Help
Technical Articles
F5 SMEs share good practice.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Technical Forum Quicklinks: No Replies | Active-Not Solved | Recent Solutions
Custom Alert Banner

F5 AppWorld 2024 session proposal deadline extended to Friday, December 8th!

Joomla LDAP Injection Vulnerability (CVE-2017-14596)

Gal_Goldshtein
F5 Employee
F5 Employee

on ‎29-Sep-2017 03:31

In the recent days, a new vulnerability in Joomla has been published (CVE-2017-14596). The vulnerability concerns Joomla installations which have Joomla’s LDAP plugin installed and are using it to authenticate the system’s users. The vulnerability flowing from insufficient input validation in the authentication function of the Joomla LDAP plugin, which allows attackers to inject a specially crafted LDAP query into the LDAP query responsible for validating the entered username and password. By using the wildcard operator (*) in the injected LDAP query and examining the different error messages shown by the application it is possible to enumerate the system’s administrative username and password and consequently take over Joomla and later the machine hosting it.

0151T000003d763QAA.png

Figure 1: Login request exploiting the vulnerability.

Mitigating the 0-day with BIG-IP ASM

BIG-IP ASM customers under any supported BIG-IP version are already protected against this 0-day vulnerability, as the exploitation attempt will be detected by an existing LDAP injection attack signature which can be found in signature sets that include the “LDAP Injection” attack type.

Following are ASM logs of blocked attempts to exploit protected Joomla application.

0151T000003d764QAA.png

Figure 2:  Exploit blocked with Attack Signature (200005005)

Labels:
0 Kudos
Version history
Last update:
‎29-Sep-2017 03:31
Updated by:
F5 Employee
Contributors
Copyright © 2023 Khoros, LLC