Joomla Content System Vulnerable to Multiple Flaws
Researchers Identify a Password Reset and XSS Vulnerability That Can Be Chained
Security researchers have identified two vulnerabilities in the Joomla content management system that can be chained together for complete compromise of the network, a report by security firm Fortbridge finds.
Joomla is a widely used CMS with more than 1.5 million installations. The researchers note that one of the identified vulnerabilities is a password reset flaw and the other is a cross-site scripting - or XSS - vulnerability that can lead to privilege escalation.
The researchers note the attackers can chain these vulnerabilities together for full compromise of the victim's network. "Full compromise is a no-brainer really. Most CMSs support the capability of uploading custom themes/plug-ins, etc.," says Adrian Tiron, cloud AppSec consultant at Fortbridge. "We wrote a very simple custom plug-in which gave us remote code execution. This is for proof of concept purposes only and should not be used as such in a real environment."
Fortbridge, which notified Joomla of the vulnerabilities in February, says the company released patches for them in May.
Fortbridge points out two attack scenarios caused by the vulnerabilities. These are:
- Host header poisoning: Fortbridge says that hackers who have exploited the password reset flaw can use this tactic to conduct a host header poisoning attack in which they alter the host header used to specify the domain name before it reaches the intended back-end component.
- Privilege escalation: The report says this can be performed by configuring the admin user's account that was compromised via the password reset vulnerability. The researchers then exploited the XSS vulnerability by uploading malicious content to the website. By delivering the XSS payload to the admin account, or by embedding the link in the site's articles or comment sections within the content management system, Fortbridge researchers say they were able to escalate privileges.
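To make the host header poisoning scenario concrete, here is an added example (not code from the Fortbridge report or from Joomla) contrasting a password reset link builder that trusts the request's Host header with one that builds the link from a configured canonical origin and rejects unexpected hosts. The origin, hosts, reset path and token values are constructed placeholders.

```python
from urllib.parse import urlsplit

# Constructed configuration for the example: the origin this deployment is
# actually served from. In a real deployment this comes from site config,
# never from the request.
CANONICAL_ORIGIN = "https://cms.example.org"
ALLOWED_HOSTS = {"cms.example.org"}
RESET_PATH = "/password/reset"  # placeholder path, not Joomla's real route

# Constructed requests: one legitimate, one with a poisoned Host header.
LEGIT_REQUEST = {"Host": "cms.example.org"}
POISONED_REQUEST = {"Host": "hostile.example"}


def reset_link_from_host_header(headers: dict, token: str) -> str:
    """Vulnerable pattern: the reset link is built from whatever Host (or
    X-Forwarded-Host) the client sent, so the emailed link, and the secret
    token inside it, can be pointed at a domain the sender controls."""
    host = headers.get("X-Forwarded-Host") or headers["Host"]
    return f"https://{host}{RESET_PATH}?token={token}"


def reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened pattern: validate Host against an allowlist (defence in
    depth) and build the link from the configured origin, never from the
    request. X-Forwarded-Host is ignored here; honour it only for requests
    that provably came from your own reverse proxy."""
    host = headers.get("Host", "").split(":")[0].strip().lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}{RESET_PATH}?token={token}"


def hardened_accepts(headers: dict) -> bool:
    """True if the hardened builder would issue a link for this request."""
    try:
        reset_link_hardened(headers, "probe")
        return True
    except ValueError:
        return False


def link_leaves_origin(link: str) -> bool:
    """Detection check for outgoing reset mail: flag any link whose origin
    is not the canonical one, which is exactly what a poisoned Host yields."""
    parts = urlsplit(link)
    return f"{parts.scheme}://{parts.netloc}" != CANONICAL_ORIGIN
```

The `link_leaves_origin` check is also a cheap log-time detection: a reset link that does not point at the canonical origin should never occur in normal operation.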
Unlike the password reset vulnerability, XSS is a more common flaw that has been exploited by threat actors for various attacks.
A string of recent data breaches has been tied to such vulnerabilities. In February, unpatched vulnerabilities in Accellion's File Transfer Appliance, including XSS vulnerabilities, resulted in several data breaches (see: The Accellion Mess: What Went Wrong?).