Vulnerability report written by the TA team by analyzing "Joomla! CMS Security Bypass (CVE-2023-23752)"
CVE-2023-23752 is a vulnerability found in Joomla! versions 4.0.0 through 4.2.7 that allows unauthorized access to web service endpoints due to incorrect access validation. This can lead to a risk that a malicious user can access the system without authentication or manipulate data. The REST API api/index.php, one of Joomla's default routing entries, is blocked by default, but can be accessed by including a specific parameter (public=true). This API can expose sensitive configuration information such as database accounts and passwords. In response, it is necessary to apply the latest security patches for the affected versions, strengthen access control at the server level, and block data via a Web Application Firewall (WAF).
Source: https://www.idappcom.co.uk/post/joomla-cms-security-bypass-cve-2023-23752
Source: https://xz.aliyun.com/t/12175?time__1311=GqGxRDuDgA0%3D%3DGN4eeTq18e40KD%3DDcnQWoD
1. Overview
CVE-2023-23752 is a vulnerability in Joomla! versions from 4.0.0 to 4.2.7. The vulnerability allows unauthorised access to a web service endpoint due to an incorrect access check. As a result, a risk exists that a malicious user could access data or manipulate the system without authentication.
2. Attack Type
In Joomla's default routing entries, the REST APIs under api/index.php, which are intended for developers, are inaccessible by default. However, certain endpoints can be reached without authentication by adding public=true to the query string, which exposes internal information.
- Accessible APIs
v1/banners
v1/banners/:id
v1/banners/:id/contenthistory
v1/banners/:id/contenthistory/keep
v1/banners/clients
v1/banners/clients/:id
v1/banners/categories
v1/banners/categories/:id
v1/config/application
v1/config/:component_name
v1/contacts/form/:id
v1/contacts
v1/contacts/:id
v1/contacts/categories
v1/contacts/categories/:id
v1/fields/contacts/contact
v1/fields/contacts/contact/:id
v1/fields/contacts/mail
v1/fields/contacts/mail/:id
v1/fields/contacts/categories
v1/fields/contacts/categories/:id
v1/fields/groups/contacts/contact
v1/fields/groups/contacts/contact/:id
v1/fields/groups/contacts/mail
v1/fields/groups/contacts/mail/:id
v1/fields/groups/contacts/categories
v1/fields/groups/contacts/categories/:id
v1/contacts/:id/contenthistory
v1/contacts/:id/contenthistory/keep
v1/content/articles
v1/content/articles/:id
v1/content/categories
v1/content/categories/:id
v1/fields/content/articles
v1/fields/content/articles/:id
v1/fields/content/categories
v1/fields/content/categories/:id
v1/fields/groups/content/articles
v1/fields/groups/content/articles/:id
v1/fields/groups/content/categories
v1/fields/groups/content/categories/:id
v1/content/articles/:id/contenthistory
v1/content/articles/:id/contenthistory/keep
v1/extensions
v1/languages/content
v1/languages/content/:id
v1/languages/overrides/search
v1/languages/overrides/search/cache/refresh
v1/languages/overrides/site/zh-CN
v1/languages/overrides/site/zh-CN/:id
v1/languages/overrides/administrator/zh-CN
v1/languages/overrides/administrator/zh-CN/:id
v1/languages/overrides/site/en-GB
v1/languages/overrides/site/en-GB/:id
v1/languages/overrides/administrator/en-GB
v1/languages/overrides/administrator/en-GB/:id
v1/languages
v1/media/adapters
v1/media/adapters/:id
v1/media/files
v1/media/files/:path
v1/menus/site
v1/menus/site/:id
v1/menus/administrator
v1/menus/administrator/:id
v1/menus/site/items
v1/menus/site/items/:id
v1/menus/administrator/items
v1/menus/administrator/items/:id
v1/menus/site/items/types
v1/menus/administrator/items/types
v1/messages
v1/messages/:id
v1/modules/types/site
v1/modules/types/administrator
v1/modules/site
v1/modules/site/:id
v1/modules/administrator
v1/modules/administrator/:id
v1/newsfeeds/feeds
v1/newsfeeds/feeds/:id
v1/newsfeeds/categories
v1/newsfeeds/categories/:id
v1/plugins
v1/plugins/:id
v1/privacy/requests
v1/privacy/requests/:id
v1/privacy/requests/export/:id
v1/privacy/consents
v1/privacy/consents/:id
v1/redirects
v1/redirects/:id
v1/tags
v1/tags/:id
v1/templates/styles/site
v1/templates/styles/site/:id
v1/templates/styles/administrator
v1/templates/styles/administrator/:id
v1/users
v1/users/:id
v1/fields/users
v1/fields/users/:id
v1/fields/groups/users
v1/fields/groups/users/:id
v1/users/groups
v1/users/groups/:id
v1/users/levels
v1/users/levels/:id
- Of these endpoints, the configuration API (v1/config/application, listed above) returns the most important configuration information for the website, including the database account and password.
3. Response
The general response to the CVE-2023-23752 vulnerability is as follows:
- If you are using Joomla! versions 4.0.0 through 4.2.7, apply the latest security patch.
- Enforce access controls at the server level and block the offending requests with WAF capabilities.
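As an added example (not part of this report or of Joomla itself), the following Python script covers the detection side of the response above: it scans web-server access-log lines for requests to api/index.php that carry public=true and ranks a hit on the v1/config/* endpoints highest, since that is where the database credentials are returned. The combined log format, the constructed log lines and the severity labels are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Apache/nginx combined-style access log: client, ident, user, [time], "request", status, size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)')
API_ENTRY = "/api/index.php"
# v1/config/* returns the site configuration, including the database account and
# password, so hits there rank highest; every other listed endpoint is "medium" (assumed labels).
HIGH_RISK_PREFIXES = ("v1/config/",)

def classify_request(target: str):
    """Return (endpoint, severity) when the request is a route under api/index.php
    carrying public=true (the CVE-2023-23752 pattern), otherwise None."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    idx = path.find(API_ENTRY)
    if idx == -1:
        return None
    # Compare key and value case-insensitively so Public=TRUE is not missed
    query = {k.lower(): [v.lower() for v in vals] for k, vals in parse_qs(parts.query).items()}
    if "true" not in query.get("public", []):
        return None
    endpoint = path[idx + len(API_ENTRY):].strip("/")
    severity = "high" if endpoint.startswith(HIGH_RISK_PREFIXES) else "medium"
    return endpoint, severity

def scan_log(lines):
    """Flag matching requests. A 2xx status means the API answered (bypass worked);
    401/403/404 suggests the host is patched or the request was filtered."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        hit = classify_request(m["target"]) if m else None
        if hit is None:
            continue
        endpoint, severity = hit
        status = int(m["status"])
        findings.append({"ip": m["ip"], "time": m["ts"], "endpoint": endpoint,
                         "severity": severity, "status": status, "exposed": 200 <= status < 300})
    return findings

# Constructed sample log lines (not real traffic; RFC 5737 documentation addresses)
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Feb/2023:10:12:01 +0000] "GET /api/index.php/v1/config/application?public=true HTTP/1.1" 200 1874',
    '203.0.113.5 - - [17/Feb/2023:10:12:03 +0000] "GET /api/index.php/v1/users?public=true HTTP/1.1" 200 912',
    '198.51.100.7 - - [17/Feb/2023:10:15:44 +0000] "GET /index.php/component/content/?view=featured HTTP/1.1" 200 5120',
    '198.51.100.7 - - [17/Feb/2023:10:16:02 +0000] "GET /api/index.php/v1/content/articles?public=true HTTP/1.1" 403 312',
    '192.0.2.9 - - [17/Feb/2023:10:20:10 +0000] "GET /api/index.php/v1/content/articles HTTP/1.1" 401 200',
]
```

Calling scan_log(SAMPLE_LOG) on the constructed lines yields three findings; a successful (2xx) hit on v1/config/application is the signal that credentials should be treated as compromised and rotated after patching.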