Attack Chain

1. An unauthenticated attacker identifies a public-facing web server hosting Joomla! and the vulnerable RPC Responsive Portfolio component version 1.6.1.
2. The attacker crafts an HTTP GET request targeting the index.php path, specifying the vulnerable component parameters: option=com_pofos and view=pofo.
3. A crafted SQL injection payload, such as id=' OR 1=1-- or similar data exfiltration statements, is embedded within the id parameter of the GET request.
4. The web server receives the request and forwards it to the Joomla! application, which processes the RPC Responsive Portfolio component's logic.
5. Due to improper input validation, the vulnerable component concatenates the malicious id parameter value directly into an SQL query executed against the application's database.
6. The database executes the attacker-controlled SQL query, resulting in the retrieval of sensitive information beyond what is authorized for unauthenticated access.
7. The Joomla! application's HTTP response includes the results of the executed SQL query, returning the exfiltrated sensitive data to the attacker.
8. The attacker then parses the received HTTP response to collect and analyze the confidential database information, achieving their objective of unauthorized data disclosure.

Impact

Successful exploitation of CVE-2017-20258 can lead to a severe data breach, compromising the confidentiality of an organization's database. Attackers can extract various forms of sensitive information, including user account details, passwords, proprietary business data, and internal system configurations. Such exfiltration can result in significant financial losses from regulatory penalties and remediation efforts, severe damage to reputation, and potential for further downstream attacks leveraging the stolen data. While specific victim numbers or affected sectors are not detailed in the advisory, any entity running the vulnerable Joomla! component is exposed to these critical risks.

Recommendation

• Prioritize patching or upgrading the Joomla! Component RPC Responsive Portfolio to a version that remediates CVE-2017-20258 immediately upon availability.
• Deploy the provided Sigma rule "Detect CVE-2017-20258 Joomla! SQL Injection Attempt" to your SIEM/detection platform to identify and alert on attempted exploitation.
• Implement or strengthen Web Application Firewall (WAF) policies to detect and block common SQL injection patterns, specifically targeting the id parameter in requests to index.php?option=com_pofos&view=pofo.
• Regularly review web server access logs for suspicious requests matching the URL pattern index.php?option=com_pofos&view=pofo&id=[SQL] as identified in the IOCs section.