Authentication Bypass Hits Joomla!

Users of Akeeba Backup for Joomla! are subject to a vulnerability that could allow an attacker to list and download backups created with the Akeeba extension. And with a copy of the backups, an attacker can find database passwords stored at configuration.php and the user list along with their hashed passwords and hashed password-reset tokens.

Content management systems  (CMS) like Joomla! are favorite targets for hackers looking to conprosise websites by serving malware or otherwise wreaking havoc. The target area for the vulnerability is fairly wide, given Akeeba’s 8 million+ downloads, according to Sucuri, which uncovered the flaw.  The vulnerability is present on Joomla websites running Akeeba that have the “Enable front-end and remote backup” option activated.

“Note that the attack requires a very high level of sophistication, such that only an experienced cryptanalyst can understand it,” said Marc-Alexandre Montpas, a Sucuri researcher, in a blog. “This is why it went undetected and unexploited for years. If your site is hacked or got hacked recently, it was not likely through this vulnerability.”

The Akeeba extension contains a full-blown JSON API which allows its users to set up a remote automatic backup system. It also implements advanced encryption mechanisms (using AES with the Cipher-block chaining (CBC) and Counter (CTR) encryption modes) intended to provide a safe way to prevent eavesdroppers from stealing backup for websites that does not have a SSL certificate.

The problem was located in the way Akeeba handled user authentication when an encrypted request was received.

“The extension would simply not go through the authentication routine, based on the assumption that if the user was able to send a valid encrypted JSON payload, he knows the website’s secret key, and if he knows that piece of information it is a legit user,” explained Montpas.

He added, “The problem with this behavior is an attacker could guess another key by brute forcing valid encrypted JSON payloads, one character at a time. Once that’s done, he could communicate with the API just like a legit user would.”

Being able to communicate with the API, an attacker could also use his new capacity to bypass cryptographic protections put in place by Joomla! on password reset requests, which only works against users with administrative privileges that are not super-administrators.

Akeeba has issued a patch for the issue. 

What’s Hot on Infosecurity Magazine?