{"id":22281,"date":"2024-10-21T01:07:18","date_gmt":"2024-10-21T08:07:18","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?post_type=vulnerability_notice&p=22281"},"modified":"2024-10-24T01:11:31","modified_gmt":"2024-10-24T08:11:31","slug":"cve-2015-8562","status":"publish","type":"vulnerability_notice","link":"https:\/\/webdev.securin.xyz\/vulnerability-notice\/cve-2015-8562\/","title":{"rendered":"CVE-2015-8562"},"content":{"rendered":"

Description<\/strong><\/h3>\n

A critical vulnerability, identified as CVE-2015-8562, has been detected in Joomla! versions 1.5.x, 2.x, and 3.x before 3.4.6. This vulnerability allows remote attackers to conduct PHP object injection attacks and execute arbitrary PHP code via the HTTP User-Agent header, with instances of exploitation being observed in the wild in December 2015.<\/p>\n


Affected Product(s)<\/strong><\/h3>\n

Joomla! CMS versions 1.5.x, 2.x, and 3.x before 3.4.6<\/p>\n


Technical Details<\/strong><\/h3>\n

The technical details of CVE-2015-8562 highlight a remote code execution vulnerability within Joomla! CMS\u2019s session handling code. This vulnerability stems from improper input sanitization of the User-Agent HTTP header, which becomes problematic when user-supplied data is stored within the database’s session table.<\/p>\n

This vulnerability was active until Joomla! CMS version 3.4.5, prior to the issuance of the patch in version 3.4.6. Joomla! is a widely used open-source content management system (CMS) written in PHP. Leveraging a model-view-controller (MVC) web application framework, Joomla! boasts various features like page caching, RSS feeds, and language internationalization, making it popular for web developers and organizations that need a stable platform for communication and engagement. The vulnerability in question arises from the inadequate filtering of HTTP headers, specifically the User-Agent header.<\/p>\n

This input is vulnerable to serialization injection attacks. PHP object injection generally arises when unsanitized user input is fed into PHP’s `unserialize()` function, allowing attackers to craft the serialized object structure with malicious data. Attackers can execute arbitrary PHP code by crafting the serialized object to contain injected code, which then runs within PHP’s context on the target host. In Joomla!, this vulnerability is notably dangerous since it targets session data stored as PHP objects within the database.<\/p>\n

Additionally, affected Joomla! versions (1.5.0 to 3.4.5) housed a session handling flaw where an attacker could exploit serialized objects, causing them to morph into active PHP code. Consequently, these manipulated session objects allow attackers to execute remote code at the earliest possible opportunity during session handling by Joomla!.<\/p>\n

Several threat actors rapidly capitalized on the CVE-2015-8562 vulnerability. Its simplicity and widespread existence across various PHP versions made it highly desirable. The vulnerability was significant enough that it allowed attackers unfettered access through simple HTTP requests carrying payloads. The severity is further underscored by the fact that attack execution does not hinge on user authentication: a remote attacker could potentially commandeer host machines even without holding site administrative privileges.<\/p>\n

Joomla! CMS installations configured with default session settings left an estimated thousands of hosts exposed globally, as session data for unauthenticated users is not inherently secure. This lack of a refined access control mechanism emphasizes the severity and pervasiveness of the vulnerability. Once patches became available in December 2015 (with the release of Joomla! version 3.4.6), the Joomla! Security Strike Team (JSST) recommended users update their installations immediately.<\/p>\n

This measure effectively mitigated exploits by replacing the faulty session handling mechanisms. Nevertheless, because the vulnerability was already so widely disseminated, CVE-2015-8562 remained a playground for exploitation throughout this timeline. Attackers often opted for targeted payload delivery, using exploitation frameworks like Metasploit for attack propagation, which exemplifies the potential for mass exploitation inherent in this Joomla! vulnerability.<\/p>\n


Weakness<\/strong><\/h3>\n

Three core weaknesses converge within CVE-2015-8562:<\/p>\n