Researcher identified 0-day vulnerability in CMS Joomla

Hacktive Security specialist Alessandro Groppo has identified a dangerous 0-day vulnerability in the Joomla CMS. According to him, some versions of the system are vulnerable to PHP object injection, which can lead to the execution of malicious code on the web server hosting the site.

The expert uploaded a detailed description of the bug and published an exploit that adds a backdoor to the configuration.php file.

"During one of our research activities, we discovered an undisclosed PHP Object Injection on Joomla CMS from the release 3.0.0 to the 3.4.6 (releases from 2012 to December 2015) that leads to Remote Code Execution. A PHP Object Injection was discovered in the wild and patched in the 3.4.5 version (CVE-2015-8562); however, this vulnerability also depends a lot on the PHP release installed, becoming not really trustworthy for all environments", writes Alessandro Groppo.

The vulnerability is similar to CVE-2015-8562, which the developers closed four years ago, but it does not depend on the PHP version used by the hosting. Exploiting the flaw allows many attack scenarios, one of which uses the CMS login form to deliver the payload.


As Groppo explained, the problem is related to incorrect deserialization of objects during read and write operations on the MySQL database. Using this flaw, an attacker can, for example, overflow the username field during login, which allows him to run a malicious script within the system. The error is present in Joomla up to version 3.4.7, where the developers began encrypting session data before storing it in the database. The current Joomla release at the time of publication is 3.9.11.
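The flaw described above is triggered by attacker-controlled input (the login username, and in the earlier CVE-2015-8562 the User-Agent header) ending up in serialized session data. From a defender's point of view, the cheapest early warning is to inspect those fields for the markers that PHP's serialize() produces. The following detector is an added example, not code from the article or from the Joomla project: it assumes a constructed key="value" log format for login attempts, a constructed username length threshold of 150, and the well-known serialize() output shapes for objects, arrays and protected/private property names.

```python
import re

# Marker of a serialized PHP object: O:<len>:"<class>":<n props>:{
# (this is the shape PHP's serialize() produces for objects)
PHP_OBJECT_RE = re.compile(r'O:\d+:"[A-Za-z_\\][\w\\]*":\d+:\{')
# Marker of a serialized PHP array: a:<n>:{
PHP_ARRAY_RE = re.compile(r'a:\d+:\{')
# serialize() encodes protected/private property names with NUL bytes
NULL_BYTE = "\x00"

# Constructed threshold: usernames longer than this are treated as anomalous
MAX_USERNAME_LEN = 150

# Constructed log format: key="value" pairs, with \" escaping inside values
LOG_LINE_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')

# Constructed sample log lines (one benign, two suspicious)
SAMPLE_LOG = [
    'ts="2019-10-03T09:12:01Z" ip="203.0.113.10" username="jdoe" user_agent="Mozilla/5.0"',
    'ts="2019-10-03T09:12:07Z" ip="198.51.100.7" username="a" user_agent="O:8:\\"stdClass\\":0:{}"',
    'ts="2019-10-03T09:13:44Z" ip="198.51.100.9" username="' + "x" * 200 + '" user_agent="curl/7.64"',
]


def parse_log_line(line):
    """Return a dict of key/value fields from one constructed log line."""
    return {k: v.replace('\\"', '"') for k, v in LOG_LINE_RE.findall(line)}


def inspect_value(field, value):
    """Return a list of findings for one user-supplied field value."""
    findings = []
    if PHP_OBJECT_RE.search(value):
        findings.append(f"{field}: serialised PHP object marker")
    if PHP_ARRAY_RE.search(value):
        findings.append(f"{field}: serialised PHP array marker")
    if NULL_BYTE in value:
        findings.append(f"{field}: null byte (protected/private property encoding)")
    if field == "username" and len(value) > MAX_USERNAME_LEN:
        findings.append(f"{field}: length {len(value)} exceeds {MAX_USERNAME_LEN}")
    return findings


def inspect_login_attempt(fields):
    """Check the fields an attacker controls in a login request."""
    findings = []
    for field in ("username", "user_agent"):
        if field in fields:
            findings.extend(inspect_value(field, fields[field]))
    return findings


def scan_log(lines):
    """Return (ip, findings) for every log line that raises at least one finding."""
    alerts = []
    for line in lines:
        fields = parse_log_line(line)
        findings = inspect_login_attempt(fields)
        if findings:
            alerts.append((fields.get("ip", "?"), findings))
    return alerts


if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

The length check matters because the bug is reached by oversized usernames, not only by obviously serialized content, so a detector that looks for `O:` markers alone would miss that path. Running the same inspection on the raw `data` column of Joomla's session table would catch serialized objects that have already been written, but the durable fix remains updating to a release where session data is encrypted before it reaches the database.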

Only CMS versions released from 2012 to 2015 are affected, which significantly limits the risk posed by the bug.

"However, many owners of web resources do not update Joomla due to compatibility issues with plugins and themes. As with CVE-2015-8562, attackers can launch attacks on unpatched systems to steal information or seize control of a web resource", notes Alessandro Groppo.

This spring, a serious bug was found in the Joomla mail server that allowed cybercriminals to send emails from addresses belonging to a vulnerable site. The problem, caused by incorrect processing of HTTP headers, allowed a serialized PHP object to be embedded in the User-Agent field. Information security experts learned of the error only after attackers had begun exploiting it: on one of the servers with the CMS installed, they found traces of an attack by a hacker using the alias Alarg53.

About the author

Valdis Koks

Security engineer, reverse engineering and memory forensics
