A variable overwrite vulnerability exists in the Joomla user registration process: the request data is merged over the model's default data key by key, so an attacker who adds a groups key to the registration form can register an account directly into the Administrator group.
Detailed description:
components/com_users/controllers/registration.php

public function register()
{
    // Check the CSRF token
    JRequest::checkToken() or jexit(JText::_('JINVALID_TOKEN'));
    ......
    // Initialise the application and the registration model
    $app   = JFactory::getApplication();
    $model = $this->getModel('Registration', 'UsersModel');

    // Fetch the registration data: the whole jform array is read from POST here,
    // and nothing restricts which keys it may contain
    $requestData = JRequest::getVar('jform', array(), 'post', 'array');
    ......
    // Validate the data
    $data = $model->validate($form, $requestData);
    ......
    // Hand the data to the model's register() method for further processing
    $return = $model->register($data);
    ......
    // After the steps above, redirect according to the activation mode
    if ($return === 'adminactivate') {
        $this->setMessage(JText::_('COM_USERS_REGISTRATION_COMPLETE_VERIFY'));
        $this->setRedirect(JRoute::_('index.php?option=com_users&view=registration&layout=complete', false));
    } elseif ($return === 'useractivate') {
        $this->setMessage(JText::_('COM_USERS_REGISTRATION_COMPLETE_ACTIVATE'));
        $this->setRedirect(JRoute::_('index.php?option=com_users&view=registration&layout=complete', false));
    } else {
        $this->setMessage(JText::_('COM_USERS_REGISTRATION_SAVE_SUCCESS'));
        $this->setRedirect(JRoute::_('index.php?option=com_users&view=login', false));
    }
components/com_users/models/registration.php

public function getData()
{
    if ($this->data === null) {
        $this->data = new stdClass();
        $app    = JFactory::getApplication();
        $params = JComponentHelper::getParams('com_users');
        ......
        /* The default group id for new users is 2 (Registered). The Joomla group tree looks like this:
        mysql> select * from ilpy2_usergroups;
        +----+-----------+-----+-----+--------------------------+
        | id | parent_id | lft | rgt | title                    |
        +----+-----------+-----+-----+--------------------------+
        |  1 |         0 |   1 |  20 | Public                   |
        |  2 |         1 |   6 |  17 | Registered               |
        |  3 |         2 |   7 |  14 | Author                   |
        |  4 |         3 |   8 |  11 | Editor                   |
        |  5 |         4 |   9 |  10 | Publisher                |
        |  6 |         1 |   2 |   5 | Manager                  |
        |  7 |         6 |   3 |   4 | Administrator            |
        |  8 |         1 |  18 |  19 | Super Users              |
        | 12 |         2 |  15 |  16 | Customer Group (Example) |
        | 10 |         3 |  12 |  13 | Shop Suppliers (Example) |
        +----+-----------+-----+-----+--------------------------+
        */
        // Default new user group, Registered (2) unless configured otherwise
        $system = $params->get('new_usertype', 2);
        $this->data->groups[] = $system;
        ......
public function register($temp)
{
    $config = JFactory::getConfig();
    $db     = $this->getDbo();
    $params = JComponentHelper::getParams('com_users');

    // Initialise the table with JUser.
    $user = new JUser;

    // Note that the default data (including groups) is fetched before the
    // registration data is merged over it
    $data = (array) $this->getData();

    // Merge in the registration data: every key of the request overwrites
    // the corresponding default, groups included
    foreach ($temp as $k => $v) {
        $data[$k] = $v;
    }
    ......
    // Bind the merged data to the user object
    if (!$user->bind($data)) {
        $this->setError(JText::sprintf('COM_USERS_REGISTRATION_BIND_FAILED', $user->getError()));
        return false;
    }

    // Load the users plugin group.
    JPluginHelper::importPlugin('user');

    // Save the user
    if (!$user->save()) {
        $this->setError(JText::sprintf('COM_USERS_REGISTRATION_SAVE_FAILED', $user->getError()));
        return false;
    }
libraries/joomla/user.php

public function save($updateOnly = false)
{
    $table = $this->getTable();
    $this->params = (string) $this->_params;

    // $this->getProperties() carries the merged registration data, groups included
    $table->bind($this->getProperties());
    ......
    // Joomla does enforce one rule here: only Super Users may create or operate on
    // Super User accounts. The escalation is therefore not total; the highest group
    // reachable through registration is Administrator, id 7 in the tree above.
    $iAmSuperAdmin = $my->authorise('core.admin');

    // We are only worried about edits to this account if I am not a Super Admin.
    if ($iAmSuperAdmin != true)
    {
        if ($isNew)
            // ... the rest of the method is too long to follow here
Proof of vulnerability:
Because groups is initialised to array(2), i.e. Registered, the attacker adds a nested array to the submitted registration data: jform[groups][]=7. The foreach merge in register() then overwrites the groups array with array(7), and the new account is saved as a member of the Administrator group.
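The following stand-alone PHP is an added example, not Joomla's own code. It models the merge performed in register() and the Super Admin guard in JUser::save() so the effect of jform[groups][]=7 can be seen without a Joomla install, and places a hardened merge beside the vulnerable one. The function names, the field allow-list and the $superAdminGroups table standing in for JAccess::checkGroup($groupId, 'core.admin') are assumptions made for illustration.

```php
<?php
// Added example (not Joomla's code): the registration merge, vulnerable and
// hardened, plus the guard that keeps the escalation short of Super Users.
// All names and the core.admin group table below are assumptions.

// Default data, as getData() builds it: groups comes from the
// new_usertype parameter (2 = Registered by default).
function defaultData(int $newUsertype = 2): array
{
    return ['name' => '', 'username' => '', 'email1' => '', 'password1' => '',
            'groups' => [$newUsertype]];
}

// Vulnerable merge: every key of the request overwrites the default,
// including keys the registration form never defined.
function mergeVulnerable(array $requestData, int $newUsertype = 2): array
{
    $data = defaultData($newUsertype);
    foreach ($requestData as $k => $v) {
        $data[$k] = $v;
    }
    return $data;
}

// Hardened merge: copy only the fields the form declares (assumed list), then
// assign the group list from configuration after the loop so nothing in the
// request can influence it.
function mergeHardened(array $requestData, int $newUsertype = 2): array
{
    $allowed = ['name', 'username', 'email1', 'email2', 'password1', 'password2'];
    $data = defaultData($newUsertype);
    foreach ($requestData as $k => $v) {
        if (in_array($k, $allowed, true)) {
            $data[$k] = $v;
        }
    }
    $data['groups'] = [$newUsertype];
    return $data;
}

// Assumed stand-in for JAccess::checkGroup($groupId, 'core.admin'):
// in the default group tree only Super Users (8) hold core.admin.
function groupHasCoreAdmin(int $groupId): bool
{
    $superAdminGroups = [8];
    return in_array($groupId, $superAdminGroups, true);
}

// Mirrors the guard in JUser::save() for a non-Super-Admin caller creating a
// new user: groups carrying core.admin are rejected, anything else passes,
// which is why Administrator (7) gets through but Super Users (8) does not.
function saveAllowed(array $data): bool
{
    foreach ($data['groups'] as $groupId) {
        if (groupHasCoreAdmin((int) $groupId)) {
            return false;
        }
    }
    return true;
}

// Constructed request, as the browser sends it for
// jform[name]=...&jform[groups][]=7
$request = [
    'name'      => 'attacker',
    'username'  => 'attacker',
    'email1'    => 'attacker@example.invalid',
    'password1' => 'hunter2',
    'groups'    => ['7'],
];

$vuln = mergeVulnerable($request);
$safe = mergeHardened($request);

printf("vulnerable merge -> groups=%s, save allowed: %s\n",
    json_encode($vuln['groups']), saveAllowed($vuln) ? 'yes' : 'no');
printf("hardened merge   -> groups=%s\n", json_encode($safe['groups']));

// Super Users is the one group the guard stops, even through the vulnerable merge.
$request['groups'] = ['8'];
printf("vulnerable merge with groups=[8], save allowed: %s\n",
    saveAllowed(mergeVulnerable($request)) ? 'yes' : 'no');
```

Run it with php on the command line: the vulnerable merge reports groups=["7"] and a permitted save, the hardened merge keeps groups=[2] regardless of what the request carries, and a request for group 8 is refused by the guard in both cases. The point of the hardened variant is that the group list is decided after the merge from configuration alone, so the fix does not depend on filtering the request at all.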
Solution:
The concrete fix is to never let keys from the request decide the group list: copy only the fields the registration form defines, and assign groups from the new_usertype parameter after the merge rather than before it.
More generally, as programs mature the old "loose filtering" and "filter bypass" issues are giving way to problems like uninitialised variables and variable overwrite. Besides filtering and restricting input, do programmers consider the other things that need attention?
Author: milk Tank