Attack Chain

1. An unauthenticated attacker identifies a vulnerable Joomla! instance running FocalPoint Pro/Free version 1.2.3.
2. The attacker crafts a malicious HTTP GET request targeting index.php on the vulnerable server.
3. The request includes specific parameters: option=com_focalpoint and view=location.
4. The attacker injects SQL commands (e.g., id=1 UNION SELECT USER(), DATABASE()) into the id parameter of this GET request.
5. The vulnerable FocalPoint component processes the request without proper sanitization, leading to the execution of the attacker-supplied SQL queries against the backend database.
6. The database responds to these queries, returning sensitive information such as user credentials, database schemas, or application data within the web application's output.
7. The attacker parses the HTTP response to extract the disclosed sensitive database information.

Impact

Successful exploitation of CVE-2017-20263 grants unauthenticated attackers the ability to extract sensitive information directly from the underlying database of the Joomla! application. This can include confidential user data, hashed passwords, session tokens, and configuration details. Such data exfiltration can lead to severe consequences, including further account compromise, unauthorized access to internal systems, or compliance violations. Organizations in any sector using the vulnerable component are at risk of data breaches and reputational damage if their databases are exposed.

Recommendation

• Patch CVE-2017-20263 by upgrading the Joomla! FocalPoint Pro/Free component to a version beyond 1.2.3 immediately.
• Deploy the Sigma rule "Detects CVE-2017-20263 Exploitation Attempt" to your SIEM system to identify exploitation attempts.
• Enable comprehensive web server access logging to capture full HTTP request details, including query strings, which are essential for the detection rule.