Howto fix Joomla 1.5 hacking (token admin password reset exploit)

Posted by HostsVault | Posted in How-To's | Posted on 24-05-2009-05-2008


Ever found your account suddenly hacked through a direct FTP login, with no trial-and-error attempts, as if the hacker already knew your password? If you have Joomla installed, it is time to upgrade your Joomla installation. You are safe if your Joomla installation is 1.5.6 or higher; for exploit details check here or here.

The exploit is based on SQL injection: it simply bypasses the token entry page, bringing you straight to the change-admin-password page, and voila, you are done changing the administrator password.

Combine this with the Joomla FTP layer and the hacker will be able to grab the whole account's password if the user stored it there. Here are several approaches to resolve this issue:

Using mod_security version 2.0:

SecRule ARGS:task "confirmreset" chain
SecRule REQUEST_BODY "!token=([a-z0-9]{32})"

Using mod_security version 1.0:

SecFilterSelective ARG_task "confirmreset" chain
SecFilterSelective POST_PAYLOAD "!token=([a-z0-9]{32})"

Or by patching Joomla itself: edit the file components/com_user/models/reset.php.
After global $mainframe; on line 113 of reset.php, add:

// Reject any token that is not the expected 32-character md5 string
if (strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}

Now you should be safe from this exploit.
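As an added illustration (not from the original post or from Joomla's own code), the standalone PHP script below contrasts the length-only check above with a strict 32-character alphanumeric check matching the mod_security regex, run over a few constructed token values:

```php
<?php
// Added example, not Joomla's code: strict validation of a password-reset token.
// Joomla's reset token is a 32-character md5 string, so anything else is rejected
// before it ever reaches the database query.

function is_valid_reset_token($token)
{
    // Exactly 32 lowercase alphanumeric characters: no empty value, no quotes,
    // no SQL comment markers. A length-only check would accept a 32-character
    // string that begins with a quote.
    return is_string($token) && preg_match('/^[a-z0-9]{32}$/', $token) === 1;
}

// Constructed sample inputs for demonstration.
$samples = array(
    md5('demo'),                  // well-formed token
    '',                           // empty token
    "'",                          // single quote
    "'" . str_repeat('-', 31),    // 32 characters, but contains a quote
);

foreach ($samples as $t) {
    printf("%-36s length=%2d strlen-only=%-4s strict=%s\n",
        var_export($t, true),
        strlen($t),
        strlen($t) == 32 ? 'pass' : 'fail',
        is_valid_reset_token($t) ? 'pass' : 'fail');
}
```

Run it with the PHP CLI; only the md5 value passes the strict check, while the quote-prefixed 32-character string passes the length-only check.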

Comments posted (5)

Small correction; the correct code should be:

$token = mysql_real_escape_string($token);
if (strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}


Figure this: the token ‘——–(…) would be 32 chars long. Since — is the starter for a comment in MySQL, that is ignored. Thus strlen($token) returns 32, while it is still "seen" in the query as ‘.

Solution:

$token = mysql_real_escape_string($token);
if (strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}


I had this problem. I upgraded to 1.5.6, but after 2 days it happened again. I checked reset.php and your suggested code is already there. Seems it's not working, or hackers have bypassed this too. Any idea?


This is addressed in the latest version of Joomla, and yet they are still able to reset and hack the site.


Wow, great content. I will do this. Thanks.
