Experts spotted a login page flaw in Joomla that exposes admin credentials

Researchers at RIPS Technologies discovered a login page vulnerability affecting Joomla versions between 1.5 and 3.7.5 that exposes admin credentials.

Experts at RIPS Technologies discovered a login page flaw affecting Joomla versions between 1.5 and 3.7.5 that exposes admin credentials.

The flaw affects Joomla installs when using Lightweight Directory Access Protocol (LDAP) authentication. Joomla implements LDAP access via TCP/IP through a native authentication plugin that can be enabled from the Plugin Manager.

The researchers discovered that when the LDAP authentication plugin is enabled an attacker can try to determine the username and password by guessing the credentials character by character from the login page.

Curiously, the RIPS researchers classified the flaw as critical, meanwhile Joomla’s advisory lists report it as a medium-severity issue.

RIPS researchers discovered that the login page vulnerability, tracked as CVE-2017-14596, is caused by to the lack of input sanitization,

“By exploiting a vulnerability in the login page, an unprivileged remote attacker can efficiently extract all authentication credentials of the LDAP server that is used by the Joomla! installation. These include the username and password of the super user, the Joomla! Administrator,” reads the analysis published by RIPS researchers.

“An attacker can then use the hijacked information to login to the administrator control panel and to take over the Joomla! installation, as well as potentially the web server, by uploading custom Joomla! extensions for remote code execution,” 

RIPS has published a proof-of-concept (PoC) code and a video PoC, however, the exploit also requires a filter bypass, that the company hasn’t disclosed.

“The lack of input sanitization of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.” continues the analysis.

The flaw was reported to the development team on July 27, this week Joomla released the version 3.8 that fixed the problem.

The version 3.8 also addresses another information disclosure vulnerability, a logic flaw in SQL queries tracked as CVE-2017-14595,

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – CMS, hacking)

[adrotate banner=”12″]