CVE-2017-18345

9.8 CRITICAL

📋 TL;DR

CVE-2017-18345 is an arbitrary file download vulnerability in the Joomanager component for Joomla! that allows unauthenticated attackers to download sensitive files, including the configuration.php file containing database credentials. This affects all Joomla! installations using Joomanager component version 2.0.0 or earlier. Attackers can exploit this to steal database credentials and potentially compromise the entire Joomla! installation.

💻 Affected Systems

Products:
  • Joomla! with Joomanager component
Versions: Joomanager component version 2.0.0 and earlier
Operating Systems: All operating systems running Joomla!
Default Config Vulnerable: ⚠️ Yes
Notes: All Joomla! installations with the vulnerable Joomanager component are affected regardless of Joomla! version or configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the Joomla! installation including database takeover, website defacement, data theft, and potential server compromise if database credentials have elevated privileges.

🟠 Likely Case

Database credential theft leading to unauthorized database access, data exfiltration, and potential privilege escalation within the Joomla! application.

🟢 If Mitigated

Limited impact if database credentials are properly secured with minimal privileges and network access restrictions, though sensitive configuration files may still be exposed.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via unauthenticated HTTP requests, making internet-facing Joomla! installations with Joomanager extremely vulnerable.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but require network access; risk is lower than internet-facing systems but still significant.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a simple HTTP GET request to the vulnerable endpoint. Multiple public exploit scripts are available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Joomanager component version after 2.0.0

Vendor Advisory: https://vel.joomla.org/vel-blog/2020-joomanager-2-0-0-other

Restart Required: No

Instructions:

1. Log into the Joomla! administrator panel.
2. Navigate to Extensions > Manage > Update.
3. Update the Joomanager component to the latest version.
4. Alternatively, manually download and install the updated component from the official Joomla! extensions directory.

🔧 Temporary Workarounds

Remove Joomanager component

Applies to: all

Completely uninstall the vulnerable Joomanager component if it is not required.

Navigate to Joomla! administrator > Extensions > Manage > Manage > select Joomanager > Uninstall

Restrict access to vulnerable endpoint

Applies to: all

Use web server rules to block requests whose query string selects the Joomanager component. Note that neither Apache's RewriteRule pattern nor Nginx's location block matches the query string, so the check has to be made against the query parameters explicitly:

For Apache (in .htaccess or the vhost, after RewriteEngine On):
RewriteCond %{QUERY_STRING} (^|&)option=com_joomanager(&|$) [NC]
RewriteRule ^index\.php$ - [F,L]
For Nginx (inside the location that already handles index.php):
if ($arg_option = "com_joomanager") { return 403; }

🧯 If You Can't Patch

  • Immediately remove or disable the Joomanager component from all Joomla! installations
  • Implement strict network access controls to limit access to Joomla! administration interfaces and monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check whether the Joomanager component is installed and whether its version is 2.0.0 or earlier via the Joomla! administrator panel under Extensions > Manage

Check Version:

Check Joomla! administrator panel: Extensions > Manage > Search for 'joomanager'

Verify Fix Applied:

Verify Joomanager component version is updated beyond 2.0.0 and test that the vulnerable URL returns an error or is inaccessible

📡 Detection & Monitoring

Log Indicators:

  • HTTP GET requests containing 'index.php?option=com_joomanager&controller=details&task=download&path='
  • Access to configuration.php file from unexpected sources
  • Failed database login attempts following file access

Network Indicators:

  • Unusual outbound database connections from web server
  • Traffic patterns matching exploit payloads to vulnerable endpoint

SIEM Query:

source="web_server_logs" AND uri="*index.php?option=com_joomanager*" AND uri="*task=download*"
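A small scanner for the log indicator above, added here as an example (it is not part of the original advisory and not a vendor tool). It assumes Apache/Nginx combined log format and runs over constructed sample lines; it flags every download request to the component and records whether the server actually served the file (HTTP 200) or blocked it (e.g. 403 from the workaround rule).

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client ip, identity, user, [timestamp], "request line", status, bytes.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not real traffic). Lines 2 and 4 match the indicator;
# line 2 was served (200), line 4 was blocked (403) by a web server rule.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "GET /index.php?option=com_content&view=article&id=3 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Mar/2024:12:00:07 +0000] "GET /index.php?option=com_joomanager&controller=details&task=download&path=configuration.php HTTP/1.1" 200 2311
198.51.100.2 - - [10/Mar/2024:12:01:00 +0000] "GET /index.php?option=com_joomanager&controller=details&view=list HTTP/1.1" 200 8000
203.0.113.9 - - [10/Mar/2024:12:02:15 +0000] "GET /index.php?option=com_joomanager&controller=details&task=download&path=configuration.php HTTP/1.1" 403 199
"""


def parse_line(line):
    """Return the parsed fields plus the decoded query parameters, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    # parse_qs also decodes percent-encoding, so URL-encoded variants still match.
    entry["query"] = parse_qs(urlsplit(entry["uri"]).query)
    return entry


def is_joomanager_download(entry):
    """True when the request targets the Joomanager download task (case-insensitive values)."""
    q = entry["query"]
    option = [v.lower() for v in q.get("option", [])]
    task = [v.lower() for v in q.get("task", [])]
    return "com_joomanager" in option and "download" in task


def scan_log(text):
    """Return one finding per matching request, noting the requested path and whether it was served."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry and is_joomanager_download(entry):
            findings.append({
                "ip": entry["ip"],
                "ts": entry["ts"],
                "status": int(entry["status"]),
                "path": entry["query"].get("path", [""])[0],
                "served": entry["status"] == "200",
            })
    return findings
```

A served finding whose path names configuration.php should be treated as a credential disclosure and trigger a database password rotation, not just an alert.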

🔗 References
