In a previous FortiGuard Labs blog I documented that Joomla! had failed to patch two Cross-Site Scripting (XSS) vulnerabilities, CVE-2017-7985 and CVE-2017-7986, that I had discovered earlier. After I reported the issue to Joomla!, they released a patch and published a separate security announcement in July 2017. That patch still does not fully fix the issue: earlier this year I found a new way to bypass the Joomla! XSS filter at the same injection point. This new vulnerability has been assigned CVE-2018-11326.
As with CVE-2017-7985 and CVE-2017-7986, the injection point is in the front end, in the "post or edit an article" function. A remote attacker with permission to post or edit articles can store malicious code in Joomla! that is later executed in the context of a victim's browser. That lets the attacker control the victim's browser session and hijack the victim's Joomla! account, and from there target accounts with higher privileges. A successful attack can ultimately give the remote attacker control of the entire web site.
This vulnerability affects Joomla! CMS versions 3.0.0 through 3.8.7. In this post, I share my analysis of it.
The PoC I used in this analysis is the same as the one from my previous post. I also used the same account, "yzy1", which has only Publisher permissions and is therefore not allowed to use the full set of HTML elements.
Before inserting the test code, I set the default editor to "None" in order to bypass the Joomla! front-end XSS protection, as shown in Figure 1. Because the editor setting is under the user's own control, anything the editor filters in the browser is not a security boundary; the control that actually matters is the server-side filter, and that is what the new vector bypasses.
The exploit can be the same as the one in my previous post; only the injected code needs to be changed to the following:
When a Joomla! administrator views the web page containing the injected code, the script runs in the administrator's browser and a new Super User is automatically created with the username 'Fortinet Yzy' and the password 'test'.
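The post does not publish the bypass string for CVE-2018-11326, so the block below is a generic illustration added here; it is not code from the original analysis or from the Joomla! code base. It contrasts a naive blacklist filter that deletes `<script>` tags, the style of filter that keeps getting bypassed at injection points like the article body, with an allowlist sanitizer built on Python's `html.parser`, and runs both over constructed sample article bodies. The sample payloads are textbook patterns (nested tags, event handlers, `javascript:` URLs), not the Joomla! vector, and the tag and attribute allowlists are assumptions chosen for the example.

```python
# Added example (not from the FortiGuard post or the Joomla! code base):
# why a blacklist filter at an article-body injection point keeps getting
# bypassed, and what an allowlist sanitizer does differently.
import html
import re
from html.parser import HTMLParser

# Constructed sample article bodies. These are textbook patterns, NOT the
# CVE-2018-11326 bypass string, which the post does not publish.
SAMPLE_POSTS = {
    "benign": '<p>Hello <b>world</b>, see <a href="https://example.org/">docs</a></p>',
    "plain_script": "<p>x</p><script>alert(1)</script>",
    "nested_tag": "<scr<script>ipt>alert(1)</scr</script>ipt>",
    "event_handler": "<img src=x onerror=alert(1)>",
    "js_href": '<a href="javascript:alert(1)">click</a>',
}


def blacklist_filter(body: str) -> str:
    """Naive filter: delete literal <script> / </script> tags in one pass."""
    return re.sub(r"</?script\s*>", "", body, flags=re.IGNORECASE)


class AllowlistSanitizer(HTMLParser):
    """Rebuild the document keeping only known-safe tags and attributes.
    The allowlists below are assumptions for this example, not Joomla!'s."""

    ALLOWED_TAGS = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "br", "a"}
    ALLOWED_ATTRS = {"a": {"href"}}
    SAFE_SCHEMES = ("http://", "https://")

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []   # serialized output fragments
        self.open = []  # stack of allowed tags currently open

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return  # unknown tag is dropped; its text content is kept as text
        kept = []
        for name, value in attrs:
            if name not in self.ALLOWED_ATTRS.get(tag, set()):
                continue  # drops every on* handler, style, src, ...
            value = value or ""
            if name == "href" and not value.strip().lower().startswith(self.SAFE_SCHEMES):
                continue  # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{html.escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag != "br":
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag not in self.open:
            return  # stray or disallowed end tag
        while self.open:  # close back to the matching tag to stay well-formed
            t = self.open.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=False))  # text is never markup

    def result(self) -> str:
        while self.open:
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)


def allowlist_sanitize(body: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(body)
    parser.close()
    return parser.result()


def looks_executable(markup: str) -> bool:
    """Crude marker check, used only to compare the two filters' output."""
    m = markup.lower()
    return "<script" in m or "javascript:" in m or re.search(r"\son\w+\s*=", m) is not None


def compare() -> dict:
    """Map sample name -> (blacklist output executable?, allowlist output executable?)."""
    return {
        name: (looks_executable(blacklist_filter(body)),
               looks_executable(allowlist_sanitize(body)))
        for name, body in SAMPLE_POSTS.items()
    }


if __name__ == "__main__":
    for name, (bl, al) in compare().items():
        print(f"{name:14s} blacklist_executable={bl!s:5s} allowlist_executable={al}")
```

The blacklist handles only the obvious `plain_script` case; the nested-tag sample reassembles into a working `<script>` after the single deletion pass, and the event-handler and `javascript:` samples are never touched at all. The allowlist sanitizer passes the benign markup through unchanged but has no path by which attacker-controlled bytes can become a tag or attribute it did not explicitly permit, which is the property a server-side filter at this kind of injection point needs.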
All Joomla! users should upgrade immediately to the latest version (any release later than 3.8.7). Additionally, organizations using Fortinet IPS solutions are already protected against this vulnerability by the following signature: