CVE-2016-8870
published 2016-11-04

Priority: P1 (83) · Severity: high · CVSS 3.0 base score: 8.1
Vector: AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploited in the wild (in-the-wild exploit; VulnCheck KEV)
EPSS: 82.09% (99.6th percentile)
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.

Affected (1 range)

Vendor    Product    Version range    Fixed in
joomla    joomla!    <= 3.6.3         3.6.4

Detection & IOCs (extracted from sources)

Path:      /components/com_users/controllers/user.php
Filename:  exploit.pht
Path:      /images/OGBUHCF5F.pht
Other:     SetHandler application/x-httpd-php

  • Detect POST requests supplying a `user` array parameter to the Joomla Users component registration endpoint; this is the input format the vulnerable UsersControllerUser register method expects.
  • Alert on file uploads to the Joomla /images/ directory with a .pht extension. Such files are used in post-exploitation to achieve remote code execution together with a SetHandler application/x-httpd-php directive, which makes the web server execute them as PHP.
  • Use the Fortinet IPS signature 'Joomla.Core.Account.Creation.Elevated.Privileges' to detect exploitation attempts for both CVE-2016-8870 and CVE-2016-8869.
  • The account-creation bypass (CVE-2016-8870) only matters when user registration has been disabled in the Joomla configuration. Sites with registration enabled remain exposed to the privilege escalation chain (CVE-2016-8869); CVE-2016-8870 is the specific enabler when registration is off.
  • Affected versions are Joomla 3.4.4 through 3.6.3. The fix in 3.6.4 removed the vulnerable secondary register function from user.php entirely rather than adding a check of the Allow User Registration setting.
  • If a mail server is configured in Joomla, a confirmation email is sent to the attacker-supplied address and the new account stays disabled until activated. This may delay exploitation but does not prevent it.

CVSS provenance

Source       Version   Score   Severity   Vector
nvd          v3.0      8.1     HIGH       CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0      6.8     MEDIUM     AV:N/AC:M/Au:N/C:P/I:P/A:P
vulncheck              8.1     HIGH