Joomla! LDAP injection leading to login authentication bypass (CVE-2017-14596)

2017-09-21T00:00:00
ID MYHACK58:62201789411
Type myhack58
Reporter Anonymous
Modified 2017-09-21T00:00:00

Description

With more than 8400 million downloads, Joomla! is now the Internet's most popular CMS. It hosts 3.3 per cent of all the world's website content and articles. Code analysis with RIPS detected a previously undiscovered LDAP injection vulnerability in the login controller. The vulnerability allows a remote attacker to recover the super user password using blind injection techniques, and so to take over, within a short period of time, a Joomla! installation that authenticates via LDAP.

Requirements for exploitation

Installations that meet the following conditions are affected:

- Joomla! 1.5
- Joomla! is configured to authenticate via LDAP

The vulnerability is not caused by a configuration flaw, and the attacker needs no privileges to exploit it.

Impact

By exploiting the vulnerability in the login page, an unprivileged remote attacker can obtain the authentication credentials held by the LDAP server that Joomla! authenticates against. These credentials include the super user's username and password. The attacker can then use this information to log in to the administrator control panel and upload a custom Joomla! plug-in, gaining the privileges of the web server and achieving remote code execution.

Vulnerability analysis

First, the LoginController in Joomla! receives the user-supplied credentials from the login form.
/administrator/components/com_login/controller.php

```php
class LoginController extends JControllerLegacy
{
    public function login()
    {
        ⋮
        $app = JFactory::getApplication();
        ⋮
        $model = $this->getModel('login');
        $credentials = $model->getState('credentials');
        ⋮
        $app->login($credentials, array('action' => 'core.login.admin'));
    }
}
```

The credentials are passed to the login method, which in turn passes them to the authenticate method.

/libraries/cms/application/cms.php

```php
class JApplicationCms extends JApplicationWeb
{
    public function login($credentials, $options = array())
    {
        ⋮
        $authenticate = JAuthentication::getInstance();
        $authenticate->authenticate($credentials, $options);
    }
}
```

/libraries/joomla/authentication/authentication.php

```php
class JAuthentication extends JObject
{
    public function authenticate($credentials, $options = array())
    {
        ⋮
        $plugin->onUserAuthenticate($credentials, $options, $response);
    }
}
```

Depending on the authentication plugin in use, the authenticate method passes the credentials to that plugin's onUserAuthenticate method. If Joomla! is configured to use LDAP for authentication, the LDAP plugin's method is called.

/plugins/authentication/ldap/ldap.php

```php
class PlgAuthenticationLdap extends JPlugin
{
    public function onUserAuthenticate($credentials, $options, &$response)
    {
        ⋮
        $userdetails = $ldap->simple_search(
            str_replace(
                '[search]',
                $credentials['username'],
                $this->params->get('search_string')
            )
        );
    }
}
```

In the LDAP plugin, the username credential is embedded into the LDAP query specified by the search_string option. According to the official Joomla! documentation, the search_string configuration option is "a query string used to search for the user, where [search] is directly replaced by the search text from the login field", for example "uid=[search]". The LDAP query is then passed to the simple_search method of LdapClient, which connects to the LDAP server and performs ldap_search.
/libraries/vendor/joomla/ldap/src/LdapClient.php

```php
class LdapClient
{
    public function simple_search($search)
    {
        // The query is split on ';' and each part becomes its own filter.
        $results = explode(';', $search);
        foreach ($results as $key => $result)
        {
            $results[$key] = '(' . $result . ')';
        }
        return $this->search($results);
    }

    public function search(array $filters, ...)
    {
        foreach ($filters as $search_filter)
        {
            // Each filter, including the unescaped username, reaches ldap_search.
            $search_result = @ldap_search($res, $dn, $search_filter, $attr);
            ⋮
        }
    }
}
```
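The following is an added example, not code from the original page or from Joomla!. It mirrors the str_replace() and simple_search() steps above to show how filter metacharacters in the login field change the filters that reach ldap_search, and how encoding them keeps the username a single literal value. The function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not Joomla! code. Function names are hypothetical.

/**
 * Encode characters that have meaning in an LDAP search filter (RFC 4515):
 * NUL ( ) * \ become a backslash plus two hex digits. ';' is encoded too,
 * because the page's simple_search() splits the query on it. RFC 4515
 * allows any octet to be written in this backslash-hex form.
 */
function escape_filter_value(string $value): string
{
    return preg_replace_callback(
        '/[\x00()*\\\\;]/',
        static fn (array $m): string => sprintf('\\%02x', ord($m[0])),
        $value
    );
}

/** Mirrors the str_replace() + simple_search() steps shown on the page. */
function build_filters(string $searchString, string $username, bool $escape): array
{
    if ($escape) {
        $username = escape_filter_value($username);
    }
    $query = str_replace('[search]', $username, $searchString);

    // Same split-and-wrap logic as simple_search().
    return array_map(
        static fn (string $part): string => '(' . $part . ')',
        explode(';', $query)
    );
}

$searchString = 'uid=[search]';   // example value quoted from the Joomla! documentation
$inputs = ['jdoe', 'a*b;(c)'];    // constructed login-field values

foreach ($inputs as $username) {
    $raw  = build_filters($searchString, $username, false);
    $safe = build_filters($searchString, $username, true);
    printf("input:     %s\n", $username);
    printf("unescaped: %d filter(s): %s\n", count($raw), implode(' ', $raw));
    printf("escaped:   %d filter(s): %s\n\n", count($safe), implode(' ', $safe));
}
```

Where PHP's ldap extension is loaded, ldap_escape() with LDAP_ESCAPE_FILTER handles the RFC 4515 characters; the ';' separator used by this code path still needs its own handling.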
