CVE-2016-8869
published 2016-11-04

Priority: P1 89 · critical · 9.8 (CVSS 3.0)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploitation: exploited in the wild (ITW), public exploit available, listed in VulnCheck KEV
EPSS: 97.43% (99.9th percentile)
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4 allows remote attackers to gain privileges by leveraging incorrect use of unfiltered data when registering on a site.

Affected (1 range)

Vendor: joomla
Product: joomla!
Version range: <= 3.6.3
Fixed in: 3.6.4

Detection & IOCs (extracted from sources)

Path: controllers/user.php
Filename: exploit.pht
URL: http://localhost:8080/joomla/images/OGBUHCF5F.pht
Other: SetHandler application/x-httpd-php (Apache handler directive used to make the uploaded file execute as PHP)
  • Detect POST data containing the `user` array name in registration requests directed at the secondary controller, as this is the required parameter format for the vulnerable UsersControllerUser register method.
  • Alert on uploads of `.pht` files to the Joomla `/images/` directory, as the exploit uploads a PHP-executable file with a `.pht` extension to achieve remote code execution post-privilege-escalation.
  • Use Fortinet IPS signature `Joomla.Core.Account.Creation.Elevated.Privileges` to detect exploitation attempts for both CVE-2016-8870 and CVE-2016-8869.
  • The Metasploit auxiliary module `auxiliary/admin/http/joomla_registration_privesc` targets Joomla 3.4.4 through 3.6.3; observing its request pattern should be treated as an active exploitation indicator.
  • The privilege escalation (CVE-2016-8869) is only exploitable via the secondary `UsersControllerUser` register method; the default `UsersControllerRegistration` path correctly filters the `groups` parameter. Detection logic must therefore distinguish between the two `task` values rather than alerting on every registration.
  • If a mail server is configured in Joomla, a confirmation email is sent and the created account stays disabled until activated; detection should also cover account activation requests that follow a suspicious registration.
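The detection bullets above applied to a few constructed requests, as an added example rather than code from the page or from any vendor's signature set. It merges query-string and form-body parameters (Joomla accepts `task` in either), flags registrations routed to `user.register` that carry the `user[...]` array, escalates when `user[groups]` is set, watches for `.pht` files under `/images/` (the listed URL is reused as the sample), and correlates a later `registration.activate` request with a flagged source address. Group id 7 being Administrator reflects a default Joomla install and is an assumption; the sample traffic and the `RegistrationWatch` class are constructed for the example.

```python
"""Added example: request classifier for the CVE-2016-8869 indicators listed above.
Traffic below is constructed, not captured; the .pht URL is the IOC from the page."""
import re
from urllib.parse import parse_qs, urlparse

# A .pht/.phtml file requested from the Joomla images directory.
PHT_PATH = re.compile(r"/images/[^?\s]*\.pht(ml)?$", re.IGNORECASE)
# filename="..." parts of a multipart upload body.
MULTIPART_FILENAME = re.compile(r'filename="([^"]+)"', re.IGNORECASE)


def _params(url, body):
    """Merge query-string and form-encoded body parameters; Joomla reads `task` from either."""
    merged = dict(parse_qs(urlparse(url).query, keep_blank_values=True))
    if body and not body.startswith("--"):  # multipart bodies are handled separately
        merged.update(parse_qs(body, keep_blank_values=True))
    return merged


def classify_request(method, url, body=""):
    """Return alert strings for one request; an empty list means nothing of interest."""
    alerts = []
    path = urlparse(url).path
    params = _params(url, body)
    task = (params.get("task") or [""])[0].lower()

    # Rule 1: registration through the secondary UsersControllerUser::register task,
    # which reads the `user` array without the filtering the default path applies.
    user_keys = [k for k in params if k.startswith("user[")]
    if method == "POST" and task == "user.register" and user_keys:
        alerts.append("HIGH: registration via task=user.register with user[...] parameters")
        groups = [v for k, vals in params.items() if k.startswith("user[groups]") for v in vals]
        if groups:  # group 7 is Administrator on a default install (assumption)
            alerts.append(f"CRITICAL: user[groups] supplied during registration: {groups}")
    # The default registration.register path filters groups; note probing, do not page on it.
    if task == "registration.register" and any(k.startswith("jform[groups]") for k in params):
        alerts.append("LOW: jform[groups] on default registration path (filtered server-side)")

    # Rule 2: a PHP-executable .pht dropped into, or executed from, /images/.
    if PHT_PATH.search(path):
        alerts.append(f"HIGH: request for .pht under /images/: {path}")
    for fname in MULTIPART_FILENAME.findall(body or ""):
        if fname.lower().endswith((".pht", ".phtml")):
            alerts.append(f"HIGH: multipart upload of {fname}")
        if fname == ".htaccess" and "SetHandler" in body:
            alerts.append("HIGH: .htaccess upload containing SetHandler")
    return alerts


class RegistrationWatch:
    """Stateful pass: flag activation requests that follow a suspicious registration
    from the same source address (constructed helper, not a Joomla component)."""

    def __init__(self):
        self.flagged_sources = set()

    def process(self, src_ip, method, url, body=""):
        alerts = classify_request(method, url, body)
        if any(a.startswith(("HIGH", "CRITICAL")) for a in alerts):
            self.flagged_sources.add(src_ip)
        task = (_params(url, body).get("task") or [""])[0].lower()
        if task == "registration.activate" and src_ip in self.flagged_sources:
            alerts.append("MEDIUM: account activation after a suspicious registration from this source")
        return alerts


# Constructed sample traffic: (src_ip, method, url, body).
SAMPLE_TRAFFIC = [
    # Benign sign-up through the default controller: jform fields, no groups.
    ("203.0.113.5", "POST", "/index.php/component/users/?task=registration.register",
     "jform[name]=Alice&jform[username]=alice&jform[email1]=alice%40example.com"
     "&jform[password1]=pw&jform[password2]=pw"),
    # Exploit-shaped sign-up: secondary controller, `user` array, groups forced to 7.
    ("198.51.100.7", "POST", "/index.php?option=com_users&task=user.register",
     "user[name]=Mallory&user[username]=mallory&user[email1]=m%40example.com"
     "&user[password1]=pw&user[password2]=pw&user[groups][]=7"),
    # Activation of the account created above (token value is made up).
    ("198.51.100.7", "GET", "/index.php?option=com_users&task=registration.activate&token=abc123", ""),
    # Post-privesc: hitting the uploaded .pht (URL taken from the IOC list above).
    ("198.51.100.7", "GET", "http://localhost:8080/joomla/images/OGBUHCF5F.pht", ""),
]


def run(traffic=SAMPLE_TRAFFIC):
    """Run the stateful watch over the traffic and return one alert list per request."""
    watch = RegistrationWatch()
    return [watch.process(*req) for req in traffic]


if __name__ == "__main__":
    for req, alerts in zip(SAMPLE_TRAFFIC, run()):
        print(req[1], req[2], "->", alerts or "clean")
```

The benign request produces no alert, the `user.register` request produces both a HIGH and a CRITICAL finding, the activation that follows is tied back to the same source, and the `.pht` fetch is flagged on the path alone. In a real deployment the parameters would come from a reverse-proxy or WAF log that records POST bodies; without body logging only the `task` value and the `.pht` path rules remain usable.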

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
VulnCheck: 9.8 CRITICAL