CVE-2018-14592
📋 TL;DR
This SQL injection vulnerability in the CW Article Attachments extensions (PRO and FREE) for Joomla! lets unauthenticated remote attackers execute arbitrary SQL commands through the component's front-end download.php. It affects Joomla sites running CW Article Attachments PRO before 2.0.7 or FREE before 1.0.6, and a successful injection can read any table the Joomla database account can reach, including user credentials and configuration data, or alter database contents.
💻 Affected Systems
- CW Article Attachments PRO
- CW Article Attachments FREE
📦 What is this software?
CW Article Attachments is a Joomla! component from cwjoomla.com, offered as a paid PRO edition and a FREE edition, that lets site editors attach downloadable files to articles. download.php under components/com_cwarticleattachments is the public handler that serves those files to visitors, which is why it is reachable without logging in.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Joomla database: theft of every table, escalation to Super User by reading or rewriting password hashes in the users table, and, where the database account holds the MySQL FILE privilege and the server allows it, writing a web shell to the document root with SELECT ... INTO OUTFILE for remote code execution.
Likely Case
Unauthorized data extraction from the Joomla database including user credentials, sensitive content, and configuration data.
If Mitigated
Limited impact where the Joomla database account is confined to the site's own schema without FILE or SUPER privileges and a WAF blocks injection patterns on download.php. Note that read access to the Joomla database remains possible until the extension is updated; mitigations only narrow what an attacker can do with it.
🎯 Exploit Status
Exploit code is publicly available and requires no authentication.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: PRO: 2.0.7+, FREE: 1.0.6+
Vendor Advisory: http://www.cwjoomla.com/download-cw-article-attachments
Restart Required: No
Instructions:
1. Log into the Joomla admin panel.
2. Navigate to Extensions > Manage > Update.
3. Update the CW Article Attachments extension to the latest version.
4. Alternatively, download the package from the vendor site and install it manually via Extensions > Manage > Install.
🔧 Temporary Workarounds
Disable download.php
Linux: temporarily move the vulnerable file out of the way. This breaks every attachment download on the site until the file is restored or the extension is updated, and the rename is undone if the extension is reinstalled. Prefer moving the file outside the web root over renaming it in place: depending on how the PHP handler is mapped, a .php.disabled file may be served as plain text (source disclosure) or, with Apache multiple-extension handling, still executed.
mv components/com_cwarticleattachments/download.php components/com_cwarticleattachments/download.php.disabled
Web Application Firewall Rule
All platforms: block SQL injection patterns in requests to download.php. The rule below is chained on REQUEST_FILENAME so it inspects only download.php rather than denying every request on the site that carries a quote character; @detectSQLi (libinjection) requires ModSecurity 2.7.4 or later.
ModSecurity rule:
SecRule REQUEST_FILENAME "@endsWith /download.php" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt on download.php',chain"
    SecRule ARGS "@detectSQLi" "t:urlDecodeUni"
🧯 If You Can't Patch
- If download.php must stay live, hardening it yourself means the fix a patch would make: cast the attachment identifier to an integer (for example with Joomla's $app->input->getInt()) or bind it as a prepared-statement parameter, and reject any other value with a 400 before it reaches a query
- Joomla uses a single database account for every extension, so permissions cannot be restricted per extension, and SELECT-only would break the site (sessions and logins need INSERT/UPDATE). Instead confine that account to the site's own schema and revoke FILE, SUPER, PROCESS and GRANT OPTION, which caps a successful injection at reading the Joomla database rather than writing files or reaching other schemas
🔍 How to Verify
Check if Vulnerable:
Check Joomla extensions manager for CW Article Attachments version. PRO versions <2.0.7 or FREE versions <1.0.6 are vulnerable.
Check Version:
Check Joomla admin panel: Extensions > Manage > Manage
Verify Fix Applied:
Confirm extension version is PRO 2.0.7+ or FREE 1.0.6+ in Joomla admin panel.
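When checking many sites, the version comparison is easier to script than to read off the admin panel. Joomla keeps each installed extension's manifest as JSON in the manifest_cache column of the #__extensions table (the prefix varies per site), and the "version" key there is what the admin panel displays. The following added example, not code from the advisory or the vendor, parses that JSON and compares against the fixed versions as integer tuples; a plain string comparison would wrongly treat a hypothetical "2.0.10" as older than "2.0.7". The sample rows are constructed, and the edition must be supplied by the caller because the page does not document how the PRO and FREE manifests are named.

```python
"""Check whether an installed CW Article Attachments edition is below the fixed version."""
import json
import re

# Fixed versions from the advisory: PRO 2.0.7, FREE 1.0.6.
FIXED = {"PRO": (2, 0, 7), "FREE": (1, 0, 6)}

# Constructed sample rows as they would come back from
#   SELECT manifest_cache FROM <prefix>_extensions WHERE element LIKE '%cwarticleattachments%'
# The edition labels and the version values are illustrative assumptions.
SAMPLE_ROWS = [
    ("PRO", '{"name": "CW Article Attachments PRO", "type": "component", "version": "2.0.10"}'),
    ("FREE", '{"name": "CW Article Attachments", "type": "component", "version": "1.0.5"}'),
]


def parse_version(text):
    """'2.0.10' -> (2, 0, 10). Tuple comparison avoids the lexical trap '2.0.10' < '2.0.7'."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no version digits in {text!r}")
    return tuple(int(n) for n in nums)


def is_vulnerable(edition, version):
    """True when the installed version is strictly below the fix for that edition."""
    edition = edition.upper()
    if edition not in FIXED:
        raise ValueError(f"unknown edition {edition!r}")
    return parse_version(version) < FIXED[edition]


def check_manifest_cache(edition, manifest_json):
    """Read the version out of a manifest_cache JSON blob; returns (version, vulnerable)."""
    version = json.loads(manifest_json)["version"]
    return version, is_vulnerable(edition, version)


if __name__ == "__main__":
    for edition, blob in SAMPLE_ROWS:
        version, vuln = check_manifest_cache(edition, blob)
        print(f"{edition} {version}: {'VULNERABLE' if vuln else 'fixed'}")
```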
📡 Detection & Monitoring
Log Indicators:
- MySQL general or slow query log entries from the Joomla database account containing UNION SELECT, SLEEP(), BENCHMARK() or information_schema lookups
- Bursts of requests to download.php from a single source whose parameters carry quotes, comment markers (--, /*, #) or SQL keywords
- PHP or web server error logs with MySQL syntax errors ("You have an error in your SQL syntax") referencing download.php, which a UNION-based attempt with the wrong column count produces
Network Indicators:
- HTTP requests to download.php containing SQL keywords (UNION, SELECT, etc.)
- Abnormal parameter patterns in download.php requests
SIEM Query:
source="web_logs" AND uri="*download.php*" AND (param="*UNION*" OR param="*SELECT*" OR param="*FROM*" OR param="*WHERE*")
URL-decode the request and match case-insensitively before applying this pattern; attackers routinely send mixed case or double-encoded keywords that a literal match misses. A non-numeric value in the attachment identifier parameter is a stronger signal than any keyword list, since a legitimate download request carries only an integer.
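The indicators above, as an added example rather than anything from the advisory: a small detector that reads Apache combined-format access log lines, keeps only requests to download.php, repeatedly percent-decodes each parameter so double-encoded payloads are examined in the clear, and flags both SQL-like tokens and non-integer values for the attachment identifier. The log lines are constructed samples, and the request path and the "id" parameter name are assumptions for illustration, not details taken from the page.

```python
"""Flag SQL-injection attempts against download.php in web server access logs."""
import re
from collections import Counter
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed sample lines in Apache "combined" format; not real traffic.
# The component path and the "id" parameter are assumptions for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jul/2018:10:01:02 +0000] "GET /components/com_cwarticleattachments/download.php?id=42 HTTP/1.1" 200 8121 "-" "Mozilla/5.0"
203.0.113.11 - - [12/Jul/2018:10:01:07 +0000] "GET /components/com_cwarticleattachments/download.php?id=42%20UNION%20SELECT%201,2,3,4 HTTP/1.1" 500 512 "-" "sqlmap/1.2"
203.0.113.11 - - [12/Jul/2018:10:01:09 +0000] "GET /components/com_cwarticleattachments/download.php?id=42%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 0 "-" "sqlmap/1.2"
203.0.113.11 - - [12/Jul/2018:10:01:11 +0000] "GET /components/com_cwarticleattachments/download.php?id=42%2520oR%25201%253d1 HTTP/1.1" 200 8121 "-" "sqlmap/1.2"
203.0.113.12 - - [12/Jul/2018:10:02:00 +0000] "GET /index.php?option=com_content&view=article&id=7%20UNION%20SELECT%201 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Keywords, comment markers, quotes and the classic "or 1=1" tautology.
SQL_TOKENS = re.compile(
    r"\b(union|select|from|where|sleep|benchmark|information_schema|concat|load_file|outfile)\b"
    r"|(--|/\*|#|'|\"|\bor\b\s+\d+\s*=\s*\d+)",
    re.IGNORECASE,
)

NUMERIC_PARAMS = {"id"}  # assumed: the attachment identifier should be a plain integer


def decode_fully(value, rounds=3):
    """Percent-decode until stable so double-encoded payloads are inspected in the clear."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_line(line):
    """Return a finding for a suspicious download.php request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/download.php"):
        return None  # out of scope for this detector
    reasons = []
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_fully(raw)
        if name in NUMERIC_PARAMS and not re.fullmatch(r"\d+", value):
            reasons.append(f"non-numeric {name}={value!r}")
        if SQL_TOKENS.search(value):
            reasons.append(f"sql-like {name}={value!r}")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "ts": m.group("ts"), "status": m.group("status"),
            "ua": m.group("ua"), "reasons": reasons}


def scan(log_text):
    """Scan a whole log; returns the findings and a per-source count of attempts."""
    findings = [f for f in (inspect_line(l) for l in log_text.splitlines()) if f]
    return findings, Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    found, per_ip = scan(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["ip"], f["status"], f["ua"], "; ".join(f["reasons"]))
    for ip, n in per_ip.items():
        if n >= 3:
            print(f"{ip}: {n} injection attempts against download.php")
```

The 500 on the UNION attempt and the zero-byte 200 on the SLEEP() attempt are the log-side counterparts of the syntax-error and timing indicators listed above; the index.php line is deliberately not flagged because this detector is scoped to download.php.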