^{CVE-2020-35614:}User enumeration vulnerability in Joomla! backend login page

Overview

This vulnerability (CVE-2020-35614) affects Joomla! content management system versions 3.9.0 through 3.9.22. The issue exists in the backend administrator login page where the application processes login attempts. When a login attempt is made, the system provides different responses depending on whether the username exists or not, regardless of password correctness. This difference in behavior allows attackers to systematically test usernames and determine which ones are valid in the system. User enumeration attacks are often precursors to more targeted brute force attacks, as they allow attackers to focus password guessing attempts on known valid accounts.

Remediation

To address this vulnerability, administrators should:

1. Update Joomla! to version 3.9.23 or later, which contains the security patch for this issue
2. If immediate updating is not possible, consider implementing additional security measures:
   • Use a Web Application Firewall (WAF) to detect and block username enumeration attempts
   • Implement IP-based rate limiting for login attempts
   • Enable two-factor authentication for administrator accounts
   • Consider using a security plugin that can hide the administrator login page or change its URL

References

1. Joomla! Security Centre Advisory: https://developer.joomla.org/security-centre/832-20201105-core-user-enumeration-in-backend-login.html
2. Joomla! 3.9.23 Release Notes (containing the fix): https://www.joomla.org/announcements/release-news/5835-joomla-3-9-23-release.html
3. MITRE CVE Entry: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-35614
4. OWASP Information on User Enumeration Attacks: https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/03-Identity_Management_Testing/04-Testing_for_Account_Enumeration_and_Guessable_User_Account