-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 Title: Joomla! session id not hashed Author: Blazej Adamczyk (br0x) Date: 2015-06-30 Download site: https://github.com/joomla/joomla-cms/releases/download/3.6.2/Joomla_3.6.2-Stable-Full_Package.zip Version: 3.6.2 and below Vendor: https://www.joomla.org/ Vendor Notified: 2016-09-20 Vendor Contact: https://www.joomla.org/ CVSS: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) Description: The session_ids for all joomla users are stored in plaintext in the aprefix_sessiona table. This allows the attacker to exploit an SQLi to retrieve the session id and access Joomla! backend with user (victim) privileges. The session_id cookie value should not be stored in the database. A cryptographic hash function should be used instead and the real cookie should be known only to the user. On each request Joomla should compare the hash of the cookie with the value stored in db. This is a well known vector for gaining code execution having only an SQL injection vulnerability in Joomla! sites. For example, some MSF modules use it to gain code execution (e.g. joomla_contenthistory_sqli_rce). The aim of this diclosure is to attract the attention of Joomla! community/developers and start a dicussion for a proper fix. -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.org iQEcBAEBCAAGBQJX4Qq2AAoJELcOb3l0I/e3tSsIAJy7Gsex+mUuU8rz74jwtzSR i6laiR2ULkkMWmN7AHrDXxSLgegq+0HbxA315CZ1wg6WT63j0GWE7UYR4I84H69F 2q048H4qDdmX4wetOIVnyeIpyxq2a6/8SrcwVRkAaVjqXUNTQaQwTgusosWF4NvL YF56h5VznlReb6Kvu5jjb9MalBKvmmDKxwgIWeBQ8pfSop0J0EIuhlZ9DvK3mKpo 5821OI4SfcuxU/gdiP+dQru5ln5ySLQsB59ydeFE8JVLirf1LBesepcimuqAmQiM j0QxynYFFV/GCuWpbYsQ7JQmMA8UPbRLzEJxvGhLZ1FKFkauUnvAvSZ36pj6zTM= =fu19 -----END PGP SIGNATURE-----