Attack Chain

1. An unauthenticated attacker identifies a Joomla website using JE Photo Gallery 1.1.
2. The attacker crafts a malicious HTTP GET request targeting the index.php endpoint with the com_jephotogallery component.
3. The attacker injects SQL code into the categoryid parameter of the GET request (e.g., index.php?option=com_jephotogallery&view=category&categoryid=1' AND 1=1--).
4. The Joomla application processes the crafted request, and due to the SQL injection vulnerability, the injected SQL code is executed against the database.
5. The attacker may use SQL injection techniques to extract data from database tables containing usernames, password hashes, and other sensitive information.
6. The extracted data is returned to the attacker through the HTTP response.
7. The attacker analyzes the extracted data to identify valid user credentials.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2018-25433) allows unauthenticated attackers to extract sensitive database information from vulnerable Joomla installations using JE Photo Gallery 1.1. This can lead to the compromise of user accounts, disclosure of sensitive data, and potential unauthorized access to the Joomla website’s administration panel. The vulnerability has a CVSS v3.1 score of 8.2, indicating a high severity.

Recommendation

• Apply the provided Sigma rule Detect CVE-2018-25433 Exploitation - Joomla JE Photo Gallery SQL Injection Attempt to detect attempts to exploit this vulnerability by monitoring web server logs for suspicious categoryid parameter values.
• Inspect web server logs for HTTP GET requests to index.php with the com_jephotogallery component and the categoryid parameter containing SQL injection attempts (e.g., SQL keywords, comments).
• Implement input validation and sanitization for the categoryid parameter in the JE Photo Gallery component to prevent SQL injection attacks.
• Consider removing the vulnerable JE Photo Gallery component if an update is not available or feasible.