Joomla 1.5 Exploit Fix mod_security – Token Password Reset Exploit and SQL Injection

If you are running sites running Joomla, and have not recently patched your installation you will probably have found your installation has been hacked one or more times.  As a system adminsitrar you may find a number of sites on a server running Joomla 1.5 getting hacked.  To prevent this at the firewall level, and help stop your Joomla installations being hacked implement the following mod_security 1.x rule on each server:

# Joomla 1.5 null token password reset exploit – RM/BC 20 Aug 08
SecFilterSelective ARG_task “confirmreset” chain
SecFilterSelective POST_PAYLOAD “token=(‘|%27)”

# Joomla 1.5 SQL injection – 20 Aug 08
# nb: need case independence, on by default in 1.x!
SecFilterSelective ARGS_VALUES “;.*declare%20.*exec”

A permanent fix/solution for each Joomla installation is as follows:

Upgrade to latest Joomla! version (1.5.6 or newer), or patch /components/com_user/models/reset.php with the code below:

After global $mainframe; on line 113 of reset.php, add:

if(strlen($token) != 32) {
$this->setError(JText::_(‘INVALID_TOKEN’));
return false;
}

Filed under: Uncategorized by — aaron @ 9:47 pm