With over 84 million downloads, Joomla! is one of the most popular content management systems. We detected a previously unknown LDAP injection vulnerability in the login controller. This one vulnerability could allow remote attackers to leak the super user password and to fully take over any Joomla! <= 3.7.5 installation that uses LDAP for authentication.
Requirements - Who is affected
Joomla! powers about 3.3% of all websites’ content and articles. Installations with the following requirements are affected by this vulnerability:
- Joomla! version 1.5 <= 3.7.5 is installed
- Joomla! is configured to use LDAP for authentication
This is not a configuration flaw and an attacker does not need any privileges to exploit this vulnerability.
Impact - What can an attacker do
By exploiting a vulnerability in the login page, an unprivileged remote attacker can efficiently extract all authentication credentials of the LDAP server that is used by the Joomla! installation. These include the username and password of the super user, the Joomla! administrator. An attacker can then use the hijacked information to login to the administrator control panel and to take over the Joomla! installation, as well as potentially the web server, by uploading custom Joomla! extensions for remote code execution.
Vulnerability Analysis - CVE-2017-14596
We identified a vulnerability that spans over the following nested code lines. First, in the
LoginController the Joomla! application receives the user-supplied credentials from the login form in line 62.
The credentials are passed on to the
login method which then invokes the
Based on the plugin that is used for authentication, the
authenticate method passes the credentials to the
onUserAuthenticate method. If Joomla! is configured to use LDAP for authentication, the LDAP plugin’s method is invoked.
In the LDAP plugin, the
username credential (line 117) is embedded into the LDAP query as specified in the
search_string option. According to the official Joomla! documentation, the
search_string configuration option is “a query string used to search for the user, where [search] is directly replaced by search text from the login field”, for example “uid=[search]“. The LDAP query is then passed to the
simple_search method of the
LdapClient which connects to the LDAP server and performs the
Proof Of Concept - Blind LDAP Injection
The lack of input sanitization of the
username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.
Each of these payloads yield exactly one out of two possible states which allow an adversary to abuse the server as an Oracle. A filter bypass is necessary for exploitation that is not covered in this blog post. With an optimized version of these payloads one bit per request can be extracted from the LDAP server which results in a highly efficient blind LDAP injection attack.
|2017/07/27||Provided vulnerability details and PoC to vendor|
|2017/07/29||Vendor confirmed security issue|
|2017/09/19||Vendor released fixed version|
As one of the most popular open source CMS applications, Joomla! receives many code reviews from the security community. Yet alone one missed security vulnerability in the 500,000 lines of code can lead to a server compromise. With the help of static code analysis, we detected a critical LDAP injection vulnerability (CVE-2017-14596) that remained undiscovered for over 8 years. The vulnerability allows an attacker to steal login credentials from Joomla! installations that use LDAP authentication.
We would like to thank the Joomla! Security Strike Team for an excellent coordination and remediation of this issue and recommend to update to the latest Joomla! version 3.8 immediately.
- Exploiting Hibernate Injections
- Backend SQL Injection in BigTree CMS 4.4.6
- dotCMS 5.1.5: Exploiting H2 SQL injection to RCE
- Joomla! 3.8.3: Privilege Escalation via SQL Injection
- CubeCart 6.1.12 - Admin Authentication Bypass
- Pre-Auth Takeover of OXID eShops
- Breaking Into Your Company's Internal Network - SuiteCRM 7.11.4