Naked Security

Joomla 3.8 fixes serious LDAP authentication issue, update now

The bug allows the extraction of an affected site's credentials "in seconds"

Version 3.8 of Joomla, the world’s second-most popular website content management system (CMS), is out. The update includes fixes for two security issues including a very serious flaw in Joomla’s LDAP Authentication Plugin.

Although the CMS’s popularity is a distant second behind the juggernaut that is WordPress, it is running on over 3% of the world’s websites today (that’s tens of millions of sites).

The first vulnerability fixed in the 3.8 release is an LDAP injection flaw that had gone unnoticed for almost a decade until its recent discovery.

LDAP (Lightweight Directory Access Protocol) is a protocol for sharing directories of information, such as lists of users and their passwords, throughout a network.

Dr. Johannes Dahse at RIPS Technologies found the injection vulnerability and describes it as a bug that allows an attacker to “extract all authentication credentials … in 20 seconds” including the administrator credentials.

Credentials, he explains, are guessed “character by character”:

The lack of input sanitization of the username credential used in the LDAP query allows an adversary to modify the result set of the LDAP search. By using wildcard characters and by observing different authentication error messages, the attacker can literally search for login credentials progressively by sending a row of payloads that guess the credentials character by character.

Dahse’s proof of concept shows that an attacker could gain administrative access within a matter of seconds. With an administrator password an attacker could log in to a Joomla-powered website’s control panel and do just about whatever they like.
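The root cause described above is a username dropped straight into an LDAP search filter, so filter metacharacters in it (the wildcard `*`, parentheses, backslash) change what the query matches. The following Python is an added example, not Joomla's plugin code or RIPS' proof of concept: it implements RFC 4515 filter-value escaping, shows the same username in an unescaped and an escaped filter, and adds a small audit check a defender can run over login usernames. The attribute name `uid`, the `objectClass=person` clause and the sample usernames are constructed for the example.

```python
# Added example (not Joomla's code): RFC 4515 escaping for LDAP filter values,
# plus a detection hook for usernames carrying filter metacharacters.

# Characters with special meaning inside an LDAP search filter (RFC 4515 s.3)
# and their mandatory escape sequences (backslash followed by two hex digits).
LDAP_FILTER_SPECIALS = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter.

    Each character is mapped once, so the backslash introduced by an escape
    sequence is never escaped a second time. Other UTF-8 characters may appear
    unescaped in a filter, so they are passed through.
    """
    return "".join(LDAP_FILTER_SPECIALS.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, attr: str = "uid") -> str:
    """The pattern the article describes: the username is interpolated raw,
    so a wildcard or parenthesis in it rewrites the query (assumed filter shape)."""
    return f"(&(objectClass=person)({attr}={username}))"


def build_filter_safe(username: str, attr: str = "uid") -> str:
    """Hardened form: the username is escaped, so it only ever matches literally."""
    return f"(&(objectClass=person)({attr}={escape_filter_value(username)}))"


def contains_filter_metachars(username: str) -> bool:
    """Detection hook: real usernames practically never contain filter
    metacharacters, so their presence in a login attempt is worth alerting on."""
    return any(ch in LDAP_FILTER_SPECIALS for ch in username)


def audit_login_attempts(usernames: list[str]) -> list[str]:
    """Return the usernames from a batch of login attempts that should be flagged."""
    return [u for u in usernames if contains_filter_metachars(u)]


if __name__ == "__main__":
    # Constructed sample: one ordinary login and one carrying a wildcard.
    for name in ("jsmith", "admin*"):
        print("unsafe :", build_filter_unsafe(name))
        print("escaped:", build_filter_safe(name))
    # Constructed batch of usernames as they might appear in an auth log.
    print("flagged:", audit_login_attempts(["jsmith", "admin*", "a(b", "mlee"]))
```

With the raw filter, `admin*` matches every `uid` beginning with `admin`; with escaping it becomes `admin\2a` and matches only a user literally named `admin*`. The audit function is deliberately strict: because these characters have no place in a username, a single flagged attempt is a high-signal event rather than noise.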

This vulnerability is newly-discovered but has apparently existed in Joomla for a very long time, as the affected versions go all the way back to version 1.5.

LDAP is popular with enterprises and is less likely to be used by small business websites or on personal deployments of Joomla, so the sites affected could represent a self-selecting group of high value targets for attackers.

Joomla rates this vulnerability (CVE-2017-14596) as a medium-severity bug, perhaps because LDAP isn’t the default authentication mechanism. If you use LDAP, you should upgrade now (Joomla promises “3.8 is a one-click update just like previous 3.x versions.”).

The second bug fixed in Joomla 3.8 (CVE-2017-14595) affects all versions of Joomla 3.7, and it’s a SQL bug that could allow an attacker to access an article’s introductory text even if that article is archived (when it shouldn’t be accessible at all).

Joomla rates this one as a low severity vulnerability, though upgrading to version 3.8 will fix both this issue and the nastier LDAP injection bug.


2 Comments

I read the explanation on RIPS’ blog and it makes absolutely no sense to me. Passwords need to be stored in clear text to work.
In 2017 you should be totally stupid or retarded to still store passwords in clear text!
The (only) good LDAP implementation should use the “bind” method to check credentials and not a trivial “compare” with clear text password.
A basic LDAP installation does not even give read access to passwords.


Thanks for clarifying this issue is only likely to affect Joomla websites that have the LDAP plugin enabled which few other reports have mentioned. The LDAP plugin is disabled by default so as you point out, only a small percentage of sites are likely to be vulnerable.
