-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Title: Joomla! session id not hashed
Author: Blazej Adamczyk (br0x)
Date: 2015-06-30
Download site: https://github.com/joomla/joomla-cms/releases/download/3.6.2/Joomla_3.6.2-Stable-Full_Package.zip
Version: 3.6.2 and below
Vendor: https://www.joomla.org/
Vendor Notified: 2016-09-20
Vendor Contact: https://www.joomla.org/
CVSS: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H)

Description:
The session_ids for all joomla users are stored in plaintext in the aprefix_sessiona table. This
allows the attacker to exploit an SQLi to retrieve the session id and access Joomla! backend with
user (victim) privileges. The session_id cookie value should not be stored in the database. A
cryptographic hash function should be used instead and the real cookie should be known only to the
user. On each request Joomla should compare the hash of the cookie with the value stored in db.

This is a well known vector for gaining code execution having only an SQL injection vulnerability in
Joomla! sites. For example, some MSF modules use it to gain code execution (e.g.
joomla_contenthistory_sqli_rce).

The aim of this diclosure is to attract the attention of Joomla! community/developers and start a
dicussion for a proper fix.

-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQEcBAEBCAAGBQJX4Qq2AAoJELcOb3l0I/e3tSsIAJy7Gsex+mUuU8rz74jwtzSR
i6laiR2ULkkMWmN7AHrDXxSLgegq+0HbxA315CZ1wg6WT63j0GWE7UYR4I84H69F
2q048H4qDdmX4wetOIVnyeIpyxq2a6/8SrcwVRkAaVjqXUNTQaQwTgusosWF4NvL
YF56h5VznlReb6Kvu5jjb9MalBKvmmDKxwgIWeBQ8pfSop0J0EIuhlZ9DvK3mKpo
5821OI4SfcuxU/gdiP+dQru5ln5ySLQsB59ydeFE8JVLirf1LBesepcimuqAmQiM
j0QxynYFFV/GCuWpbYsQ7JQmMA8UPbRLzEJxvGhLZ1FKFkauUnvAvSZ36pj6zTM=
=fu19
-----END PGP SIGNATURE-----