Joomla is a popular content management system that accounts for almost 3% of all websites on the internet, and it has been downloaded over 84 million times. A static analysis organization called Rips Technologies recently found it to be vulnerable to an LDAP injection vulnerability. This vulnerability was in the Joomla code for over eight years, and the company recently released a patch to remediate the blind LDAP injection.
This type of attack takes place using the login pages of sites that use LDAP for authentication, and it can infiltrate data or applications by abusing entries inserted into the software in an attempt to extract, view or change the data.
An LDAP injection attack, especially a blind one, like what is used in this method, aims to abuse the authentication process of passing credentials to controllers, as an LDAP server stores the username and password of the users in a database. With this particular vulnerability, there's a complete lack of sanitation, enabling an attacker's script to rotate attempts through the login field and slowly extract the credentials of a user -- this is the blind part of the injection, and it is usually aimed at an administrator account to get complete access to the Joomla control panel.
With this vulnerability, an attacker can submit an LDAP injection of query syntax into the login form in an attempt to slowly gain access to the LDAP database one bit request at a time. When the scripted attack runs, it's able to quickly submit multiple login attempts, and it can eventually work through all the possible characters in the credentials until it completes the password. Since this is scripted and aimed at the system's login form, it's able to make quick work of Joomla systems that use LDAP for authentication.
It's probably safe to say that not many Joomla servers use LDAP for authentication, but it's most likely being used somewhere. LDAP is used quite frequently for authentication.
The first thing you should do is review if your site is vulnerable. Anyone running Joomla versions 1.5 through 3.7.5 is vulnerable if they're using LDAP authentication on their unpatched site. However, there was a patch released that specifically addresses this issue, and it can be installed to mitigate this vulnerability.
Using these plug-ins for authentication naturally brings up the topic of using multifactor authentication. Your authentication architecture should no longer rely on systems using single-factor authentication for applications, especially public-facing applications. This process will limit the risk of vulnerabilities or data leaks that can expose data credentials to attackers.
My article at: http://searchsecurity.techtarget.com/answer/LDAP-injection-How-can-it-be-exploited-in-an-attack
AWS Training in Bangalore - Live Online & Classroom
ReplyDeletemyTectra Amazon Web Services (AWS) certification training helps you to gain real time hands on experience on AWS. myTectra offers AWS training in Bangalore using classroom and AWS Online Training globally. AWS Training at myTectra delivered by the experienced professional who has atleast 4 years of relavent AWS experince and overall 8-15 years of IT experience. myTectra Offers AWS Training since 2013 and retained the positions of Top AWS Training Company in Bangalore and India.
IOT Training in Bangalore - Live Online & Classroom
IOT Training course observes iot as the platform for networking of different devices on the internet and their inter related communication. Reading data through the sensors and processing it with applications sitting in the cloud and thereafter passing the processed data to generate different kind of output is the motive of the complete curricula. Students are made to understand the type of input devices and communications among the devices in a wireless media.
The http://rbxgenerator.com/ is an amazing site for the roblox robux game to be played online and it has the robux generator too. As the free robux generator is used to get free robux for the roblox free robux game to paly free.
ReplyDeleteNice post..
ReplyDeleteaws course in BTM
aws training center in BTM
cloud computing courses in BTM
amazon web services training institutes in BTM
best cloud computing institute in BTM
cloud computing training in btm
aws training in btm
aws certification in btm
best aws training in btm
aws certification training in btm
Keep on sharing this blog
ReplyDeleteaws course in Bangalore
aws training center in Bangalore
cloud computing courses in Bangalore
amazon web services training institutes in Bangalore
best cloud computing institute in Bangalore
cloud computing training in Bangalore
aws training in Bangalore
aws certification in Bangalore
best aws training in Bangalore
aws certification training in Bangalore
Information provided by you is very helpful and informative. Keep On updating such information.
ReplyDeletesobha dream gardens bellahalli
its very amazing blog
ReplyDeletejava training in Bangalore
spring training in Bangalore
java training institute in Bangalore
spring and hibernate training in Bangalore
Thank you for sharing the useful blog.
ReplyDeletebest training institute for hadoop in Marathahalli
best big data hadoop training in Marathahalli
hadoop training in Marathahalli
hadoop training institutes in Marathahalli
hadoop course in Marathahalli