-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2018.0122
         Multiple vulnerabilities patched in Joomla!
                              24 May 2018
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Joomla!
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Existing Account
                   Modify Permissions              -- Existing Account
                   Cross-site Scripting            -- Remote with User Interaction
                   Access Confidential Data        -- Existing Account
                   Reduced Security                -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-11328 CVE-2018-11327 CVE-2018-11326
                   CVE-2018-11325 CVE-2018-11324 CVE-2018-11323
                   CVE-2018-11322 CVE-2018-11321 CVE-2018-6378
Member content until: Saturday, June 23 2018

OVERVIEW

        Multiple vulnerabilities have been identified in Joomla! versions
        up to and including 3.8.7. [1][2][3][4][5][6][7][8][9]

IMPACT

        The vendor has provided the following information:

        "[20180509] - Core - XSS vulnerability in the media manager

        Project: Joomla!
        SubProject: CMS
        Impact: Low
        Severity: Low
        Versions: 1.5.0 through 3.8.7
        Exploit type: XSS
        Reported Date: 2017-October-28
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-6378

        Description

        Inadequate filtering of file and folder names leads to various XSS
        attack vectors in the media manager." [1]

        "[20180508] - Core - Possible XSS attack in the redirect method

        Project: Joomla!
        SubProject: CMS
        Impact: Low
        Severity: Low
        Versions: 3.1.2 through 3.8.7
        Exploit type: XSS
        Reported Date: 2018-March-30
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-11328

        Description

        Under specific circumstances (a redirect issued with a URI
        containing a username and password when the Location: header
        cannot be used), a lack of escaping the user-info component of
        the URI could result in an XSS vulnerability." [2]

        "[20180507] - Core - Session deletion race condition

        Project: Joomla!
        SubProject: CMS
        Impact: Medium
        Severity: Low
        Versions: 3.0.0 through 3.8.7
        Exploit type: Session race condition
        Reported Date: 2017-July-08
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-11324

        Description

        A long running background process, such as remote checks for core
        or extension updates, could create a race condition where a
        session which was expected to be destroyed would be recreated." [3]

        "[20180506] - Core - Filter field in com_fields allows remote code
        execution

        Project: Joomla!
        SubProject: CMS
        Impact: Moderate
        Severity: Low
        Versions: 3.7.0 through 3.8.7
        Exploit type: Remote Code Execution
        Reported Date: 2018-May-14
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-11321

        Description

        Inadequate filtering allows users authorised to create custom
        fields to manipulate the filtering options and inject an
        unvalidated option." [4]

        "[20180505] - Core - XSS Vulnerabilities & additional hardening

        Project: Joomla!
        SubProject: CMS
        Impact: Moderate
        Severity: Moderate
        Versions: 3.0.0 through 3.8.7
        Exploit type: XSS
        Reported Date: 2018-February-02 & 2018-March-27
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-11326

        Description

        Inadequate input filtering leads to multiple XSS vulnerabilities.
        Additionally, the default filtering settings could potentially
        allow users of the default Administrator user group to perform an
        XSS attack." [5]

        "[20180504] - Core - Installer leaks plain text password to local
        user

        Project: Joomla!
        SubProject: CMS
        Impact: Low
        Severity: Low
        Versions: 3.0.0 through 3.8.7
        Exploit type: Information Disclosure
        Reported Date: 2018-February-09
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-11325

        Description

        The web install application would autofill password fields after
        either a form validation error or navigating to a previous install
        step, and displays the plain text password for the administrator
        account at the confirmation screen." [6]

        "[20180503] - Core - Information Disclosure about unpublished tags

        Project: Joomla!
        SubProject: CMS
        Impact: Low
        Severity: Moderate
        Versions: 3.1.0 through 3.8.7
        Exploit type: Information Disclosure
        Reported Date: 2018-April-27
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-11327

        Description

        Inadequate checks allowed users to see the names of tags that were
        either unpublished or published with restricted view
        permission." [7]

        "[20180502] - Core - Add PHAR files to the upload blacklist

        Project: Joomla!
        SubProject: CMS
        Impact: High
        Severity: Low
        Versions: 2.5.0 through 3.8.7
        Exploit type: Malicious file upload
        Reported Date: 2018-March-14
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-11322

        Description

        Depending on the server configuration, PHAR files might be handled
        as executable PHP scripts by the webserver." [8]

        "[20180501] - Core - ACL violation in access levels

        Project: Joomla!
        SubProject: CMS
        Impact: High
        Severity: Low
        Versions: 2.5.0 through 3.8.7
        Exploit type: ACL violation
        Reported Date: 2018-March-08
        Fixed Date: 2018-May-22
        CVE Number: CVE-2018-11323

        Description

        Inadequate checks allowed users to modify the access levels of
        user groups with higher permissions." [9]

MITIGATION

        All nine issues were fixed on 2018-May-22; the vendor recommends
        upgrading to version 3.8.8, the first release that contains the
        fixes (every affected range above ends at 3.8.7).
        [1][2][3][4][5][6][7][8][9]

REFERENCES

        [1] [20180509] - Core - XSS vulnerability in the media manager
            https://developer.joomla.org/security-centre/737-20180509-core-xss-vulnerability-in-the-media-manager.html

        [2] [20180508] - Core - Possible XSS attack in the redirect method
            https://developer.joomla.org/security-centre/736-20180508-core-possible-xss-attack-in-the-redirect-method.html

        [3] [20180507] - Core - Session deletion race condition
            https://developer.joomla.org/security-centre/735-20180507-core-session-deletion-race-condition.html

        [4] [20180506] - Core - Filter field in com_fields allows remote
            code execution
            https://developer.joomla.org/security-centre/734-20180506-core-filter-field-in-com-fields-allows-remote-code-execution.html

        [5] [20180505] - Core - XSS Vulnerabilities & additional hardening
            https://developer.joomla.org/security-centre/733-20180505-core-xss-vulnerabilities-additional-hardening.html

        [6] [20180504] - Core - Installer leaks plain text password to
            local user
            https://developer.joomla.org/security-centre/732-20180504-core-installer-leaks-plain-text-password-to-local-user.html

        [7] [20180503] - Core - Information Disclosure about unpublished
            tags
            https://developer.joomla.org/security-centre/731-20180503-core-information-disclosure-about-unpublished-tags.html

        [8] [20180502] - Core - Add PHAR files to the upload blacklist
            https://developer.joomla.org/security-centre/730-20180502-core-add-phar-files-to-the-upload-blacklist.html

        [9] [20180501] - Core - ACL violation in access levels
            https://developer.joomla.org/security-centre/729-20180501-core-acl-violation-in-access-levels.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWwYIAox+lLeg9Ub1AQgspRAAm2b9SpK1z/0RMjqV/vSViLHzbZZJTDnX
su23fup4866soWuje0y5iD2vbsHu2Ql6R9wQ3dFU1TvZhWonJNgjdFYuBeL92V0S
b3zFVvjXsQay8Iw5keVQ/mJYmsIIGxzvQiYnoHfl1gr/gGVlAOrMpoIvDGGotqsa
j+DDOdxWX2Gq2PAcws+ptUfztP5uBvKP3ZoOl+GzA3l/2Qgt11Rl9NNp7Hqezrke
psw/HtR92u5j26w1cHLFGNnbPmB+JmxEDE+kR5pTGe47GaJeg+yufVl1CF7jw6ia
Cqs9xRtdtLdypRUpLu2iM+6MrQ8GbdK9w37w8KwaR95DynbHuG4/+4n7XdChUp0r
YdyQbQrY9ymWsKjgmVem8hVfckwb941VQYG5WqvVFz5SbUtkKzVtIUqIeX7mXpYs
JXLyfFpxN7DE0TD2Gghglom4FwLyTZkleeGStWkKl1qhKKlIRGW+z/mPSvJkaSDS
2EHMrmg5bvwCV8FH9TFL/HjtlpHyDCOjE2bAlbbVP9M/7dW0SaOexz0herIV6ODI
6I9e4wvirxRKSt9GtEnFm7R4TTn9FywBrGPGAJvvJ/pbjgARNJjwik6zGtYII2vw
OWm6NDiho5aIluQfzfWolfZrZxp0RQKoeBzZlxDIga3WQBXP8zj//7EAK38qWZuM
XRvlkfw61tM=
=RSSl
-----END PGP SIGNATURE-----
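Editor's worked example for the MITIGATION section and for the PHAR upload issue [8]. It is an addition to this page and is not AusCERT's or Joomla's code. It reads the installed version from Joomla's libraries/src/Version.php (the RELEASE and DEV_LEVEL constant names are taken from the 3.8 tree and are an assumption for other branches), compares it numerically against 3.8.8 so that 3.8.10 is not mistaken for an older release, and greps an Apache config for handler directives that would pass .phar files to the PHP interpreter, which is the server condition the vendor describes for CVE-2018-11322. The Version.php and php.conf used in the demo are constructed samples, not files from a real system; point the functions at a real tree and httpd config instead.

```shell
#!/bin/sh
# Added example (not AusCERT's or Joomla's code): is this Joomla 3.x tree
# below 3.8.8, and would the webserver execute an uploaded .phar as PHP?
set -u

FIXED_VERSION="3.8.8"

# Joomla 3.x keeps its version in libraries/src/Version.php as PHP constants,
# e.g.  const RELEASE = '3.8';  const DEV_LEVEL = '7';
# (constant names taken from the 3.8 tree; an assumption for other branches).
# Prints "3.8.7" for that file, fails if either constant is missing.
joomla_version() {
  release=$(sed -n "s/.*const RELEASE *= *'\([0-9.]*\)'.*/\1/p" "$1" | head -n 1)
  level=$(sed -n "s/.*const DEV_LEVEL *= *'\([0-9]*\)'.*/\1/p" "$1" | head -n 1)
  [ -n "$release" ] && [ -n "$level" ] || return 1
  printf '%s.%s\n' "$release" "$level"
}

# version_lt A B: succeeds when dotted version A is older than B.
# Each component is compared as a number, so 3.8.10 is newer than 3.8.8
# (a plain string compare gets that wrong); missing components count as 0.
version_lt() {
  a="$1." b="$2."
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; a=${a#*.}
    y=${b%%.*}; b=${b#*.}
    [ "${x:-0}" -lt "${y:-0}" ] && return 0
    [ "${x:-0}" -gt "${y:-0}" ] && return 1
  done
  return 1
}

# is_vulnerable VERSION_PHP: 0 if the tree predates 3.8.8, 1 if it is at or
# above it, 2 if the version could not be read.
is_vulnerable() {
  v=$(joomla_version "$1") || return 2
  version_lt "$v" "$FIXED_VERSION"
}

# phar_handled_as_php HTTPD_CONF: 0 if a FilesMatch/AddHandler/AddType
# directive maps .phar to a handler. Distribution mod_php configs commonly
# match ".+\.ph(ar|p|tml)$", which is why an uploaded PHAR runs as PHP.
phar_handled_as_php() {
  grep -iE '^[[:space:]]*(<FilesMatch|AddHandler|AddType).*ph(ar|\(ar)' "$1" >/dev/null
}

# Constructed samples so the checks run offline; replace with real paths.
demo() {
  dir=$(mktemp -d)
  cat > "$dir/Version.php" <<'EOF'
<?php
class Version
{
	const RELEASE = '3.8';
	const DEV_LEVEL = '7';
}
EOF
  cat > "$dir/php.conf" <<'EOF'
<FilesMatch ".+\.ph(ar|p|tml)$">
    SetHandler application/x-httpd-php
</FilesMatch>
EOF
  v=$(joomla_version "$dir/Version.php")
  if is_vulnerable "$dir/Version.php"; then
    echo "Joomla $v: below $FIXED_VERSION, apply the update"
  else
    echo "Joomla $v: at or above $FIXED_VERSION"
  fi
  if phar_handled_as_php "$dir/php.conf"; then
    echo "php.conf: .phar is handed to the PHP handler; uploaded PHAR files would execute"
  fi
  rm -rf "$dir"
}

demo
```

The handler check is deliberately about the webserver rather than Joomla: the upgrade adds phar to Joomla's upload blacklist, but a site that accepts uploads through any other path still depends on the web server not treating .phar as PHP, so both conditions are worth confirming after patching.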