On September 19th, 2024, a critical vulnerability (CVE-2024-40748) was discovered in Joomla version 5.1.4, exposing sites running it to stored cross-site scripting (XSS) attacks. Stored cross-site scripting (second-order or persistent XSS) arises when an application receives data from an untrusted source and unsafely includes it within its later HTTP responses.
This allows attackers to inject malicious scripts into the website, which are executed whenever a user visits the affected page. The stored XSS vulnerability in Joomla was found in the module’s Menu Tag ID [tag_id] parameter.
Stored XSS Vulnerability: Technical Breakdown
Stored XSS is a type of cross-site scripting in which the application stores untrusted user input and later includes it in a page. Here the vulnerability is in the menu editing module’s ‘Menu Tag ID’ parameter. An attacker can place malicious code in this field, and when the page loads and a user picks a menu item with that tag ID, the script runs.
- OWASP Top 10: A3 - Injection
- Vulnerability: Stored XSS
- Short Description: Stored XSS in the Menu Tag ID [tag_id] parameter.
- Payload used: hqfpw%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22dmemc
Steps to Reproduce the Vulnerability
1. Download Joomla from the above URL and deploy it on your local host.
2. Log in with the credentials created on the home page.
3. Click on the “edit main menu” module, go to “advanced,” and paste the above payload in the “Menu Tag ID” section. Click on “save settings”.
4. Once the request is processed, you will see an alert pop-up containing a cookie when you hover your mouse over the options page.
5. Reload the page or hover over it again, and you will see that the payload is being executed. This behavior shows that there is a stored XSS vulnerability.
Impact
We found that if an attacker can control a script executed in the victim’s browser, they can generally fully compromise that user. The attacker can perform any action the user can perform, which carries the same implications as a reflected XSS vulnerability.
Stored XSS is more readily exploitable because, while reflected XSS requires a new delivery every time a user connects to the application, a stored XSS attack exists wholly within the application space. The attacker doesn’t have to reach out to other users and get them to choose an option containing the exploit. Instead, the attacker inserts the exploit directly into the application and waits for it to be triggered.
It is vital to note that stored cross-site scripting exploits do not execute in the context of other sites. This XSS vulnerability is limited to users logged in to the application.
Other ways in which a stored XSS vulnerability can be exploited are:
- Cookie Theft: Sophisticated attackers can intercept session cookies, hijack users’ sessions and gain access to potentially valuable information.
- Website Defacement: A malicious script can change a website’s content and display false information, slurs, or propaganda to damage the brand’s reputation.
- Malware Distribution: Attackers can inject scripts that download malware to users’ devices.
- Data Exfiltration: Sensitive information entered by users can be stolen through the injected script.
Current Status & Mitigation
The vulnerability currently remains unpatched. It will be fixed in the next release within a couple of weeks.
Here’s how you can mitigate this vulnerability:
- Update Joomla: The most critical step is to update Joomla to the latest version. The developers have vowed to fix the issue in the next few weeks. You can download the newest version from the official website: https://downloads.joomla.org/
- Input Validation & Sanitization: In the meantime, Joomla can adjust the backend to ensure that no user can store script in the “Menu Tag ID” field. The risk is mitigated by cleaning and filtering user-provided data so that malicious code cannot be injected.
- Security Awareness: Inform your administrators about password security and make them wary of user input.
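The two mitigations above applied to the payload listed in this advisory, as an added example that is neither Joomla’s code nor part of the original advisory: the template, the allowlist pattern and the field name are assumptions, and Python’s tolerant html.parser stands in for the browser to show which attributes survive each rendering.

```python
import html
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# The URL-encoded payload listed in the advisory above.
ADVISORY_PAYLOAD = (
    "hqfpw%22onmouseover%3d%22alert(1)%22style%3d%22position%3aabsolute%3b"
    "width%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22dmemc"
)

# Allowlist for a menu tag ID (assumption: one identifier token such as
# "main-menu"; Joomla's own rule for this field may differ).
TAG_ID_PATTERN = re.compile(r"[A-Za-z][A-Za-z0-9_-]{0,63}")

def decoded_payload() -> str:
    """The payload as the application would store it after URL decoding."""
    return unquote(ADVISORY_PAYLOAD)

def validate_tag_id(value: str) -> bool:
    """Input validation: accept only a plain identifier token, reject the rest."""
    return TAG_ID_PATTERN.fullmatch(value) is not None

def render_unsafe(tag_id: str) -> str:
    """Hypothetical vulnerable template: raw interpolation into an attribute."""
    return f'<ul class="menu" id="{tag_id}">'

def render_safe(tag_id: str) -> str:
    """Hardened template: encode for the attribute context before interpolating."""
    return f'<ul class="menu" id="{html.escape(tag_id, quote=True)}">'

class _AttrCollector(HTMLParser):
    """Record the attributes a tolerant HTML parser sees on the rendered tag."""
    def __init__(self) -> None:
        super().__init__()
        self.attrs = {}
    def handle_starttag(self, tag, attrs) -> None:
        self.attrs = dict(attrs)

def parsed_attrs(fragment: str) -> dict:
    parser = _AttrCollector()
    parser.feed(fragment)
    parser.close()
    return parser.attrs

def event_handlers(fragment: str) -> list:
    """Detection check: which on* handler attributes survived rendering?"""
    return sorted(n for n in parsed_attrs(fragment) if n.startswith("on"))
```

With the raw template the stored value breaks out of the id attribute and an onmouseover handler appears on the element; with validation the value is rejected before storage, and with attribute encoding it is rendered as inert text inside the id.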