Joomla is a free, open-source content management system (CMS). Researchers recently found two vulnerabilities affecting versions 3.4.4 through 3.6.3: CVE-2016-8869 and CVE-2016-8870. Today I am going to analyze only CVE-2016-8870. Exploiting this vulnerability lets an attacker register users on a site even when registration has been disabled. Joomla has published an official announcement and an upgraded release for this vulnerability.

For analysis, you can get Joomla version 3.6.3 here. In the vulnerable version we can see an interesting thing: two methods for user registration exist.

  1. Look at the components/com_users/controllers/registration.php file, where you can see the UsersControllerRegistration::register() function:

    public function register()
    {
        // Check for request forgeries.
        JSession::checkToken() or jexit(JText::_('JINVALID_TOKEN'));

        // If registration is disabled - Redirect to login page.
        if (JComponentHelper::getParams('com_users')->get('allowUserRegistration') == 0)
        {
            $this->setRedirect(JRoute::_('index.php?option=com_users&view=login', false));

            return false;
        }

        $app = JFactory::getApplication();
        $model = $this->getModel('Registration', 'UsersModel');

        // Get the user data.
        $requestData = $this->input->post->get('jform', array(), 'array');

        // Validate the posted data.
        $form = $model->getForm();

        // ... (remainder of the method omitted in this excerpt)
    }

  2. Look at the components/com_users/controllers/user.php file, where you can see the UsersControllerUser::register() function:

    public function register()
    {
        // Check for request forgeries.
        JSession::checkToken('post') or jexit(JText::_('JINVALID_TOKEN'));

        // Get the application
        $app = JFactory::getApplication();

        // Get the form data.
        $data = $this->input->post->get('user', array(), 'array');

        // Get the model and validate the data.
        $model = $this->getModel('Registration', 'UsersModel');

        $form = $model->getForm();

        // ... (remainder of the method omitted in this excerpt)
    }

Comparing the UsersControllerRegistration::register() function with the UsersControllerUser::register() function, there is one notable difference: the following guard exists only in UsersControllerRegistration::register():

// If registration is disabled - Redirect to login page.
if (JComponentHelper::getParams('com_users')->get('allowUserRegistration') == 0)
{
    $this->setRedirect(JRoute::_('index.php?option=com_users&view=login', false));

    return false;
}

If we can use the UsersControllerUser::register() function to register, this check is bypassed. Although UsersControllerUser::register() is not the method the registration form normally uses, nothing prevents a client from invoking it. Reading the code, it is enough to modify the request as follows to reach the unguarded register() function:

  • registration.register -> user.register
  • jform[*] -> user[*]
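As an added illustration (not Joomla's code, and not from the original post), the following constructed Python model reproduces the dispatch described above: the `task` parameter selects `CONTROLLER.METHOD`, both `register()` methods hand off to the same Registration model, and only one of them checks `allowUserRegistration`. It also shows the hardened variant, where the policy is enforced once in the model so every entry point is covered, and a small detection helper that flags requests naming the unintended controller; the request bodies and `option=com_users` parameter in the test are constructed samples.

```python
"""Constructed model of Joomla's com_users task dispatch (CVE-2016-8870): the two
register() methods shown above share one Registration model, but only the one in
registration.php checks allowUserRegistration. Names are illustrative stand-ins."""
from urllib.parse import parse_qs

ALLOW_USER_REGISTRATION = 0  # site setting: 0 = registration disabled


def parse_form(body: str) -> dict:
    """Flatten 'task=user.register&user[email]=...' into {key: value}."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


class RegistrationModel:
    """Stand-in for UsersModelRegistration: the only code that creates accounts."""
    def __init__(self, guard_in_model: bool):
        self.guard_in_model = guard_in_model
        self.users = []

    def register(self, email: str) -> str:
        # Hardened variant: enforce the policy once, where the account is created.
        if self.guard_in_model and ALLOW_USER_REGISTRATION == 0:
            return "redirect:login"
        self.users.append(email)
        return "registered:" + email


class Site:
    """Dispatches task=CONTROLLER.METHOD to CONTROLLER_METHOD, like Joomla does."""
    def __init__(self, guard_in_model: bool = False):
        self.model = RegistrationModel(guard_in_model)

    def registration_register(self, p: dict) -> str:  # task=registration.register
        if ALLOW_USER_REGISTRATION == 0:  # the guard from registration.php
            return "redirect:login"
        return self.model.register(p["jform[email]"])

    def user_register(self, p: dict) -> str:  # task=user.register: no guard in 3.6.3
        return self.model.register(p["user[email]"])

    def dispatch(self, body: str) -> str:
        p = parse_form(body)
        controller, _, method = p.get("task", "").partition(".")
        handler = getattr(self, f"{controller}_{method}", None) if method else None
        return handler(p) if handler else "error:unknown-task"


def is_bypass_attempt(body: str) -> bool:
    """Detection: a com_users request that invokes the unintended controller."""
    p = parse_form(body)
    return p.get("option") == "com_users" and p.get("task") == "user.register"
```

With registration disabled, the intended task is redirected to the login page while the unintended one creates the account; moving the check into the model closes both paths at once.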


How to fix

Upgrade to Joomla version 3.6.4.