The Crucial Blog
Joomla 1.5 Exploit Fix mod_security – Token Password Reset Exploit and SQL Injection
If you are running sites running Joomla, and have not recently patched your installation you will probably have found your installation has been hacked one or more times. As a system adminsitrar you may find a number of sites on a server running Joomla 1.5 getting hacked. To prevent this at the firewall level, and help stop your Joomla installations being hacked implement the following mod_security 1.x rule on each server:
# Joomla 1.5 null token password reset exploit – RM/BC 20 Aug 08
SecFilterSelective ARG_task “confirmreset” chain
SecFilterSelective POST_PAYLOAD “token=(‘|%27)”# Joomla 1.5 SQL injection – 20 Aug 08
# nb: need case independence, on by default in 1.x!
SecFilterSelective ARGS_VALUES “;.*declare%20.*exec”
A permanent fix/solution for each Joomla installation is as follows:
Upgrade to latest Joomla! version (1.5.6 or newer), or patch /components/com_user/models/reset.php with the code below:
After global $mainframe; on line 113 of reset.php, add:
Tags: joomla, security, server-administrationif(strlen($token) != 32) {
$this->setError(JText::_(‘INVALID_TOKEN’));
return false;
}
Filed under: Uncategorized by — aaron @ 9:47 pm
This mod_security rule give you some protection against attacks. If you add a space before the ‘, you can also reset the password. I sorted out some better mod_security rules for this bug.
-> Mod_sec Version 1.0
SecFilterSelective ARG_task “confirmreset” chain
SecFilterSelective POST_PAYLOAD “!token=([a-z0-9]{32})”
-> Mod_sec Version 2.0
SecRequestBodyAccess On
# Joomla Security problem -> http://tinyurl.com/5aq67o
SecRule ARGS:task “confirmreset” chain
SecRule REQUEST_BODY “!token=([a-z0-9]{32})”