February 17, 2009

Admin Password Hack Vulnerability in Joomla 1.5

I’m only posting this because the impossible happened to me today. Running Joomla 1.5, I ran into one of these so-called hackers (nice try).

While they were trying to destroy info and uninstall components, I managed to switch the account to suspended, buying me enough time to fix this leak. Now, not only is this a critical fix released last year by the joomla.org team, but a very good lesson learnt too. Learn to back up your websites and db, and look out for critical updates for your Joomla version (or even update it).

A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).

We all know this has been fixed in the latest version, 1.5.9, but be sure to check your version (I made that mistake).
It’s a critical security patch and part of 1.5.6.

Written by: admin

Filed Under: Joomla

Comments

  • S-Axxis

    February 20, 2009 at 1:58 pm

    This is very good & beneficial information about Joomla 1.5. We too work on Joomla.

  • Joomla Development

    February 20, 2009 at 2:00 pm

    Great article, keep coming with more information in future.

  • Kevin

    February 26, 2009 at 10:12 pm

    Hi there,

    Would you be able to explain to me what these hackers did to get into your website? It is not my intention to go into hacking myself, but some of my customers are running Joomla! 1.5.x and I do not want to bother them with fixes they already have. Besides that, I am studying IT and would like to learn more about hacking.

  • Ethan

    May 14, 2009 at 4:49 pm

    Wow, you’re lucky. I’ve never really liked Joomla! myself, but good luck with your future security! :-)

  • kun

    March 5, 2010 at 7:55 pm

    Now I no longer feel anxious after starting to use Drupal.
