full-disclosure

Open Source and information security mailing list archives

Date: Tue, 20 Sep 2016 12:09:32 +0200
From: Blazej Adamczyk <blazej.adamczyk@...il.com>
To: fulldisclosure@...lists.org,
 cve-assign@...re.org
Subject: [FD] Joomla! session id not hashed.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Title: Joomla! session id not hashed
Author: Blazej Adamczyk (br0x)
Date: 2015-06-30
Download site: https://github.com/joomla/joomla-cms/releases/download/3.6.2/Joomla_3.6.2-Stable-Full_Package.zip
Version: 3.6.2 and below
Vendor: https://www.joomla.org/
Vendor Notified: 2016-09-20
Vendor Contact: https://www.joomla.org/
CVSS: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

Description:
The session_ids for all joomla users are stored in plaintext in the “prefix_session” table. This
allows the attacker to exploit an SQLi to retrieve the session id and access Joomla! backend with
user (victim) privileges. The session_id cookie value should not be stored in the database. A
cryptographic hash function should be used instead and the real cookie should be known only to the
user. On each request Joomla should compare the hash of the cookie with the value stored in db.

This is a well known vector for gaining code execution having only an SQL injection vulnerability in
Joomla! sites. For example, some MSF modules use it to gain code execution (e.g.
joomla_contenthistory_sqli_rce).

The aim of this diclosure is to attract the attention of Joomla! community/developers and start a
dicussion for a proper fix.

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives