be used to further extend the permissions of the attacker. By gaining full administrative privileges she can take over the Joomla! installation by executing arbitrary PHP code.

In this blog post we will demonstrate how the RIPS static code analyzer was used to automatically find the previously unknown vulnerability. Further, we discuss the technical details behind the security issue.

To read the original article:

https://blog.ripstech.com/2018/joomla-privilege-escalation-via-sql-injection

 

Laisser un commentaire

Votre adresse de messagerie ne sera pas publiée. Les champs obligatoires sont indiqués avec *