Joomla! 3.7.0 SQL injection attack vulnerability analysis (vulnerability warning), Black Bar Safety Net
Source: www.myhack58.com (MYHACK58:62201786289), author: Anonymous (佚名), May 20, 2017
EPSS: 0.976 (percentile 100.0%)

Joomla is the world's second most popular content management system. It is written in PHP on top of a MySQL database, runs on Linux, Windows, Mac OS X and other platforms, and is currently developed and supported by the open source organization Open Source Matters.
Joomla actually consists of two open source projects:
1. The Joomla content management system, Joomla CMS (Content Management System). It is the base management platform for a site and suits almost every kind of website, from personal pages to department store sales.
2. The Joomla Platform, the Joomla framework. In theory it can do almost anything: besides websites, it can be used for a wide range of web development, mobile application development and so on.
If your website is built on the popular Joomla content management system, make sure you have updated your installation to today's release of the latest version.
Vulnerability description:
Project: Joomla!
Sub-project: CMS
Severity: high
Affected versions: 3.7.0
Vulnerability type: SQL injection
CVE number: CVE-2017-8917
Are you exposed?
Joomla 3.7 introduced a new component, "com_fields". This component is easily exploitable and does not require the attacker to hold high privileges on the site, which means that anyone who can send a malicious request to the site can use this vulnerability.
The SQL injection arises because request data is not strictly filtered, so an attacker can do a great deal with it: for example, reveal users' password hashes, or take over a logged-in user's session. If the session obtained belongs to a logged-in administrator, the entire back end of the site may be controlled.
Technical details
The com_fields component inherits some views from the administrator-side component of the same name, which lets generic code be reused for the other side without starting over.
![Code fragment: $config['base_path'] set from JPATH_COMPONENT_ADMINISTRATOR](/Article/UploadPic/2017-5/20175204029256.png?www.myhack58.com)
As the code fragment above shows, the value of the $config['base_path'] variable is passed in through the JPATH_COMPONENT_ADMINISTRATOR constant, which represents the local path of the administrator component's directory. Joomla therefore resolves the view parameter and the layout from that path.
Build the URL as follows:
/index.php?option=com_fields&view=fields&layout=modal
view parameter value: fields
layout parameter value: modal
Accessing this URL displays the list of all custom fields available on the site.
The only administrator view reachable this way is fields. It fetches its data from an admin-side model, by way of the $config['base_path'] variable discussed above.
In this case the FieldsModelFields model, in the file ./administrator/components/com_fields/models/fields.php, contains the vulnerability we found.
The culprit can be found in the getListQuery method.
![Code fragment: the getListQuery method of FieldsModelFields](/Article/UploadPic/2017-5/20175204029850.png?www.myhack58.com)
For those not familiar with Joomla, the $query->order() method does nothing more than append its input to the query's ORDER BY clause.
![Code fragment: JModelList populating the list state from user input](/Article/UploadPic/2017-5/20175204029472.png?www.myhack58.com)
The user input enters at the list.fullordering state. Because the FieldsModelFields model inherits from the JModelList class, it also contains the code snippet above.
You may notice that it performs some validation on the content and then sets list.direction and list.ordering accordingly. But what about list.fullordering?
![Code fragment: the switch statement that sets list.direction and list.ordering](/Article/UploadPic/2017-5/20175204029327.png?www.myhack58.com)
Regardless of which branch of the switch statement produces a valid list.direction or list.ordering, we still control the value that line ends up with.
So to exploit this vulnerability, all an attacker has to do is add the appropriate parameters to the URL in order to inject into the SQL query.
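As an added illustration that is not the article's or Joomla's own code: a minimal PHP reconstruction of the list.fullordering flow described above, showing the unsafe pattern (the raw fullordering value reaches ORDER BY even though ordering and direction were validated separately) beside a hardened one that only ever emits a whitelisted column and direction. The function names, the ALLOWED_ORDERING whitelist and the sample request values are assumptions made for this example; only the state keys list.fullordering, list.ordering and list.direction and the role of $query->order() come from the article.

```php
<?php
// Added example, not Joomla's code. Reconstructs the list.fullordering flow
// described in the article with an unsafe builder beside a hardened one.
// Names below (ALLOWED_ORDERING, parseFullOrdering, buildOrderBy*) are
// assumptions made for illustration.
declare(strict_types=1);

// Columns this list may be sorted by (stand-in for a model's whitelist of
// sortable fields). Constructed for the example.
const ALLOWED_ORDERING = ['a.id', 'a.title', 'a.ordering', 'a.state'];

/**
 * Split a "column DIRECTION" value and validate both parts against the
 * whitelist, mirroring the switch described above. Returns null when either
 * part is invalid, so the caller must fall back to a safe default.
 */
function parseFullOrdering(string $fullOrdering): ?array
{
    $parts = preg_split('/\s+/', trim($fullOrdering));
    if ($parts === false || count($parts) !== 2) {
        return null;
    }
    [$column, $direction] = $parts;
    $direction = strtoupper($direction);
    if (!in_array($column, ALLOWED_ORDERING, true)
        || !in_array($direction, ['ASC', 'DESC'], true)) {
        return null;
    }
    return ['ordering' => $column, 'direction' => $direction];
}

/**
 * Unsafe pattern: the raw list.fullordering value is handed straight to the
 * ORDER BY clause. list.ordering and list.direction were validated, but the
 * string that actually reaches SQL was not.
 */
function buildOrderByUnsafe(array $state): string
{
    $full = (string) ($state['list.fullordering'] ?? '');
    if ($full !== '') {
        return 'ORDER BY ' . $full; // user-controlled text, unvalidated
    }
    return 'ORDER BY ' . ($state['list.ordering'] ?? 'a.ordering') . ' '
        . ($state['list.direction'] ?? 'ASC');
}

/**
 * Hardened pattern: only a whitelisted column and a validated direction are
 * ever concatenated into SQL; anything that does not parse is discarded.
 */
function buildOrderBySafe(array $state): string
{
    $parsed = parseFullOrdering((string) ($state['list.fullordering'] ?? ''));
    $column = $parsed['ordering'] ?? 'a.ordering';
    $direction = $parsed['direction'] ?? 'ASC';
    return 'ORDER BY ' . $column . ' ' . $direction;
}

// Constructed request states: one well-formed value and one that is not a
// "column DIRECTION" pair and therefore should never reach the query.
$requests = [
    'wellformed' => ['list.fullordering' => 'a.title DESC'],
    'malformed'  => ['list.fullordering' => 'a.title DESC, extra_column'],
];

foreach ($requests as $label => $state) {
    printf("%-10s unsafe: %s\n", $label, buildOrderByUnsafe($state));
    printf("%-10s safe:   %s\n", $label, buildOrderBySafe($state));
}
```

Running it with the php CLI prints both clauses for each constructed request: for the malformed value the unsafe builder emits the caller's text verbatim, while the hardened builder falls back to the default of a.ordering ASC. The defensive point is that validation has to gate the string that is concatenated into SQL, not merely populate sibling state keys that the query never reads. For the same reason, front-end requests with option=com_fields whose ordering value is anything other than a known column followed by ASC or DESC are the pattern to look for in access logs when checking whether an unpatched site was probed.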
Repair recommendations
Upgrade to the latest version, using either the full installation package or the upgrade patch:
https://downloads.joomla.org/cms/joomla3/3-7-1