Joomla 3.8 Patches Critical 8-Year Old Vulnerability

Joomla, one of the world’s most popular CMS powering over 3.3% of world’s websites, recently patched a critical vulnerability which has persisted in its content management system for 8 years. Leveraging this vulnerability could allow an attacker to steal administrator login credentials, paving way for further key information theft. This appalling revelation reveals the vulnerable state of CMSs which often go undetected and can pose a huge threat to users.

The German security firm RIPS Tech discovered the vulnerability: CVE-2017-14596, which was ultimately patched up in the recent version Joomla 3.8.  The fix targets improper input sanitization in the LDAP authentication plugin, which affects Joomla versions 1.5.0 through 3.7.5. Below is a PoC video made by Ripstech security researchers and originally published on their blog.

LDAP Injection Vulnerability

Termed by researchers as the LDAP injection vulnerability, this allows an attacker to use the login controller to his advantage through the Joomla login page. Once the attacker gains control of the admin control panel, he can potentially take over the Joomla running site and the web server by enforcing remote code execution.

Following code snippets reveal the code lines spanning the vulnerability:

Newly Released Joomla 3.8 Patches Critical 8-Year Old Vulnerability
In the class ‘LoginController’, the Joomla application receives the user-supplied credentials from its login form.
Newly Released Joomla 3.8 Patches Critical 8-Year Old Vulnerability
The credentials are passed on to the login method which then invokes the authenticate method.
Newly Released Joomla 3.8 Patches Critical 8-Year Old Vulnerability
Based on the plugin that is used for authentication, the authenticate method passes the credentials to the onUserAuthenticate method. If Joomla! is configured to use LDAP for authentication, the LDAP plugin’s method is invoked.
Newly Released Joomla 3.8 Patches Critical 8-Year Old Vulnerability
In the LDAP plugin, the username credential is embedded into the LDAP query specified in the search_string option. The search_string configuration option is “a query string used to search for the user, where [search] is directly replaced by search text from the login field”, for example, “uid=[search]“. The LDAP query is then passed to the simple_search method of the LDAP client which connects to the LDAP server and performs the ldap_search.
Newly Released Joomla 3.8 Patches Critical 8-Year Old Vulnerability
Image and explanation Source: Ripstech Blog

All the attacker needs to do is inject LDAP query syntax into the credentials, thus modifying the LDAP query. By using wildcard characters (.MP4) and noting authentication error messages, the attacker can modify requests and guess credentials.

The LDAP server is similar to the SQL database. While it is not widely used as the default authentication, some large organization do connect their sites to the LDAP server. This serves as an attractive target for malicious users looking to steal user credentials.

The Fix

The LDAP Injection Vulnerability is now addressed in Joomla 3.8 and is applicable to those accounts configured to use this plugin. Lack of input sanitization is one of the most common vulnerabilities faced by most CMS. It is advised to follow OWASP security guide for Testing Input Validation to secure your site against code execution attacks. Furthermore, Astra firewall can be a great value add to your Joomla website, contact us to secure your website against such attacks.

Waiting to Get Hacked?

Get security tips & latest vulnerability fixes right in your inbox:

About The Author

Bhagyeshwari Chauhan

An engineering grad and a technical writer, Bhagyeshwari blogs about web security, futuristic tech and space science.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Close