Joomla is one of the most popular CMSes, with over 1.5 million installations world-wide. We pentested Joomla 3.9.24 and found a password reset vulnerability which we chained with a set of vulnerabilities and features to achieve full compromise of the underlying server.

Joomla has a strong OOP architecture and a large codebase. Strong input validation is applied everywhere, prepared statements are used to protect against SQL injection, and type casting is used where integers are required. In addition, while reviewing the code we noticed that defense-in-depth measures are applied in many places, which is a good sign from a defensive perspective. However, it also means we will have to work harder to achieve our goals.

We obviously did a quick Burp scan and found nothing there… not really surprising, right? Most probably everyone else ran a Burp scan before we did, and all those low-hanging fruits have been eliminated.

To set the stage, let’s discuss user roles in Joomla a bit. There are 2 interesting roles: one is “admin” and the other one is “super admin”. As you guessed, it’s the “super admin” we really want in the end, but there are a couple of steps in order to get there.

We decided to target the password reset functionality. However, you can’t reset the password of a “super admin” the way you would reset it for all other users. The Joomla developers have already thought of that, and they completely removed the password reset functionality for “super admin”. Reducing the attack surface is always a good idea, so kudos to them. However, we can still reset the password for any other user that is not a “super admin”. Let’s target a regular “admin” in that case.