Joomla 1.5 Exploit Fix mod_security - Token Password Reset Exploit and SQL Injection

If you are running sites running Joomla, and have not recently patched your installation you will probably have found your installation has been hacked one or more times.  As a system adminsitrar you may find a number of sites on a server running Joomla 1.5 getting hacked.  To prevent this at the firewall level, and help stop your Joomla installations being hacked implement the following mod_security 1.x rule on each server:

# Joomla 1.5 null token password reset exploit - RM/BC 20 Aug 08
SecFilterSelective ARG_task “confirmreset” chain
SecFilterSelective POST_PAYLOAD “token=(’|%27)”

# Joomla 1.5 SQL injection - 20 Aug 08
# nb: need case independence, on by default in 1.x!
SecFilterSelective ARGS_VALUES “;.*declare%20.*exec”

A permanent fix/solution for each Joomla installation is as follows:

Upgrade to latest Joomla! version (1.5.6 or newer), or patch /components/com_user/models/reset.php with the code below:

After global $mainframe; on line 113 of reset.php, add:

if(strlen($token) != 32) {
$this->setError(JText::_(’INVALID_TOKEN’));
return false;
}

Related posts

• Installing and Configuring OpenVPN on a Xen VPS or Dedicated Server (0)
• 404 Error when to accessing /wp-admin/admin-ajax.php (0)
• yum errror: error: install: %pre scriptlet failed (2), skipping … (0)
• Xen: How to check if Intel VT is enabled? (0)
• Xen: Dom0 and DomU can ping, but no other network connectivity - checksum problems (3)

Filed under: Uncategorized by — aaron @ 9:47 pm