[20190206] - Core - Implement the TYPO3 PHAR stream wrapper
Published: 2019-02-12T00:00:00
ID: JOOMLA-770
Type: joomla
Reporter: Open Source Matters, Inc.
Modified: 2019-02-12T00:00:00
Description
The phar:// stream wrapper can be used for object injection attacks. We now disallow use of the phar:// handler for non-.phar files globally within the CMS by implementing the TYPO3 PHAR stream wrapper.
CVE: CVE-2019-7743
CVSS: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Affected software: Joomla! CMS, versions lower than 3.9.3
Source: https://developer.joomla.org/security-centre/770-20190206-core-implement-the-typo3-phar-stream-wrapper.html?highlight=WyJleHBsb2l0Il0=
Related records: CVE-2019-7743 (CVE), JOOMLA_393.NASL (Nessus), OPENVAS:1361412562310141991 (OpenVAS)