There is a Joomla exploit around that you should be aware of. It works on any Joomla 1.5.x version.
It allows you to change the admin password without much effort, so you should secure the admin account by either downgrading its user group or renaming it to something random with phpMyAdmin.
Here is one of the two pieces of code that make this exploit possible:
PHP Code:
Lines: 379-399
function confirmreset()
{
    // Check for request forgeries
    JRequest::checkToken() or die( 'Invalid Token' );

    // Get the input
    $token = JRequest::getVar('token', null, 'post', 'alnum'); // <--- {1}

    // Get the model
    $model = &$this->getModel('Reset');

    // Verify the token
    if ($model->confirmReset($token) === false) // <--- {2}
    {
        $message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
        $this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
        return false;
    }

    $this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
}
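A defensive check for the token handling marked {1} and {2}, as an added example that is not part of the original post and is not Joomla's own code: it rejects any token that the 'alnum' filter would alter or that does not have the full expected length, so only complete tokens reach the lookup. The helper name `validated_reset_token`, the `TOKEN_LENGTH` constant and the assumption that a genuine reset token is a 32-character hexadecimal string are hypothetical and must be adapted to the installation.

```php
<?php
// Added example, not Joomla code.
// Assumption: a genuine reset token is a 32-character hexadecimal string.
define('TOKEN_LENGTH', 32);

/**
 * Hypothetical helper: returns the token if it is well formed, otherwise null.
 * It mirrors the effect of the 'alnum' filter at {1}, then refuses any value
 * the filter changed or that is not a full-length token, so the model call
 * at {2} never receives an empty or truncated string.
 */
function validated_reset_token($raw)
{
    if (!is_string($raw)) {
        return null; // missing field or array input
    }

    // Same effect as the 'alnum' filter: keep only A-Z, a-z and 0-9.
    $filtered = preg_replace('/[^A-Za-z0-9]/', '', $raw);

    if ($filtered !== $raw) {
        return null; // filtering altered the input: reject, do not "clean"
    }
    if (strlen($filtered) !== TOKEN_LENGTH || !ctype_xdigit($filtered)) {
        return null; // empty, short, long or non-hex value
    }
    return $filtered;
}

// Constructed sample inputs (not real tokens).
$samples = array(
    'well formed'        => '0123456789abcdef0123456789abcdef',
    'empty'              => '',
    'too short'          => 'abc123',
    'altered by filter'  => '0123-4567-89ab-cdef-0123-4567-89ab-cdef',
    'right length, not hex' => 'zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz',
    'not a string'       => array('x'),
);

foreach ($samples as $label => $value) {
    $result = validated_reset_token($value);
    printf("%-22s => %s\n", $label, $result === null ? 'rejected' : 'accepted');
}
```

In a controller like the one above, a null result would take the same failure redirect as a token the model refuses.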