CVE-2016-8870
Published 2016-11-04
Priority P183 · high · 8.1 (CVSS 3.0)
AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 82.09% (99.6th percentile)
The register method in the UsersModelRegistration class in controllers/user.php in the Users component in Joomla! before 3.6.4, when registration has been disabled, allows remote attackers to create user accounts by leveraging failure to check the Allow User Registration configuration setting.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomla | joomla_! | <= 3.6.3 | — |
Detection & IOCs
- Detect POST requests supplying a `user` array parameter to the Joomla Users component registration endpoint, which is the required input format for the vulnerable UsersControllerUser register method.
- Alert on file uploads to the Joomla /images/ directory with .pht extensions, which are used in post-exploitation to achieve remote code execution via the SetHandler application/x-httpd-php technique.
- Use the Fortinet IPS signature 'Joomla.Core.Account.Creation.Elevated.Privileges' to detect exploitation attempts for both CVE-2016-8870 and CVE-2016-8869.
- The vulnerability is only exploitable when user registration has been disabled in Joomla configuration; sites with registration enabled are still vulnerable to the privilege escalation chain (CVE-2016-8869) but the account-creation bypass (CVE-2016-8870) is the specific enabler when registration is off.
- Affected versions are Joomla 3.4.4 through 3.6.3; the fix in 3.6.4 removed the vulnerable secondary register function entirely from user.php rather than adding a configuration check.
- If an email server is configured in Joomla, a confirmation email is sent to the attacker-supplied address and the account is disabled by default until activated, which may delay but not prevent exploitation.
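The first two detection items above, written as log-triage logic. This is an added example, not code from this page or from any vendor rule. It assumes JSON-lines events from a WAF or reverse proxy that records the urlencoded POST body; the field names (`method`, `uri`, `body`, `uploaded_path`), the sample events, and the use of `option=com_users` to identify the Users component are assumptions.

```python
import json
import posixpath
from urllib.parse import parse_qsl, urlsplit

# Constructed sample events (JSON lines). Field names are assumptions about
# what a WAF / reverse proxy / file-integrity feed would record.
SAMPLE_EVENTS = """\
{"method":"POST","uri":"/index.php?option=com_users","body":"user%5Bname%5D=a&user%5Bemail1%5D=a%40example.test"}
{"method":"POST","uri":"/index.php?option=com_users","body":"jform%5Bname%5D=b&jform%5Bemail1%5D=b%40example.test"}
{"method":"POST","uri":"/index.php","body":"option=com_users&user%5Busername%5D=c"}
{"method":"GET","uri":"/images/logo.png","body":""}
{"method":"POST","uri":"/administrator/index.php","body":"","uploaded_path":"/images/Banner.PHT"}
{"method":"POST","uri":"/index.php?option=com_content","body":"user%5Bname%5D=d"}
"""

def classify(event):
    """Return the list of finding names raised by one event."""
    findings = []
    url = urlsplit(event.get("uri", ""))
    query = parse_qsl(url.query, keep_blank_values=True)
    body = parse_qsl(event.get("body", ""), keep_blank_values=True)
    # The component selector may arrive in the query string or in the body.
    to_users = ("option", "com_users") in query + body
    # parse_qsl percent-decodes keys, so user%5Bname%5D becomes "user[name]".
    user_array = any(key.startswith("user[") for key, _ in body)
    if event.get("method") == "POST" and to_users and user_array:
        findings.append("user-array-registration")
    # .pht under /images/, case-insensitive; also covers sub-directory installs.
    for path in (url.path, event.get("uploaded_path", "")):
        norm = posixpath.normpath(path) if path else ""
        if "/images/" in norm and norm.lower().endswith(".pht"):
            findings.append("pht-in-images")
            break
    return findings

def scan(lines):
    """Return (line_number, findings) for every event that raised a finding."""
    return [(n, found) for n, line in enumerate(lines.splitlines(), 1)
            if (found := classify(json.loads(line)))]

if __name__ == "__main__":
    for n, found in scan(SAMPLE_EVENTS):
        print(n, ", ".join(found))
```

Standard access logs do not contain POST bodies, so the first rule only works where body parameter names are captured.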
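CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 8.1 | HIGH | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
| vulncheck | — | 8.1 | HIGH | — |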
GHSA
GHSA-f3v8-7jfc-xgvg: The register method in the UsersModelRegistration class in controllers/user
ghsa_unreviewed·2022-05-17
CVE-2016-8870 [HIGH] CWE-20
VulnCheck
Joomla! Joomla! Improper Input Validation
vulncheck·2016·CVSS 8.1
CVE-2016-8870 [HIGH]
Affected: Joomla! Joomla!
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://blog.sucuri.net/2016/10/joomla-mass-exploits-privilege-vulnerability.html
No detection rules found.
Exploit-DB
Joomla! 3.4.4 < 3.6.4 - Account Creation / Privilege Escalation
exploitdb·2016-10-27
CVE-2016-8869
SetHandler application/x-httpd-php
Usage
Choose the username, password and e-mail address to use and point it at the URL for your Joomla website. Use the -x and -s options to customise exploit behaviour; -s searches for the given string in the output after running the PHP file (specified in -x). An example is provided which proves remote code execution.
$ ./joomraa.py -u hacker -p password -e [email protected] http://localhost:8080/joomla
Metasploit
Joomla Account Creation and Privilege Escalation
metasploit
This module creates an arbitrary account with administrative privileges in Joomla versions 3.4.4 through 3.6.3. If an email server is configured in Joomla, an email will be sent to activate the account (the account is disabled by default).
arXiv
On generating network traffic datasets with synthetic attacks for intrusion detection
arxiv_fulltext·2019-05-01
Authors:
- Carlos Garcia Cordero, Technische Universität Darmstadt, Telecooperation Group, Darmstadt, Hessen 64289, Germany
- Emmanouil Vasilomanolakis, Aalborg University, Electronic Systems, Center for Communication, Media and Information technologies, Copenhagen 2450, Denmark
- Aidmar Wainakh
- Max Mühlhäuser, Technische Universität Darmstadt, Telecooperation Group, Darmstadt, Hessen 64289, Germany
- Simin Nadjm-Tehrani, Linköping University, Real-time Systems Laboratory, Linköping S-581 83, Sweden
## Abstract
Most research in the area of intrusion detection requires datasets to develop, evaluate or compare systems in one way or another. In th
Fortinet
Joomla – From Nowhere to High Privilege
blogs_fortinet·2016-10-27·CVSS 9.8
CVE-2016-8870 [CRITICAL]
FORTIGUARD LABS THREAT RESEARCH
By Tien Phan | October 27, 2016
Joomla, a popular free and open-source content management system, just released version 3.6.4 that fixed two critical vulnerabilities:
- [CVE-2016-8870] - Core - Account Creation: attackers can exploit this vulnerability to create any account in a Joomla system regardless of whether its registration has been disabled.
- [CVE-2016-8869] - Core - Elevated Privileges: with the vulnerability above, an attacker not only can register an account in a vulnerable system, but also register with the highest privilege – Administrator.
We took a deeper dive to see how these exploits tick and would like to congratulate Davide Tampellini on his first CVE discovery.
CVE-2016-8870 - From no one to havin
References
- http://www.rapid7.com/db/modules/auxiliary/admin/http/joomla_registration_privesc
- http://www.securityfocus.com/bid/93876
- http://www.securitytracker.com/id/1037107
- http://www.securitytracker.com/id/1037108
- https://blog.sucuri.net/2016/10/details-on-the-privilege-escalation-vulnerability-in-joomla.html
- https://developer.joomla.org/security-centre/659-20161001-core-account-creation.html
- https://github.com/joomla/joomla-cms/commit/bae1d43938c878480cfd73671e4945211538fdcf
- https://medium.com/%40showthread/joomla-3-6-4-account-creation-elevated-privileges-write-up-and-exploit-965d8fb46fa2#.rq4qh1v4r
- https://www.exploit-db.com/exploits/40637/