Analysis of CVE-2020-10239
- A user in the Manager group
- Joomla core from 3.7.0 to 3.9.15
A user in the Manager group has these quick accesses:
Select New, set the Type field as in the picture below, and the result:
Fill in anything; the result after selecting the Save button:
Error: Only a Super User can create an SQL field!
Scenario: create a new field with an allowed type, text. Then intercept the save request and change the type to sql. Expected result: a new SQL field instead of a text field.
Create a new field with the allowed type text, as in the picture below:
Then select the Save button.
Save again, intercept this request, and change it as in the scenario above:
In the request, the jform%5Btype%5D=text parameter is changed to jform%5Btype%5D=sql.
Forward it, and the result:
Scroll down to add a new SQL query:
UPDATE #__user_usergroup_map SET group_id = 8 WHERE user_id=76 AND group_id=6
The user_usergroup_map table maps users to user groups. 8 is the Super User group; 76 is the user's id.
Some ideas about triggering RCE:
- Get a Super User's session: RCE can only be triggered with a Super User's session.
- SQL query to RCE: RCE can only be triggered when the database user was dba.
- I have chosen to change myself to Super User and then trigger RCE: independent.
After saving, how is it triggered?
Go to create a new Article; this triggers it:
Now you are Super User and can trigger RCE as:
The faulty code is in:
The onContentBeforeSave function checks the wrong condition: the isNew parameter checks whether the field is new or not, but, as in the scenario above, Joomla did not check when updating an existing field in com_fields.
To fix it, Joomla removed the isNew condition, as in the picture above.
CVE-2020-10239 allows RCE.
Update to 3.9.16 or the latest version.
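As an added illustration (not Joomla's own code), a Python model of the authorisation check in onContentBeforeSave before and after the fix; the function and parameter names are assumptions, and the group ids 6 (Manager) and 8 (Super User) follow the write-up.

```python
"""Model of the com_fields SQL-field authorisation check behind CVE-2020-10239.

Simplified stand-in for the check in Joomla's system/fields plugin
(onContentBeforeSave). Function and parameter names are assumptions,
not Joomla's actual code; only the shape of the condition is modelled.
"""
from dataclasses import dataclass

MANAGER_GROUP = 6      # Joomla's default Manager group id
SUPER_USER_GROUP = 8   # Joomla's default Super Users group id


@dataclass
class User:
    groups: set

    def is_super_user(self) -> bool:
        return SUPER_USER_GROUP in self.groups


def before_save_vulnerable(user: User, field_type: str, is_new: bool) -> bool:
    """3.7.0 - 3.9.15 behaviour: the check is gated on isNew, so only the
    creation of an SQL field is refused. Re-saving an existing text field
    with its type changed to 'sql' is an update (is_new=False) and passes."""
    if is_new and field_type == "sql" and not user.is_super_user():
        return False  # "Only a Super User can create an SQL field!"
    return True


def before_save_fixed(user: User, field_type: str, is_new: bool) -> bool:
    """3.9.16 behaviour: the isNew condition is dropped, so both creation
    and update of an SQL field require Super User."""
    if field_type == "sql" and not user.is_super_user():
        return False
    return True


def replay_scenario(check) -> list:
    """Replay the write-up's scenario against a given check: a Manager
    creates an SQL field directly, creates a text field, then re-saves
    that field with the type changed to sql. Returns whether each save
    is allowed."""
    manager = User(groups={MANAGER_GROUP})
    return [
        check(manager, "sql", is_new=True),    # direct create: refused by both
        check(manager, "text", is_new=True),   # create text field: allowed
        check(manager, "sql", is_new=False),   # update text -> sql: the bug
    ]
```

The vulnerable check allows the third save, which is the update step in the scenario above; the fixed check refuses it.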