Joomla is used in many websites as a popular content management system. On February 16, 2023, a critical vulnerability with the identifier “CVE-2023-23752” was announced for Joomla. This vulnerability allows unauthorized users to access sensitive information on the website.
Although the CVSS score of the vulnerability is defined as “5.3”, its impact is actually critical and CWE ID: CWE-284
Affected Versions: Joomla! 4.0.0 – 4.2.7
The critical information that has been revealed includes database information such as “db_name, db_user, db_password, hostname“.
This blog post will cover the essential technical analysis of the Improper Access Control vulnerability with the identifier CVE-2023-23752 that has been published for Joomla, how it can be exploited, and proposed solutions for resolving the vulnerability.
Affected Joomla Systems Worldwide
According to the output of the query we made through the Censys search engine, there are “1,422,429” potential Joomla websites affected by the CVE-2023-23752 vulnerability worldwide.
Again, according to the results from Censys.io, only “7,079” of the identified Joomla sites have port 3306 (default MySQL port) open to the outside.
Considering that the vulnerability is leakage of database information, it is seen that the actual affected systems are quite small compared to all Joomla-using sites. The fact that the affected systems are relatively less does not mean that the vulnerability can be ignored. We explain what kind of damages can be caused to the system through an infected Joomla in the rest of our article.
When a GET request is made to a Joomla website affected by the CVE-2023-23752 vulnerability in the form of “/api/index.php/v1/config/application?public=true” you will get a result as shown in the screenshot below.
When the response returned by the request is examined, it is understood that critical information containing database information is exposed.
The single endpoint in Joomla! CMS is not “/api/index.php/v1/config/application?public=true”. According to the latest findings, there are a total of 241 API endpoints. As the Cyberthint Team, we published a PoC by exploiting through these 241 API endpoints: CVE-2023-23752 PoC
After this stage, attackers’ first target will be to access the database using the exposed information. However, for this, the database port of the relevant system (MySQL: 3306 (default)) must be open to the outside. If the database port of the server affected by the vulnerability is accessible from outside (from any IP address), the database can be accessed directly with the exposed login information. If the database port of the affected server is accessible from the outside, direct access to the database can be obtained with the exposed login information. What happens next can result in admin panel access or webshell (backdoor) installation on the server by capturing critical information from the database tables.
Some possible events that attackers could carry out if they gain access to the database are:
- Disclosure of Personal Information and Identity Theft: Databases usually contain details of systems, and parts of these details are users’ personal information. Therefore, it may result in the theft or disclosure of sensitive personal information such as users’ name, address, telephone number, e-mail address. This situation may even allow attackers to create false identities or make financial transactions using this information.
- Stealing Credit Card Information: Databases may also contain customers’ credit card information, which is rare today, but possible. The theft of credit card information allows attackers to misuse this information to make expenses or commit identity theft.
- Damage to Company’s Image: The exposure of a company’s web database can seriously damage its image and cause customers to lose trust, leading to customer and financial losses.
- Legal Sanctions: Data breaches can result in legal sanctions. Companies are responsible for protecting personal information, and failing to do so can lead to legal liability.
These items can be further diversified…
A vulnerability directly affecting the database can have critical consequences. Therefore, it is important to fix the relevant vulnerability quickly.
The first thing to do to fix this vulnerability is to update the Joomla! version to 4.2.8. This is currently the latest version and provides a sufficient solution to ensure you are not affected by the CVE-2023-23752 vulnerability.
Other than that, other actions are:
Database Hardening for Access Controls: Tightening database access permissions can prevent unauthorized access. Database access permissions should be restricted to authorized users and roles that allow necessary access. Additionally, it is recommended to close off outside access to the database port or restrict IP access if the service needs to remain open.
Database Encryption: Database encryption can help protect data even if it is stolen. Encrypting data in the database makes it harder for attackers to read and use the data if it is stolen.
Database Backups: Database backups can reduce the potential impact of database vulnerabilities. Regular database backups should be taken and the security of backed-up data should be ensured.
Firewall: Firewalls can help prevent database attacks. Firewalls sit between the database server and the web server and can detect and block (known) cyber attacks.
- Security Tests: Security testing (penetration testing) can identify vulnerabilities and weaknesses in the database, the network, and the web application, and can provide recommendations for improving security.