New Vulnerability in Joomla 1.5.x com_user core component.
Hello folks,
A new high-severity security issue has been found in Joomla 1.5.x that allows a remote attacker to change the admin password.
This vulnerability affects many important websites, including NASA, university and institutional sites. The fix isn't out yet (I'm writing it), but a provisional fix can be applied in the meantime to keep out stupid crackers.
How to check if my website is vulnerable:
The proof of concept is very simple; follow these steps:
0x01) Open your browser and go to the URL:
http://www.target.com/index.php?option=com_user&view=reset&layout=confirm
(replace www.target.com with your own website, and remember to add the path if Joomla is installed in a subdirectory, e.g. /joomla/)
0x02) Type the single character ' into the text input box and click OK.
(If you then see a text input box for a new password, you are vulnerable.)
0x03) You can now type a new password for admin into that text input.
0x04) Go to http://www.target.com/administrator/ and try to log in.
How to apply the provisional fix:
This isn't a real fix, but it will keep out stupid crackers. Follow these steps if you turn out to be vulnerable.
0x01) Log in to the admin panel and go to the user management panel.
0x02) Create a new Super Administrator user and log out of the admin panel.
0x03) Log in to the admin panel with the new user and go to the user management panel.
0x04) Remove all privileges from the old admin (switch its group to Registered) and disable that user.
Vulnerable code:
/components/com_user/controller.php
Lines 379-399:
function confirmreset()
{
    // Check for request forgeries
    JRequest::checkToken() or die( 'Invalid Token' );

    // Get the input
    $token = JRequest::getVar('token', null, 'post', 'alnum');

    // Get the model
    $model = &$this->getModel('Reset');

    // Verify the token
    if ($model->confirmReset($token) === false)
    {
        $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
        $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
        return false;
    }

    $this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
}
/components/com_user/models/reset.php
Lines 111-130:
function confirmReset($token)
{
    global $mainframe;
    $db = &JFactory::getDBO();
    $db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));

    // Verify the token
    if (!($id = $db->loadResult()))
    {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }

    // Push the token and user id into the session
    $mainframe->setUserState($this->_namespace.'token', $token);
    $mainframe->setUserState($this->_namespace.'id', $id);
    return true;
}
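The two functions above, modelled in Python as an added example (this is not the page's or Joomla's own code): the 'alnum' filter reduces a submitted token of ' to the empty string, and the query then matches any unblocked account whose activation column is empty, which (an assumption modelled on Joomla 1.5's schema) is every activated account, lowest id first. The hardened variant rejects any token that is not a 32-character hex hash before querying, and the sample rows are constructed; the model also shows why the provisional fix above only shifts the match to the next unblocked account.

```python
import re
import sqlite3

# Constructed sample of Joomla's #__users table (not real data). Assumption:
# activated accounts carry an empty activation value, and a pending password
# reset stores a 32-char md5 token there, as in Joomla 1.5.
SAMPLE_USERS = [
    (62, "admin", 0, ""),                                   # activated Super Administrator
    (63, "editor", 0, ""),                                  # activated editor
    (64, "pending", 0, "7f3a1c9e2b4d5f6a8c9e0b1d2f3a4b5c"),  # reset token issued
    (65, "blocked", 1, ""),                                 # disabled account
]

def filter_alnum(value):
    """Mimic JRequest's 'alnum' filter: keep only [A-Za-z0-9], so "'" becomes ""."""
    return re.sub(r"[^A-Za-z0-9]", "", value)

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, block INTEGER, activation TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?, ?)", SAMPLE_USERS)
    return db

def disable_user(db, user_id):
    """The provisional fix from the post: block the old admin account."""
    db.execute("UPDATE users SET block = 1 WHERE id = ?", (user_id,))

def confirm_reset_vulnerable(db, raw_token):
    """Logic of the page's confirmReset(): filter, then match activation.
    An emptied token matches every activated account; the lowest id wins."""
    token = filter_alnum(raw_token)
    row = db.execute("SELECT id FROM users WHERE block = 0 AND activation = ? ORDER BY id",
                     (token,)).fetchone()   # ORDER BY only makes the result deterministic
    return row[0] if row else None

def confirm_reset_hardened(db, raw_token):
    """Added check: accept only a well-formed 32-char hex token, so an empty
    or mangled value is rejected before it ever reaches the query."""
    token = filter_alnum(raw_token)
    if not re.fullmatch(r"[0-9a-f]{32}", token):
        return None
    row = db.execute("SELECT id FROM users WHERE block = 0 AND activation = ?",
                     (token,)).fetchone()
    return row[0] if row else None
```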
Security Fix:
I'm working on writing it; I will release it shortly.
Hope there will be a fix soon!
Comment by Nils — August 13, 2008 @ 10:13 am
Still no fix?
Comment by duru — September 15, 2008 @ 11:32 am