Follow

06/19/17: CMS Joomla com_fields SWL Injection Information Disclosure | Security Bulletin

In This Article

Threat Summary

Overview

The Joomla CMS core product code is vulnerable to a SQL injection attack. This enables an attacker to directly send code to the backend SQL server to be executed. This may result in data exfiltration or data being deleted.

Exploitation

Stages

  1. A remote unauthenticated attacker makes a request to the server running a vulnerable version of Joomla, with a boolean-based blind or error-based SQL injection in the list[fullordering]=parameter.
  2. The server responds with a 500 internal server error, and the attacker retrieves information about the database.

Prerequisites

No prior authentication is needed to create a successful exploit

Vulnerability Description

There is a vulnerability in version 3.7 of the Joomla CMS. It is caused by a component named ‘com_fields’. To exploit this vulnerability, all an attacker must do is add the proper parameters to the URL to inject nested SQL queries into the parameter ‘list[fullordering]=’. The result of this attack could include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen).

Back to top

Alert Logic Coverage

Alert Logic® has evaluated its customer base for exposure to the exploit and has developed signatures for mitigating the threat depending on the security service in place.

The Network-Based Intrusion Detection System (IDS) has been updated with the new signatures for this exploit when detected via Alert Logic Threat Manager™. If this signature is detected, an incident is generated in the Alert Logic console.

In addition, detection of this threat is provided via the AlertLogic ActiveWatch™ for Web Security Manager™ service. Depending on your deployment of Web Security Manager, you will receive an incident (for out-of-band deployment) or the threat will be actively blocked and rejected (for the inline Web Security Manager Premier deployment) if an exploit attempt is observed.

Back to top

Recommendations for Mitigation

Check web server access logs for requests to the vulnerable page with a SQL injection in the parameter This will only be effective if the attack is carried out in the URI.

Upgrade to Joomla 3.7.1 to mitigate the vulnerability.

 Back to top

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.