Joomla - Token Password Reset Exploit and SQL Injection
One of our clients purchased a Linux dedicated server and runs sites using Joomla, which have been found to be hacked one or more times.
Upon investigation, this was because the patch was not found on the Joomla installation.
To prevent this at the firewall level and help stop Joomla installations from being hacked, implement the following mod_security rules on the dedicated server:
# Joomla null token password reset exploit
SecFilterSelective ARG_task "confirmreset" chain
SecFilterSelective POST_PAYLOAD "token=('|%27)"
SecFilterSelective ARGS_VALUES ";.*declare%20.*exec"
A permanent fix/solution for each Joomla installation is as follows:
Upgrade to latest Joomla! version or patch /components/com_user/models/reset.php with the code below:
After global $mainframe; on line 113 of reset.php, add:
if(strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}
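The effect of the length check above, as an added example (not Joomla's code and not part of the original post). It assumes the reset lookup compares the submitted token with a stored per-user value that is empty when no reset is pending; the user rows and function names are hypothetical.

```php
<?php
// Added illustration, not Joomla code. Rows and function names are hypothetical.
// Constructed sample data: 'activation' holds a pending reset token,
// or '' when no reset has been requested (assumption, see lead-in).
$users = [
    ['id' => 62, 'username' => 'admin',  'activation' => ''],
    ['id' => 63, 'username' => 'editor', 'activation' => ''],
    ['id' => 64, 'username' => 'author', 'activation' => str_repeat('a1b2c3d4', 4)],
];

// Lookup without a length check: an empty token equals every empty
// 'activation' value, so the first row in the table is returned.
function findUserUnchecked(array $users, string $token): ?array
{
    foreach ($users as $user) {
        if ($user['activation'] === $token) {
            return $user;
        }
    }
    return null;
}

// Same lookup with the page's guard applied first: anything that is not
// exactly 32 characters is rejected before stored values are compared.
function findUserChecked(array $users, string $token): ?array
{
    if (strlen($token) != 32) {
        return null; // corresponds to setError(INVALID_TOKEN); return false;
    }
    foreach ($users as $user) {
        // hash_equals() is constant-time; extra hardening, not in the page's patch.
        if (hash_equals($user['activation'], $token)) {
            return $user;
        }
    }
    return null;
}

// Constructed test tokens: empty, too short, and a pending 32-character token.
$cases = ['empty' => '', 'short' => 'abc', 'valid' => str_repeat('a1b2c3d4', 4)];
foreach ($cases as $label => $token) {
    $before = findUserUnchecked($users, $token);
    $after  = findUserChecked($users, $token);
    printf("%-6s unchecked=%-6s checked=%s\n", $label,
        $before['username'] ?? 'none', $after['username'] ?? 'none');
}
```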
Some Suggestions
Joomla Password Reset Exploit Work. Does it?
One of our Joomla sites got hacked and the attacker replaced my template's index.php with his ugly page - "Hacked" heading and some Arabic lines in red. Apparently, the attacker somehow reset the password (and email address too) of the first user in the users table, which was the super user, and gained access to the administration panel. After doing a quick recovery, I searched the net to prevent future hacking attempts and found this article: Security News-[20080801] - Core - Password Remind Functionality