Joomla! 3.8.3: Privilege Escalation via SQL Injection

Joomla! is one of the biggest players in the market of content management systems. Its easy installation, usage, and extensibility make it the second most used CMS on the web next to WordPress¹. Last year, our PHP static code analysis solution unveiled a rare LDAP injection vulnerability within the 500,000 lines of Joomla! code. This LDAP injection vulnerability, explained in our previous blog post, allowed attackers to fully take over Joomla! <= v3.7.5 installations that rely on LDAP for authentication.

Recent updates to our analysis engine lead to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions. This previously unknown vulnerability was disclosed to the Joomla! security team who released a security fix on the 30th of January 2018.

Who is affected

Installations with the following requirements are affected by this vulnerability:

• Joomla! version <= 3.8.3 and >= 3.7.0

For exploitation an attacker needs to be authenticated to the Joomla! backend with a Manager account. This user group is available by default in Joomla! and has lower privileges than the Administrator or Super Users user groups.

Impact - What can an attacker do

An attacker exploiting this vulnerability can read arbitrary data from the database. This data can be used to further extend the permissions of the attacker. By gaining full administrative privileges she can take over the Joomla! installation by executing arbitrary PHP code.

In this blog post we will demonstrate how the RIPS static code analyzer was used to automatically find the previously unknown vulnerability. Further, we discuss the technical details behind the security issue.

Automated Detection

It took RIPS roughly 4 minutes to transform the large code base of Joomla! with over 500,000 lines of code into an abstract graph model and to perform data flow analysis throughout this graph for the detection of over 80 vulnerability types. During this in-depth code analysis, two high-severe vulnerabilities of type SQL injection were reported.

A closer look at the detailed description of the reported vulnerabilities in RIPS’ web interface revealed that in a specific file of Joomla!, user-controlled input is used to construct a SQL query without any sanitization.

The RIPS engine equipped with its unique static code analysis algorithms successfully identified a dangerous source of user input. Also, a method of Joomla!’s database abstraction layer was identified as security-sensitive because it concatenates SQL code for the execution of database queries. RIPS detected that the user input is used unsanitized in this security-sensitive method and reported a SQL injection vulnerability. It allows an attacker to inject SQL code and to modify the database query to her advantage and to steal private data.

  See RIPS report

Technical Analysis: Second-Order Blind SQL Injection

The SQL injection is located in the file administrator/templates/hathor/postinstall/hathormessage.php. The following code summary shows the vulnerability.

administrator/templates/hathor/postinstall/hathormessage.php

 1 2 3 4 5 6 7 8 9101112131415161718

function hathormessage_postinstall_condition()
{
    ⋮
    $adminstyle = $user->getParam('admin_style', '');
	if ($adminstyle != '')
	{
        $query = $db->getQuery(true)
            ->select('template')
            ->from($db->quoteName('#__template_styles'))
            ->where($db->quoteName('id') . ' = ' . $adminstyle[0])
            ->where($db->quoteName('client_id') . ' = 1');

        // Get the template name associated to the admin style
        $template = $db->setquery($query)->loadResult();
        ⋮
    }
    ⋮
}

The function hathormessage_postinstall_condition() is called by a component for post-installation messages introduced in Joomla! 3.2.0 every time the dashboard is loaded. In this function, the content of the variable $adminstyle gets concatenated into the WHERE part of the constructed SQL query without proper sanitization in line 10. If an attacker can control the content of the parameter admin_style, she can inject arbitrary SQL into the query that is executed in line 14.

The parameter admin_style is received in line 4. It contains the ID of the backend template that the user has configured for usage. A user can change this parameter in his profile settings. A quick verification by intercepting the saving request for user parameters and changing the value for admin_style showed that it is saved to the database without any further check or sanitization. Thus, an attacker can inject arbitrary content into this parameter that is later used in the SQL query. This SQL injection is a second-order vulnerability since the payload is first saved to the database and later used in the query. The query result is not displayed directly in the web page, thus, an attacker needs to use error-based or timing-based injection techniques for exploitation. The following figure demonstrates how an XPath error message within the SQL query can be used to read out the session ID of a currently logged-in administrator.

Time Line

Summary

Security vulnerabilities are everywhere and can be found even in the most popular and most reviewed open source applications. A new SQL injection vulnerability was uncovered in Joomla! that affects versions prior to 3.8.4. The vulnerability was automatically identified with RIPS static code analyzer that uses cutting-edge SAST techniques. In this blog post, we examined the roots of the second-order blind SQL injection and demonstrated how RIPS can help find such hidden security issues in large and complex PHP projects.

We would like to thank the security team behind Joomla! for their professional collaboration and for quickly resolving the issues with the release of version 3.8.4. If you are still using an older version, we encourage you to update.