
Joomla Content System Vulnerable to Multiple Flaws

Researchers Identify a Password Reset and XSS Vulnerability That Can Be Chained

Security researchers have identified two vulnerabilities in the Joomla content management system that can be chained together for complete compromise of the network, a report by security firm Fortbridge finds.


Joomla is a widely used CMS with more than 1.5 million installations. The researchers note that one of the identified vulnerabilities is a password reset flaw and the other is a cross-site scripting - or XSS - vulnerability that can lead to privilege escalation.

The researchers note that attackers can chain these vulnerabilities together for full compromise of the victim's network. "Full compromise is a no-brainer really. Most CMSs support the capability of uploading custom themes/plug-ins, etc.," says Adrian Tiron, cloud AppSec consultant at Fortbridge. "We wrote a very simple custom plug-in which gave us remote code execution. This is for proof of concept purposes only and should not be used as such in a real environment."

Fortbridge, which informed Joomla of the vulnerabilities in February, says the company released patches for them in May.

Attack Scenarios

Fortbridge points out two attack scenarios caused by the vulnerabilities. These are:

  • Host header poisoning: Fortbridge says that hackers who have exploited the password reset flaw can use this tactic to conduct a host header poisoning attack, in which they alter the HTTP Host header, which specifies the domain name the request is addressed to, before it reaches the back-end component that relies on it.
  • Privilege escalation: The report says this can be performed by configuring the admin user's account that was compromised using the password reset vulnerability. The researchers then exploited the XSS vulnerability by uploading malicious content to the website. By delivering the XSS payload to the admin account, or by embedding the link in the website's articles or comments sections in the content management system, Fortbridge researchers say they were able to perform privilege escalation.
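The host header poisoning scenario above depends on a password reset flow that builds the emailed reset link from whatever Host header the client supplied. The following is an added illustration, not code from the article or from Joomla, of the weak pattern beside a hardened one that derives the link from a configured canonical origin, plus a small check that flags reset requests whose Host header is off the allowlist. The hostnames, the `/reset` path and the log line format are all constructed for the example.

```python
"""Added example: building password-reset links without trusting the Host header.

If the link's host comes from the request, an attacker who can set the Host
header on a reset request for a victim's account steers the emailed link to a
host the attacker controls; clicking it hands over the reset token. Deriving
the link from a configured canonical origin removes that dependency.
"""
import re
from typing import Dict, Iterable, List

# Assumption: the site operator configures its canonical origin and the set of
# hostnames the site is legitimately served under (constructed placeholders).
CANONICAL_ORIGIN = "https://cms.example.test"
ALLOWED_HOSTS = {"cms.example.test"}


def build_reset_link_vulnerable(request_headers: Dict[str, str], token: str) -> str:
    """Weak pattern: the link's host is copied from the client-supplied Host header."""
    host = request_headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def is_trusted_host(request_headers: Dict[str, str]) -> bool:
    """True only if the Host header (port stripped) is on the configured allowlist."""
    host = request_headers.get("Host", "").split(":", 1)[0].lower()
    return host in ALLOWED_HOSTS


def build_reset_link_hardened(request_headers: Dict[str, str], token: str) -> str:
    """Hardened pattern: the link always uses the configured canonical origin.

    The Host header is still checked so that a mismatched request is rejected
    (and can be logged) rather than silently answered with a valid link.
    """
    if not is_trusted_host(request_headers):
        raise ValueError(
            f"unexpected Host header on reset request: {request_headers.get('Host')!r}"
        )
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


# Constructed access-log format: "<METHOD> <PATH> host=<HOST> user=<USER>".
_LOG_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) host=(?P<host>\S+) user=(?P<user>\S+)$")


def flag_suspicious_reset_requests(log_lines: Iterable[str]) -> List[str]:
    """Return the reset requests whose Host header is not on the allowlist.

    A reset request arriving under an unexpected hostname is the fingerprint of
    the poisoning attempt described above, whether or not the link builder is
    vulnerable, so it is worth alerting on independently of the code fix.
    """
    flagged = []
    for line in log_lines:
        m = _LOG_RE.match(line.strip())
        if not m or m.group("path") != "/reset":
            continue
        if m.group("host").split(":", 1)[0].lower() not in ALLOWED_HOSTS:
            flagged.append(line)
    return flagged


# Constructed sample log lines for a stand-alone run.
SAMPLE_LOG = [
    "POST /reset host=cms.example.test user=alice",
    "POST /reset host=attacker.example.test user=admin",
    "GET /index.php host=cms.example.test user=-",
]

if __name__ == "__main__":
    spoofed = {"Host": "attacker.example.test"}
    print("vulnerable:", build_reset_link_vulnerable(spoofed, "TOKEN"))
    try:
        build_reset_link_hardened(spoofed, "TOKEN")
    except ValueError as exc:
        print("hardened rejected:", exc)
    print("hardened:", build_reset_link_hardened({"Host": "cms.example.test"}, "TOKEN"))
    print("flagged:", flag_suspicious_reset_requests(SAMPLE_LOG))
```

The design choice worth noting is that the hardened builder never "repairs" a bad Host header into the canonical one: a reset request under a hostname the site does not serve should fail loudly, because that failure is the detection signal the log scanner keys on.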

Recent Incidents

Unlike the password reset vulnerability, XSS is a common class of flaw that threat actors have exploited in a variety of attacks.

A string of recent data breaches has been tied to such vulnerabilities. In February, unpatched vulnerabilities in Accellion's File Transfer Appliance, including XSS vulnerabilities, resulted in several data breaches (see: The Accellion Mess: What Went Wrong?).

Also in February, PayPal patched an XSS vulnerability in its currency conversion endpoint that, if exploited, could enable malicious JavaScript injection (see: PayPal Mitigates XSS Vulnerability).

In 2019, an independent security researcher found that an XSS bug in the Tesla Model 3's web browser enabled him to hack into the car. The researcher noted that the flaw, if exploited, could enable a hacker to perform JavaScript injection to compromise the car further (see: How a Big Rock Revealed a Tesla XSS Vulnerability).
About the Author

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.
