Joomla on Tuesday patched a critical vulnerability that had lingered in the content management system for eight years. It’s unknown whether the bug had been publicly exploited before it was privately reported in July, but an attacker could have leveraged the flaw to steal administrator login credentials.
The fix was included in the version 3.8 release this week. Specifically, it addressed improper input sanitization in the LDAP authentication plugin, which affected versions 1.5.0 through 3.7.5 if Joomla was configured to use the plugin.
Researchers at RIPS Technologies GmbH disclosed some details on the vulnerability on Wednesday. They said an attacker could exploit the vulnerability through the Joomla login page, taking advantage of the LDAP injection vulnerability in the login controller. With access to the admin control panel, an attacker could take over a site running on the CMS and potentially the webserver by uploading a custom extension and gaining remote code execution, RIPS CEO Johannes Dahse said. The risk, Dahse told Threatpost, is lessened somewhat since LDAP is not a common authentication option for Joomla.
“It is not that commonly used and not the default authentication. But specifically large organizations use LDAP and could be an attractive target for attackers when they connected Joomla! to their LDAP server,” he said.
Dahse explained that the vulnerability, CVE-2017-14596, can be triggered because user input is mixed unsanitized with the LDAP query markup that is passed to the LDAP search function.
“The LDAP server stores the username and passwords of all users, similar to a SQL database server. For authentication, an LDAP query is performed by Joomla! that checks if the supplied user credentials match a pair on the server,” Dahse said. “This LDAP query uses the credentials entered in the Joomla! login form. Due to the lack of sanitization, however, an attacker can malform the LDAP query (similar to a SQL injection) by injecting LDAP query syntax into the credentials that then end up in the LDAP query and modify its action.”
An attacker could do so by using LDAP wildcard characters (*) and taking note of authentication error messages. The attacker could modify requests and progressively send a series of payloads that guess credentials character by character, Dahse said.
“Each of these payloads yields exactly one out of two possible states which allow an adversary to abuse the server as an oracle,” Dahse wrote in the report. “A filter bypass is necessary for exploitation… With an optimized version of these payloads, one bit per request can be extracted from the LDAP server which results in a highly efficient blind LDAP injection attack.”
An attack can thus be automated with a script that checks character by character, he said.
“Since the script can send multiple requests per second to the Joomla login form in an automated fashion, the attack can succeed within seconds depending on the password’s length,” Dahse said.
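As an added illustration (not code from Joomla or the RIPS report), the unsafe pattern described above, where login input is spliced straight into the LDAP search filter, is shown beside the RFC 4515 escaping that neutralizes wildcard and filter syntax; the function names, the `uid` attribute and the sample inputs are assumptions.

```python
# Added illustration: unescaped credentials alter an LDAP search filter;
# RFC 4515 escaping prevents it. Names and inputs are assumed, not Joomla's code.
import re

# RFC 4515: these characters must be escaped as \XX inside a filter value.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a user-supplied value so it is matched literally in a filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Vulnerable pattern: the login name is spliced into the filter as-is,
    so a '*' in the input turns an exact match into a wildcard match."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Hardened pattern: every filter-significant character is escaped."""
    return f"(uid={escape_ldap_filter_value(username)})"


# Defensive structural check before a filter is sent to the directory:
# the value of the equality match may contain only literal characters
# or \XX escape sequences, never raw '(', ')', '*', '\' or NUL.
_WELL_FORMED = re.compile(r"^\(uid=(?:[^()*\\\x00]|\\[0-9a-fA-F]{2})*\)$")


def filter_is_well_formed(ldap_filter: str) -> bool:
    """True when the filter still expresses a single exact uid match."""
    return _WELL_FORMED.fullmatch(ldap_filter) is not None


if __name__ == "__main__":
    # Constructed sample inputs: a normal login name and one carrying a wildcard.
    for name in ["alice", "adm*n"]:
        unsafe, safe = build_filter_unsafe(name), build_filter_safe(name)
        print(f"{name!r}: unsafe={unsafe} ok={filter_is_well_formed(unsafe)} "
              f"| safe={safe} ok={filter_is_well_formed(safe)}")
```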
The 3.8 Joomla release also contained a security update for another information disclosure bug in the core engine. This one was a logic bug in a SQL query that could leak article introduction text when articles are archived. Versions 3.7.0 through 3.7.5 were affected.