Patch finally issued following difficult triage and disclosure process
Security researchers have revealed the details of two vulnerabilities in Joomla – the popular content management system – which, if chained together, could be used to achieve full system compromise.
The two vulnerabilities – a password reset vulnerability and a stored cross-site scripting (XSS) flaw – were both discovered by security researchers at Fortbridge and responsibly disclosed to Joomla’s developers in February and March, respectively.
After some delays, Joomla released a patch for the XSS vulnerability with version 3.9.2 of the CMS (released in May). The (arguably less serious) password reset vulnerability will be resolved with a “trusted_hosts” configuration, Joomla’s developers told Fortbridge.
The two vulnerabilities in Joomla were both high severity and “when chained together they allow an attacker to take over a Joomla website completely”, Fortbridge’s Adrian Tiron told The Daily Swig.
“Once the attacker has full access to the Joomla website, [they] can upload a php shell which will allow [them] to execute commands on the server,” Tiron warned.
The first vulnerability allows the attacker to reset an administrator’s password.
Tiron explained: “The attacker triggers the password reset process and can manipulate the password reset link to point to the attacker’s server where [they will] capture the victim’s token and reset [their] password once the victim clicks on the link, or the link is fetched by some AV/EDR [anti-virus/ endpoint detection and response] scanning solution.
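The manipulation Tiron describes is a Host header poisoning of the reset link. The following is an added example, not Joomla's code: a reset-link builder that takes its host from `$_SERVER['HTTP_HOST']` (which the attacker sets when triggering the reset), beside a hardened builder that only accepts a configured list of trusted hosts. The host names, the token, the `/password-reset` path and the `$trustedHosts` list are assumptions made up for the illustration.

```php
<?php
// Added example (not Joomla's code). Shows how a password-reset link built from
// $_SERVER['HTTP_HOST'] can be pointed at an attacker's host, and a hardened
// builder that only emits a host from a configured allowlist.
// The host names, token and URL path below are made-up sample values.

// Vulnerable: the link's host comes straight from the request's Host header.
// Whoever sends the reset request controls that header, so the emailed link
// can point at a server the attacker runs.
function buildResetLinkVulnerable(array $server, string $token): string
{
    $scheme = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $host   = $server['HTTP_HOST'] ?? $server['SERVER_NAME'];
    return $scheme . '://' . $host . '/password-reset?token=' . rawurlencode($token);
}

// Hardened: the Host header is compared (exact, case-insensitive) against a
// configured allowlist and the link is only built when it matches. An unknown
// host is refused rather than copied into the email.
function buildResetLinkHardened(array $server, string $token, array $trustedHosts): ?string
{
    $requested = strtolower(trim($server['HTTP_HOST'] ?? ''));
    // Exact match only: no suffix or prefix tricks such as "victim.example.attacker.test".
    // If the site listens on a non-default port, list "host:port" explicitly.
    if (!in_array($requested, array_map('strtolower', $trustedHosts), true)) {
        return null; // caller should abort the reset and log the mismatch
    }
    return 'https://' . $requested . '/password-reset?token=' . rawurlencode($token);
}

// Constructed request: the attacker triggers the reset with a spoofed Host header.
$spoofedRequest = ['HTTPS' => 'on', 'HTTP_HOST' => 'attacker.test', 'SERVER_NAME' => 'victim.example'];
$genuineRequest = ['HTTPS' => 'on', 'HTTP_HOST' => 'victim.example', 'SERVER_NAME' => 'victim.example'];
$trustedHosts   = ['victim.example'];
$token          = 'c0ffee0123'; // made-up reset token

// The vulnerable builder emits a link whose host is the attacker's; the token
// leaks as soon as the victim (or a link-scanning mail/EDR product) fetches it.
echo "vulnerable, spoofed Host:  ", buildResetLinkVulnerable($spoofedRequest, $token), PHP_EOL;

// The hardened builder refuses the spoofed host and only builds a link for a trusted one.
echo "hardened, spoofed Host:    ", var_export(buildResetLinkHardened($spoofedRequest, $token, $trustedHosts), true), PHP_EOL;
echo "hardened, genuine Host:    ", buildResetLinkHardened($genuineRequest, $token, $trustedHosts), PHP_EOL;
```

The simplest hardened form is to ignore the request entirely and read the canonical site URL from configuration; the allowlist version above is for deployments that legitimately answer on several host names. Either way the reset token should also be single-use and short-lived, so that a leaked link has a small window of usefulness.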
“Once the attacker was able to reset the admin’s password and obtained admin privileges, [they] use the second vulnerability, a stored XSS, to target the ‘Super Admin’ user.”
The root cause of the second flaw is that Joomla’s developers used a blocklist to block extensions, but forgot to block .html, according to Fortbridge.
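To make the root cause concrete, here is an added example (not Joomla's code) of an upload extension check written as a blocklist that omits `.html`, beside the allowlist form that fails closed. The extension lists and the sample file names are assumptions chosen for the illustration.

```php
<?php
// Added example (not Joomla's code). A blocklist of "dangerous" extensions
// accepts anything it forgot to list, so an HTML file carrying a <script>
// payload slips through. An allowlist only accepts known-safe extensions.
// The extension lists and sample names below are made up for the illustration.

// Blocklist: fails open. ".html" is not listed, so "xss.html" is accepted.
function isUploadAllowedBlocklist(string $filename): bool
{
    $blocked = ['php', 'phtml', 'php3', 'phar', 'exe', 'sh'];
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, $blocked, true);
}

// Allowlist: fails closed. Every dotted segment after the base name must be
// on the list, so double extensions such as "shell.php.jpg" (which some Apache
// configurations execute as PHP) and mixed case such as "Shell.PHP" are rejected too.
function isUploadAllowedAllowlist(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf'];
    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2 || $parts[0] === '') {
        return false; // no extension, or a dotfile with nothing before the dot
    }
    array_shift($parts); // drop the base name, keep every extension segment
    foreach ($parts as $segment) {
        if (!in_array($segment, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample file names, including the one that defeats the blocklist.
$samples = ['avatar.png', 'shell.php', 'Shell.PHP', 'xss.html', 'shell.php.jpg', 'notes'];
foreach ($samples as $name) {
    printf("%-14s blocklist=%-6s allowlist=%s\n", $name,
        isUploadAllowedBlocklist($name) ? 'pass' : 'reject',
        isUploadAllowedAllowlist($name) ? 'pass' : 'reject');
}
```

An extension allowlist is necessary but not sufficient on its own: uploaded files should also be served with a fixed `Content-Type` and `X-Content-Type-Options: nosniff`, ideally from a separate origin, so that a file accepted as an image can never be interpreted as HTML in the administrator's browser.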
The Daily Swig invited Joomla to comment on these findings but we’re yet to hear back. We’ll update this story as and when more information comes to hand.
Joomla is one of the most popular CMS platforms, with more than 1.5 million installations worldwide. Fortbridge came across the bugs during a penetration testing exercise.
Beyond the significance of the findings in their own right, they offer lessons to other developers, according to Fortbridge’s Tiron.
For one thing, the stored XSS flaw would have been preventable through the use of allowlists rather than blocklists. Secondly, avoid building password reset links from $_SERVER['HTTP_HOST'] / $_SERVER['SERVER_NAME'], because these “variables are actually user input”, Tiron advised.