Vulnerability Summary
Joomla is a widely used open source, cross-platform content management system (CMS) written in PHP and backed by MySQL. In Joomla 4.0.0 through 4.2.7, `parseApiRoute()` in `ApiRouter.php` does not filter the query parameters of an incoming GET request, so an attacker can append `public=true` to a request to a Joomla API endpoint (for example `/api/index.php/v1/config/application?public=true&key=value`) and read it without authentication.
- Fix: the vulnerability is fixed in version 4.2.8; users should upgrade Joomla to 4.2.8 or later.
- Vulnerability link: https://www.oscs1024.com/hd/MPS-2023-1918
The following content is taken from Erikten's analysis of the vulnerability on the "Security Diary" public account:
0x00 Environment setup
Download the release directly from GitHub:
https://github.com/joomla/joomla-cms/releases/tag/4.2.8
0x01 Vulnerability Analysis
The root cause of this vulnerability is an authentication bypass caused by variable overwriting: a request parameter overwrites a route variable that is supposed to be set only by the route definition. The diff of the official fix shows how this variable overwrite was closed:
`https://github.com/joomla/joomla-cms/commit/5897df8ee39056fbd37624eeeeff1b81e24d84ef#diff-865580463b5f16d45dc41be7d57bf9f2ab7dd875215c2ad0471247f63b9e1b4c`
array_key_exists() checks whether the given key is present in an array. If a `public` key exists in the query parameters, the patch immediately discards it with unset(). That alone gives the game away: the `public` variable can be overwritten from the request, and that is what leads to unauthorized access.
Set a breakpoint at the first red box. To make the vulnerability easier to reproduce, comment out the patch first, then visit:
/api/index.php/v1/config/application?public=true&key=value
At the breakpoint you can see that $query has received the parameters we sent.
Stepping on, a regular-expression match checks whether our request method and path are valid for the route being examined.
Forcing execution into the loop body, we can see that $vars holds the default values of the matched route, in which `public` is false.
Because routeVariables of this $route is empty, the inner loop over route variables is not entered.
Next, $route->getController() returns the controller of the current route; its value corresponds to the controller and the method name within it.
Now pay attention: this is where the variable overwrite happens. The program uses array_merge() to merge several arrays into one. At this point `public` in $vars is still false.
However, when array_merge() processes the arrays, the value from $query wins, because for string keys a later array overwrites an earlier one. See the official PHP documentation of array_merge().
So after the merge `public` holds the value from the request, true.
Why does changing `public` to true let us bypass authorization? Because the permission check lives in libraries/src/Application/ApiApplication.php:304: authentication is only performed when the `public` entry under $route['vars'] is missing or false. With `public` now true, the check is skipped entirely.
In the end we bypass authentication and achieve unauthorized access.
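To make the overwrite and the fix concrete, here is an added, self-contained PHP model written for this article; it is not Joomla's own code. `DemoRoute`, the function names and the `=== false` authentication gate are assumptions that follow the shape described above (route defaults merged with the raw query via array_merge(), and an ApiApplication-style check that skips authentication when `public` is true):

```php
<?php
// Added demo for this article, not Joomla's own code. Models the overwrite in
// ApiRouter::parseApiRoute() and the 4.2.8-style fix. DemoRoute, the function
// names and the authentication gate are assumptions shaped after the analysis.
declare(strict_types=1);

/** Minimal stand-in for Joomla's Route object (assumption). */
final class DemoRoute
{
    private string $regex;
    private array  $defaults;
    private string $controller;

    public function __construct(string $regex, array $defaults, string $controller)
    {
        $this->regex      = $regex;
        $this->defaults   = $defaults;
        $this->controller = $controller;
    }

    public function getRegex(): string      { return $this->regex; }
    public function getDefaults(): array    { return $this->defaults; }
    public function getController(): string { return $this->controller; }
}

/**
 * Vulnerable shape: route defaults are merged with the raw query string and the
 * query comes last, so for string keys array_merge() lets the client's value win.
 */
function parseRouteVulnerable(DemoRoute $route, string $path, array $query): ?array
{
    if (!preg_match($route->getRegex(), ltrim($path, '/'))) {
        return null; // not this route
    }

    $vars = $route->getDefaults();       // e.g. ['public' => false]
    $vars = array_merge($vars, $query);  // 'public' from the URL overwrites the default

    [$controller, $task] = explode('.', $route->getController(), 2);

    return ['controller' => $controller, 'task' => $task, 'vars' => $vars];
}

/**
 * Fixed shape (same idea as the 4.2.8 patch): strip 'public' from the query
 * before merging so only the route definition can set it.
 */
function parseRouteFixed(DemoRoute $route, string $path, array $query): ?array
{
    if (array_key_exists('public', $query)) {
        unset($query['public']);
    }

    return parseRouteVulnerable($route, $path, $query);
}

/**
 * Models the gate in ApiApplication::route(): authenticate unless the parsed
 * route carries public === true. A query-string value is always a string and a
 * string is never === false, so in this model 'public=0' bypasses just like
 * 'public=true' does (assumption about the model, checked against the text only).
 */
function requiresAuthentication(array $parsed): bool
{
    return !isset($parsed['vars']['public']) || $parsed['vars']['public'] === false;
}

// Constructed input mirroring /api/index.php/v1/config/application?public=true&key=value
$route = new DemoRoute('#^v1/config/application$#', ['public' => false], 'config.displayItem');
$path  = '/v1/config/application';
$query = ['public' => 'true', 'key' => 'value']; // query-string values arrive as strings

$results = [
    'vulnerable' => parseRouteVulnerable($route, $path, $query),
    'fixed'      => parseRouteFixed($route, $path, $query),
];

foreach ($results as $label => $parsed) {
    printf(
        "%-10s public=%s  authentication %s\n",
        $label,
        var_export($parsed['vars']['public'], true),
        requiresAuthentication($parsed) ? 'required' : 'SKIPPED'
    );
}
```

Run it with `php demo.php`: the vulnerable parse reports the request's `public` value and `requiresAuthentication()` returns false, while the fixed parse keeps the route's default and authentication stays enforced. The point of the fix is that the client's value never reaches the merge at all; what value the client sends is irrelevant.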
The route-iteration loop seen earlier in the analysis walks all registered API routes; every route that reaches that array_merge() is an affected interface.