-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Title: Joomla! session id not hashed
Author: Blazej Adamczyk (br0x)
Date: 2015-06-30
Download site:
https://github.com/joomla/joomla-cms/releases/download/3.6.2/Joomla_3.6.2-Stable-Full_Package.zip
Version: 3.6.2 and below
Vendor: https://www.joomla.org/
Vendor Notified: 2016-09-20
Vendor Contact: https://www.joomla.org/
CVSS: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)
Description:
The session_ids for all joomla users are stored in plaintext in the
“prefix_session” table. This
allows the attacker to exploit an SQLi to retrieve the session id and access
Joomla! backend with
user (victim) privileges. The session_id cookie value should not be stored in
the database. A
cryptographic hash function should be used instead and the real cookie should
be known only to the
user. On each request Joomla should compare the hash of the cookie with the
value stored in db.
This is a well known vector for gaining code execution having only an SQL
injection vulnerability in
Joomla! sites. For example, some MSF modules use it to gain code execution (e.g.
joomla_contenthistory_sqli_rce).
The aim of this diclosure is to attract the attention of Joomla!
community/developers and start a
dicussion for a proper fix.
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
iQEcBAEBCAAGBQJX4Qq2AAoJELcOb3l0I/e3tSsIAJy7Gsex+mUuU8rz74jwtzSR
i6laiR2ULkkMWmN7AHrDXxSLgegq+0HbxA315CZ1wg6WT63j0GWE7UYR4I84H69F
2q048H4qDdmX4wetOIVnyeIpyxq2a6/8SrcwVRkAaVjqXUNTQaQwTgusosWF4NvL
YF56h5VznlReb6Kvu5jjb9MalBKvmmDKxwgIWeBQ8pfSop0J0EIuhlZ9DvK3mKpo
5821OI4SfcuxU/gdiP+dQru5ln5ySLQsB59ydeFE8JVLirf1LBesepcimuqAmQiM
j0QxynYFFV/GCuWpbYsQ7JQmMA8UPbRLzEJxvGhLZ1FKFkauUnvAvSZ36pj6zTM=
=fu19
-END PGP SIGNATURE-
___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
