Joomla vulnerability analysis: account creation and privilege escalation


Two critical vulnerabilities found in Joomla

What are these two vulnerabilities? The first concerns the possibility of creating an account [1] while the second allows privilege escalation [2].


A key point about these flaws is that they affect the CMS core itself, not a plugin poorly written by a third-party developer, as is usually the case.

These vulnerabilities affect Joomla versions 3.4.4 to 3.6.3. Sites using this CMS have been vulnerable since September 8, 2015, the release date of version 3.4.4.

A security patch is already available via version 3.6.4.

The patch

To understand the problem more effectively, we looked at the difference between versions 3.6.3 and 3.6.4 in the Joomla GitHub repository [3].

[Image: Joomla vulnerability detection with Orange Cyberdefense]

As we can see, the “register” method of the user controller has been removed in this patch. This method allowed the creation of a user, so we will analyse the mechanics of user registration.

First vulnerability: account creation

When the user registration option is authorised, the following form is available:

[Image: Joomla vulnerability detection with Orange Cyberdefense]

So we used a web proxy to analyze the requests exchanged between the browser and the CMS, to better understand the sequence of events.

We see that the form is sent with the values entered by the user and others that were present in hidden fields. The interesting parts to analyze are the URL and the body of the message.


Indeed, we can see a “task” parameter in the URL with the value “registration.register” (which we also find in the body of the request). This refers to the “register” method of the “registration” controller, which is the method our request invoked.


The body of the request is as follows:

[Image: Joomla vulnerability detection with Orange Cyberdefense]

We note the presence of an “option” parameter with the value “com_users”, which refers to the component “com_users” that is located in the “components” directory.

If we look at the beginning of the code associated with the “register” method of the “registration” controller of the “com_users” component, we have this:

[Image: Joomla vulnerability detection with Orange Cyberdefense]

The component then checks that we are allowed to register.

When we look at the code that was deleted from the “user” controller, there was no check to see whether we were allowed to execute it.

So, if we called “user.register” instead of “registration.register”, we could create an account without having to be authorized.

Second vulnerability: the elevation of privilege

A user is associated with one or more user groups. The Administrators group is a particular group with a number of privileges.

Thus, in order to perform a privilege elevation, we include the groups we want to join and add the administrator group identifier in the request in order to have full control of the Joomla CMS.

Joomla vulnerabilities: our recommendations

Since the detection of these flaws, massive attacks can be launched against every Joomla CMS exposed on the Internet. We have found that these vulnerabilities are critical, since they allow any attacker to create a user account with administrative rights on the CMS. Once this account is created, the attacker can install a malicious Joomla plugin (backdoor / webshell) in order to keep persistent access even after the CMS is updated.

We strongly recommend that you install the patch by migrating to version 3.6.4, but also check the integrity of the files to ensure that no backdoor is present on your servers.
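To support the check recommended above, here is an added example (not part of the original post or of Joomla's code) that scans web server access logs for requests naming the removed “user.register” task in the URL. It assumes combined log format; the log lines, IP addresses, URL paths and status codes are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: IP ident user [timestamp] "METHOD URL PROTO" STATUS ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Task naming the "register" method of the "user" controller, removed in 3.6.4.
SUSPECT_TASK = "user.register"

# Constructed sample lines (documentation IP ranges, invented paths and statuses).
SAMPLE_LOG = [
    '192.0.2.10 - - [26/Oct/2016:10:01:02 +0000] '
    '"POST /index.php/component/users/?task=registration.register HTTP/1.1" 303 0',
    '198.51.100.7 - - [26/Oct/2016:10:05:41 +0000] '
    '"POST /index.php?option=com_users&task=user.register HTTP/1.1" 303 0',
    '198.51.100.7 - - [26/Oct/2016:10:05:44 +0000] '
    '"POST /index.php?option=com_users&task=user%2Eregister HTTP/1.1" 303 0',
    '203.0.113.5 - - [26/Oct/2016:10:07:00 +0000] '
    '"GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 5120',
]


def find_user_register(lines):
    """Return (ip, timestamp, method, status) for each request with task=user.register."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log-format line
        # parse_qs percent-decodes values, so task=user%2Eregister is caught too.
        query = parse_qs(urlsplit(m["url"]).query)
        # Lower-casing is a conservative choice made for this example.
        tasks = [t.strip().lower() for t in query.get("task", [])]
        if SUSPECT_TASK in tasks:
            hits.append((m["ip"], m["ts"], m["method"], int(m["status"])))
    return hits


if __name__ == "__main__":
    for ip, ts, method, status in find_user_register(SAMPLE_LOG):
        print(f"{ts}  {ip}  {method}  status={status}  task={SUSPECT_TASK}")
```

Access logs record only the URL, so a request carrying the task solely in its body will not appear here; review the user table for unexpected accounts and administrator group memberships as well.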

[1] https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html

[2] https://developer.joomla.org/security-centre/660-20161002-core-elevated-privileges.html

[3] https://github.com/joomla/joomla-cms/commit/bae1d43938c878480cfd73671e4945211538fdcf

About the blogger

Fabien Jobin is a cybersecurity consultant at Orange Cyberdefense.
