A high-severity improper access control vulnerability has been discovered in various Joomla! CMS instances. Tracked as CVE-2023-23752, the vulnerability may allow an attacker to get unauthorized access to webservice endpoints and access sensitive information of the target application.
On January 8, 2024, CISA added the CVE-2023-27524 to the Known Exploited Vulnerabilities Catalog. CISA has recommended users to patch the flaw before Jan 29, 2024.
Joomla! is a free, open-source Content management system (CMS) that publishes a website’s web content. A web-based CMS enables users with varying access permissions to manage content, data, or information for a website project or intranet application.
Vulnerability Analysis
api/index.php route contains a flaw that leads to improper access control. The input member of the $app that exists in the app.php file stores all HTTP request parameters.
In the execute() function, the sanityCheckSystemVariables function filters the parameters of rendering templates, providing XSS vulnerability prevention. setupLogging and createExtensionNameSpaceMap perform additional logging for the system.
doExecute is the routing logic function. The most important thing in doExecute is the route and dispatch functions.
The route function is divided into two parts:
- Route selection
- Identity verification
Route Selection
To find the corresponding routing information directly from the requested method and url to $routers, the parseApiRoute function is used.
Identity Verification
The vars and public parameters control whether the authentication is performed or not. The public parameter determines whether the API is accessible to the outside world. By default, it is set to false and does not open to the outside world.
An attacker can use the user request url to override the variables in route.var by the requested variables. This will change the public parameter to true. Once the parameter is true, it does not require authentication and directly reaches the routing distribution.
The broken API /api/index.php/v1/config/application?public=true can be used to obtain the most critical configuration information of the website, including the account number and password of the database.
Affected Versions
Joomla! versions 4.0.0 to 4.2.7 are affected by this vulnerability.
Mitigation
To patch this vulnerability, customers are recommended to upgrade to the latest Joomla! version 4.2.8. For more information, please refer to the Joomla! Security Advisory.
Qualys Detection
Qualys customers can scan their devices with QID 730735 to detect vulnerable assets.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://xz.aliyun.com/t/12175
https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html