Security Centre

• Project: Joomla!
• Severity: High
• Versions: 1.5.0 through 3.6.5
• Exploit type: Remote Code Execution in third-party PHPMailer library
• CVE Numbers: CVE-2016-10033 and CVE-2016-10045

Description

All versions of the third-party PHPMailer library distributed with Joomla! versions up to 3.6.5 are vulnerable to a remote code execution vulnerability. This is patched in PHPMailer 5.2.20 which will be included with Joomla! 3.7. After analysis, the JSST has determined that through correct use of the JMail class, there are additional validations in place which make executing this vulnerability impractical within the Joomla environment. As well, the vulnerability requires being able to pass user input to a message’s “from” address; all places in the core Joomla API which send mail use the sender address set in the global configuration and does not allow for user input to be set elsewhere. However, extensions which bundle a separate version of PHPMailer or do not use the Joomla API to send email may be vulnerable to this issue.

Generally, the Joomla project does not issue advisories regarding third party libraries, however given the severity of this issue we felt it important to advise our users that we are aware of this issue and we have determined that the additional validations in our API prevent triggering this vulnerability.

Affected Installs

Joomla! CMS versions 1.5.0 through 3.6.5

Solution

No action required for Joomla users, the updated library will be included in the next scheduled release and additional mechanisms exist in Joomla core to prevent triggering the vulnerability. Users of the PHPMailer library separate from Joomla are advised to upgrade to 5.2.20 or newer ASAP.

Additional Resources

• https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html
• https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10045-Vuln-Patch-Bypass.html
• https://github.com/PHPMailer/PHPMailer/blob/master/SECURITY.md
• https://github.com/PHPMailer/PHPMailer/wiki/About-the-CVE-2016-10033-and-CVE-2016-10045-vulnerabilities

Contact

The JSST at the Joomla! Security Centre.

Project: Joomla!
SubProject: CMS

Description
Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restricts a user’s ability to ma…

• Project: Joomla!
• SubProject: CMS
• Severity: Low
• Versions: 3.0.0 through 3.6.4
• Exploit type: Information Disclosure
• Reported Date: 2016-April-15
• Fixed Date: 2016-December-06
• CVE Number: CVE-2016-9837

Description

Inadequate ACL checks in the Beez3 com_content article layout override enables a user to view restricted content.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.6.4

Solution

Upgrade to version 3.6.5

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: Low
• Versions: 3.0.0 through 3.6.4
• Exploit type: Shell Upload
• Reported Date: 2016-October-26
• Fixed Date: 2016-December-06
• CVE Number: CVE-2016-9836

Description

Inadequate filesystem checks allowed files with alternative PHP file extensions to be uploaded.

Affected Installs

Joomla! CMS versions 3.0.0 through 3.6.4

Solution

Upgrade to version 3.6.5

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: High
• Versions: 1.6.0 through 3.6.4
• Exploit type: Elevated Privileges
• Reported Date: 2016-November-04
• Fixed Date: 2016-December-06
• CVE Number: CVE-2016-9838

Description

Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

Affected Installs

Joomla! CMS versions 1.6.0 through 3.6.4

Solution

Upgrade to version 3.6.5

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: High
• Versions: 3.4.4 through 3.6.3
• Exploit type: Account Modifications
• Reported Date: 2016-October-26
• Fixed Date: 2016-October-25
• CVE Number: CVE-2016-9081

Description

Incorrect use of unfiltered data allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

Affected Installs

Joomla! CMS versions 3.4.4 through 3.6.3

Solution

Upgrade to version 3.6.4

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: High
• Versions: 3.4.4 through 3.6.3
• Exploit type: Elevated Privileges
• Reported Date: 2016-October-21
• Fixed Date: 2016-October-25
• CVE Number: CVE-2016-8869

Description

Incorrect use of unfiltered data allows for users to register on a site with elevated privileges.

Affected Installs

Joomla! CMS versions 3.4.4 through 3.6.3

Solution

Upgrade to version 3.6.4

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: High
• Versions: 3.4.4 through 3.6.3
• Exploit type: Account Creation
• Reported Date: 2016-October-18
• Fixed Date: 2016-October-25
• CVE Number: CVE-2016-8870

Description

Inadequate checks allows for users to register on a site when registration has been disabled.

Affected Installs

Joomla! CMS versions 3.4.4 through 3.6.3

Solution

Upgrade to version 3.6.4

Contact

The JSST at the Joomla! Security Centre.

• Project: Joomla!
• SubProject: CMS
• Severity: Low
• Versions: 1.6.0 through 3.6.0
• Exploit type: XSS Vulnerability
• Reported Date: 2016-February-05
• Fixed Date: 2016-August-03
• CVE Number: Requested

Description

Inadequate escaping leads to XSS vulnerability in mail component.

Affected Installs

Joomla! CMS versions 1.6.0 through 3.6.0

Solution

Upgrade to version 3.6.1

Contact

The JSST at the Joomla! Security Centre.

Project: Joomla!
SubProject: CMS
Severity: Low
Versions: 1.6.0 through 3.6.0
Exploit type: ACL Violation
Reported Date: 2016-April-29
Fixed Date: 2016-August-03
CVE Numbers: requested

Description
Inadequate ACL checks in com_content provide potential…