In the latest developments, security researchers have detected two vulnerabilities in Joomla CMS that, when combined, can be exploited to critically compromise a network.
Joomla CMS vulnerabilities detected:
Joomla is a free and open-source content management system (CMS) for publishing web content on websites. Web content applications include discussion forums, photo galleries, e-commerce, user communities, and numerous other web-based applications. The system reportedly has more than 1.5 million installations.
The two vulnerabilities in Joomla CMS were detected by security researchers at the security organization Fortbridge and have been identified as having the potential to critically compromise networks.
Of the two vulnerabilities, one is a password reset flaw, while the other is a cross-site scripting (XSS) vulnerability that can enable privilege escalation attacks.
“Full compromise is a no-brainer really. Most CMSs support the capability of uploading custom themes/plug-ins, etc.,” notes Fortbridge. “We wrote a very simple custom plug-in which gave us remote code execution. This is for proof of concept purposes only and should not be used as such in a real environment.”
Exploitation of the Joomla CMS vulnerabilities as performed by the researchers:
Detailing how the Joomla CMS vulnerabilities can be exploited, the security researchers explained that there are two primary attack scenarios.
The first is a Host header poisoning scenario: threat actors abusing the password reset flaw can alter the Host header, which specifies the domain name, before the request reaches the intended back-end component, so that the reset link is built for a domain of their choosing.
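The defensive side of this scenario, as an added example that is not part of the original article or of Joomla's own code: a password reset link built from the raw Host header beside a version that only accepts an allowlisted host and otherwise falls back to the configured site hostname, returning a flag so the mismatch can be logged. The headers, hostnames and reset path are constructed placeholders, not real Joomla routes.

```python
from urllib.parse import quote

# Constructed sample headers (not captured traffic): one request carrying the
# site's real Host value, one where the Host header has been tampered with.
LEGIT_HEADERS = {"Host": "Shop.Example.org:443"}
TAMPERED_HEADERS = {"Host": "attacker.example.net"}

# Hypothetical deployment settings: the hostnames the site is served under and
# the configured site hostname that reset links should always be built from.
ALLOWED_HOSTS = {"shop.example.org", "www.shop.example.org"}
CANONICAL_HOST = "shop.example.org"
RESET_PATH = "/password/reset"  # placeholder path, not a real Joomla route


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """Weak pattern: the link's origin is copied from the request's Host header,
    so whoever controls that header controls where the reset token is delivered."""
    return f"https://{headers.get('Host', '')}{RESET_PATH}?token={quote(token)}"


def normalize_host(raw: str) -> str:
    """Lower-case the name and drop an optional ':port' so that 'Shop.Example.org:443'
    matches the allowlist entry 'shop.example.org'. Bracketed IPv6 literals are kept."""
    host = raw.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    return host.rsplit(":", 1)[0] if ":" in host else host


def reset_link_from_canonical_host(headers: dict, token: str) -> tuple[str, bool]:
    """Hardened pattern: only an allowlisted Host value is used; anything else is
    replaced by the configured canonical host. The boolean reports whether the
    request's Host was trusted, so the caller can log or alert on a mismatch."""
    host = normalize_host(headers.get("Host", ""))
    trusted = host in ALLOWED_HOSTS
    if not trusted:
        host = CANONICAL_HOST
    return f"https://{host}{RESET_PATH}?token={quote(token)}", trusted


if __name__ == "__main__":
    token = "constructed-token-value"
    print("weak:    ", reset_link_from_host_header(TAMPERED_HEADERS, token))
    print("hardened:", reset_link_from_canonical_host(TAMPERED_HEADERS, token))
```

A `False` second value from the hardened function is the signal worth forwarding to monitoring, since a legitimate browser never sends a Host value outside the allowlist.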
The second scenario is a privilege escalation attack, carried out against the admin user's account, which may already have been compromised using the password reset flaw.
To demonstrate this, the researchers subsequently exploited the XSS vulnerability by uploading malicious content to the targeted website.
The Fortbridge researchers found that by delivering the XSS payload to the admin account, or by embedding the link in website articles or comment sections in Joomla CMS, they were able to carry out a successful privilege escalation attack.
Fortbridge reportedly notified Joomla of the critical Joomla CMS vulnerabilities back in February and notes that the company released security patches for them in May.