Title: Joomla! session id not hashed Author: Blazej Adamczyk (br0x) Date: 2015-06-30 Download site: https://github.com/joomla/joomla-cms/releases/download/3.6.2/Joomla_3.6.2-Stable-Full_Package.zip Version: 3.6.2 and below Vendor: https://www.joomla.org/ Vendor Notified: 2016-09-20 Vendor Contact: https://www.joomla.org/ CVSS: 6.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H) Description: The session_ids for all joomla users are stored in plaintext in the “prefix_session” table. This allows the attacker to exploit an SQLi to retrieve the session id and access Joomla! backend with user (victim) privileges. The session_id cookie value should not be stored in the database. A cryptographic hash function should be used instead and the real cookie should be known only to the user. On each request Joomla should compare the hash of the cookie with the value stored in db. This is a well known vector for gaining code execution having only an SQL injection vulnerability in Joomla! sites. For example, some MSF modules use it to gain code execution (e.g. joomla_contenthistory_sqli_rce). The aim of this diclosure is to attract the attention of Joomla! community/developers and start a dicussion for a proper fix.