Js Jobs 1.1.6 for Joomla! security issue

Preamble

While preparing a new tutorial on CMS vulnerabilities for Linux User & Developer magazine, I found a new vulnerability affecting JS Jobs 1.1.6 and earlier for Joomla!. I reported it to the developers (18/12/2016) and to the VEL list as well. As of this writing, there is still no official released patch. The issue was found by reading the source in the vim editor and following the code path for the “Company” model inside the component.

Spotting the vulnerability

I started by looking for potential SQL-i vulnerabilities. During my search, I came upon this code snippet:

function getCompanybyIdforForm($id, $uid, $visitor, $vis_email, $jobid) {
        $db = $this->getDBO();
        if (is_numeric($uid) == false)
            return false;
...
}

This function is called from the view component of the Company model. Here $uid is the numeric id of the user accessing the data. As can be seen in the code above, the function only checks that $uid is numeric; it never checks whether $uid == 0 (a non-authenticated user). Therefore, any non-registered user can reach this function and obtain the data for a particular company. Going back to the view.html.php file for the Company model we find:

elseif ($layout == 'formcompany') {           // form company
...
  $result = $this->getJSModel('company')->getCompanybyIdforForm($companyid, $uid, '', '', '');
...

Therefore, an HTTP GET request to the following URL returns a filled-in form holding any registered company’s data:

http://IP_JOOMLA_SERVER/index.php?option=com_jsjobs&c=company&view=company&layout=formcompany&cd=[idcompany]

Where [idcompany] is the numeric id of one of the companies registered in the database. Apart from being able to obtain all the data for a particular company, the fields of this form can be modified and the changes stored to the database too (the message “Company has been successfully saved” appears, along with a paradoxical error message telling you that you are not logged in and therefore do not have access to the private area ;-)).

You can modify any field from the Company form and then save the changes.

Under some circumstances it is even possible to create a new company by calling this form with a non-existing [idcompany].

Fixing the issue

Until JoomSky releases an official patch, it is possible to fix this security issue (at least for non-registered Joomla! users) by checking the value of $uid in the getCompanybyIdforForm function (components/com_jsjobs/views/company/Company.php). Just modify line 37 so the function looks like this:

function getCompanybyIdforForm($id, $uid, $visitor, $vis_email, $jobid) {
        $db = $this->getDBO();
        if (is_numeric($uid) == false || $uid == 0)
            return false;

Modify the old Joomscan to detect the vulnerability

Joomscan is an old Joomla! vulnerability scanner developed by OWASP. Although it is quite dated, you can leverage it to detect this new vulnerability. First, add the vulnerability to its database by appending this line to the joomscandb.txt file:

Component: JsJobs 1.1.X (com_jsjobs) Company Data Form vulnerability Versions Affected: 1.1.6 <= |/components/com_jsjobs|/components/com_jsjobs/index.php?option=com_jsjobs&c=common&view=company&layout=formcompany&cd=1

Then add this code snippet to the joomscan.pl file so the scanner can detect the vulnerability (it looks for the form “adminForm” inside the HTTP response from the server, which is only present when the company form has been rendered):

case(/com_jsjobs/)
{
    # Request the check URL stored in the database entry above
    my $jsreq = $ua->request(GET $url.$exploit );
    # A rendered company form contains the "adminForm" element
    if ($jsreq->content =~ /name="adminForm" id="adminForm"/gi){
        $isvuln = 1;
    }else{$vulnans = 'No';}
}

Now run the tool to test it:

./joomscan -u http://JOOMLA_SERVER

...

# 29
Info -> Component: JsJobs 1.1.X (com_jsjobs) Company Data Form vulnerability
Versions Affected: 1.1.6 <=
Check: /components/com_jsjobs/
Exploit: /components/com_jsjobs/index.php?option=com_jsjobs&c=common&view=company&layout=formcompany&cd=1
Vulnerable? Yes

Fix the issue as described and re-run the tool:

./joomscan -u http://JOOMLA_SERVER

# 29
Info -> Component: JsJobs 1.1.X (com_jsjobs) Company Data Form vulnerability
Versions Affected: 1.1.6 <=
Check: /components/com_jsjobs/
Exploit: /components/com_jsjobs/index.php?option=com_jsjobs&c=common&view=company&layout=formcompany&cd=1
Vulnerable? No
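Joomscan only tells you whether a site is currently exposed; a site owner who was running the unpatched component also wants to know whether the form was being requested from the web server logs. The following Python script is an added example (not part of the original post and not JoomSky's or OWASP's code): it parses Apache “combined” access log lines, flags every request to the com_jsjobs company form layout that carries a cd parameter, and summarises per client how many distinct company ids were requested and whether a save (POST) was attempted. The log lines are constructed for the example; the field layout assumes the default combined log format, which records no login state, so the summary is a starting point for correlating with Joomla! session data rather than proof of unauthenticated access on its own.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Dec/2016:10:01:02 +0000] "GET /index.php?option=com_jsjobs&c=company&view=company&layout=formcompany&cd=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2016:10:01:05 +0000] "GET /index.php?option=com_jsjobs&c=company&view=company&layout=formcompany&cd=2 HTTP/1.1" 200 5133 "-" "Mozilla/5.0"
203.0.113.7 - - [19/Dec/2016:10:01:09 +0000] "POST /index.php?option=com_jsjobs&c=company&view=company&layout=formcompany&cd=2 HTTP/1.1" 303 0 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2016:10:02:00 +0000] "GET /index.php?option=com_jsjobs&c=company&view=company&layout=listcompanies HTTP/1.1" 200 9001 "-" "Mozilla/5.0"
198.51.100.4 - - [19/Dec/2016:10:02:30 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 4200 "-" "Mozilla/5.0"
"""

# Client ip, timestamp, method, request path and status from a combined log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["path"])
    # Keep only the first value of each query parameter.
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def is_company_form_request(rec):
    """True when the request targets the company form layout with a cd parameter."""
    q = rec["query"]
    return (
        q.get("option") == "com_jsjobs"
        and q.get("view") == "company"
        and q.get("layout") == "formcompany"
        and "cd" in q
    )


def find_company_form_hits(log_text):
    """Collect every company form request as (ip, method, cd, status)."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_company_form_request(rec):
            hits.append({
                "ip": rec["ip"],
                "method": rec["method"],
                "cd": rec["query"]["cd"],
                "status": int(rec["status"]),
            })
    return hits


def summarize_by_client(hits):
    """Per client ip: the set of company ids requested and the number of POST (save) attempts."""
    summary = defaultdict(lambda: {"ids": set(), "writes": 0})
    for h in hits:
        summary[h["ip"]]["ids"].add(h["cd"])
        if h["method"] == "POST":
            summary[h["ip"]]["writes"] += 1
    return dict(summary)


if __name__ == "__main__":
    for ip, s in summarize_by_client(find_company_form_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {len(s['ids'])} company form(s) requested, {s['writes']} save attempt(s)")
```

A single client walking through consecutive cd values, or any POST to the form layout from a client that never authenticated, is the pattern worth investigating; the listcompanies layout and unrelated components are ignored so normal browsing does not show up in the summary.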