CVE-2018-17384 – This CVE describes a SQL injection vulnerabilit... (How to Fix)

Q: What is the severity of CVE-2018-17384?

CVE-2018-17384 has a CVSS score of 9.8 (CRITICAL). This CVE describes a SQL injection vulnerability in the Swap Factory 2.2.1 component for Joomla! CMS. Attackers can exploit the filter_order_Dir or filter_order parameters to execute arbitrary SQL commands on the database. All Joomla! installations using the vulnerable Swap Factory component are affected.

📋 TL;DR

This CVE describes a SQL injection vulnerability in the Swap Factory 2.2.1 component for Joomla! CMS. Attackers can exploit the filter_order_Dir or filter_order parameters to execute arbitrary SQL commands on the database. All Joomla! installations using the vulnerable Swap Factory component are affected.

💻 Affected Systems

Products:

Joomla! Swap Factory Component

Versions: 2.2.1

Operating Systems: All platforms running Joomla!

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects Joomla! installations with the Swap Factory component installed. The vulnerability is in the component itself, not core Joomla!.

📦 What is this software?

Swap Factory by Thephpfactory

View all CVEs affecting Swap Factory →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise allowing data theft, modification, or deletion; potential privilege escalation to administrative access; possible remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized data access and extraction from the Joomla! database, including user credentials, sensitive content, and configuration data.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection execution.

🌐 Internet-Facing: HIGH - The vulnerability is exploitable via web requests and public proof-of-concept code exists.

🏢 Internal Only: MEDIUM - Still exploitable by authenticated users or attackers who gain internal network access.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: CONFIRMED

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Multiple public exploit scripts are available, making this easily exploitable by attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to latest Swap Factory version or remove component

Vendor Advisory: https://www.joomla.org/announcements/release-news/

Restart Required: No

Instructions:

1. Log into Joomla! admin panel. 2. Navigate to Extensions > Manage. 3. Search for Swap Factory. 4. Update to latest version or uninstall if not needed. 5. Verify component is removed or updated.

🔧 Temporary Workarounds

Input Validation Filter

all

Implement input validation for filter_order_Dir and filter_order parameters to only accept expected values

Modify component PHP files to validate/sanitize these parameters

WAF Rule

all

Deploy web application firewall rules to block SQL injection attempts targeting these parameters

Add WAF rule: Detect SQL patterns in filter_order_Dir and filter_order parameters

🧯 If You Can't Patch

Remove or disable the Swap Factory component entirely from Joomla! installation
Implement network-level restrictions to limit access to affected Joomla! instances

🔍 How to Verify

Check if Vulnerable:

Check Joomla! extensions list for Swap Factory version 2.2.1 via admin panel or examine /components/com_swapfactory/ directory

Check Version:

Check Joomla! Extensions Manager or examine component manifest.xml file

Verify Fix Applied:

Confirm Swap Factory component is either removed or updated to version >2.2.1, then test parameter injection attempts fail

📡 Detection & Monitoring

Log Indicators:

SQL error messages in Joomla! logs
Unusual database queries containing filter_order_Dir or filter_order parameters
Multiple failed login attempts following SQL errors

Network Indicators:

HTTP requests with SQL injection payloads in filter_order_Dir or filter_order parameters
Unusual database connection patterns from web server

SIEM Query:

source="joomla_logs" AND ("filter_order_Dir" OR "filter_order") AND (sql OR union OR select)

📊 Metadata

CVE ID: CVE-2018-17384

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: September 28, 2018

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/149529/Joomla-Swap-Factory-2.2.1-SQL-Injection.html Exploit,Third Party Advisory,VDB Entry
https://www.exploit-db.com/exploits/45473/ Exploit,Third Party Advisory,VDB Entry
http://packetstormsecurity.com/files/149529/Joomla-Swap-Factory-2.2.1-SQL-Injection.html Exploit,Third Party Advisory,VDB Entry
https://www.exploit-db.com/exploits/45473/ Exploit,Third Party Advisory,VDB Entry

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-17384, you might also want to check these: