Joomla! User Bench Component SQL Injection (CVE-2017-20254)

CVE-2017-20254 identifies an SQL injection vulnerability in the Joomla! Component User Bench version 1.0. This flaw allows an unauthenticated attacker to execute arbitrary SQL queries against the underlying database. The vulnerability specifically lies in the userid parameter when accessed via the option=com_userbench&view=detail GET request to index.php. Attackers can inject malicious SQL code, enabling them to bypass authentication, extract sensitive information such as user credentials, hashed passwords, and critical configuration data from the database. This vulnerability poses a significant risk to the confidentiality and integrity of Joomla! installations running the affected component.

Attack Chain

1. Initial Access (Web Request): An unauthenticated attacker sends a crafted HTTP GET request to a vulnerable Joomla! instance running the User Bench 1.0 component.
2. Vulnerability Exploitation (SQL Injection): The GET request targets index.php with parameters option=com_userbench&view=detail&userid=, where the userid parameter contains a malicious SQL injection payload (e.g., ' UNION SELECT user,password FROM jos_users-- -).
3. Database Query Manipulation: The vulnerable component processes the userid parameter without proper sanitization, leading to the attacker's SQL payload being directly appended and executed within the backend database query.
4. Information Disclosure: The injected SQL query is designed to extract sensitive data from the database, such as user credentials (usernames, hashed passwords), configuration data, or other proprietary information.
5. Data Exfiltration: The results of the malicious SQL query are returned within the HTTP response, allowing the attacker to exfiltrate the sensitive database information.
6. Impact (Potential): With the extracted credentials, the attacker could gain unauthorized access to the Joomla! administration panel or other connected systems, leading to further compromise, data modification, or service disruption.

Impact

A successful exploitation of CVE-2017-20254 allows unauthenticated attackers to steal sensitive data from the affected Joomla! database. This includes user credentials, database schema, configuration settings, and other critical information. The compromise of credentials could lead to full administrative control over the Joomla! instance, enabling defacement, content manipulation, or the injection of malicious web shells for further system compromise. The severity of impact depends on the criticality of the data stored in the Joomla! database and its connectivity to other internal systems.

Recommendation

• Immediately remove or update the Joomla! Component User Bench to a version that patches CVE-2017-20254, as version 1.0 is vulnerable.
• Deploy the Sigma rules in this brief to your SIEM and tune for your environment to detect exploitation attempts of CVE-2017-20254.
• Ensure web server access logs are collected and ingested into your SIEM, specifically capturing full URI and query parameters, to allow the rules in this brief to function effectively.
• Review web server logs for suspicious GET requests containing SQL injection payloads as described in the Attack Chain.