The Crucial Blog

August 23, 2008

Joomla 1.5 Exploit Fix mod_security - Token Password Reset Exploit and SQL Injection

If you run Joomla 1.5 sites and have not recently patched your installation, you have probably found that it has been hacked one or more times. As a system administrator, you may find a number of sites on a server running Joomla 1.5 getting hacked. To block the attacks at the firewall level and help stop your installations from being hacked, implement the following mod_security 1.x rules on each server:

# Joomla 1.5 null token password reset exploit - RM/BC 20 Aug 08
SecFilterSelective ARG_task "confirmreset" chain
SecFilterSelective POST_PAYLOAD "token=('|%27)"

# Joomla 1.5 SQL injection - 20 Aug 08
# nb: need case independence, on by default in 1.x!
SecFilterSelective ARGS_VALUES ";.*declare%20.*exec"

A permanent fix/solution for each installation is as follows:

Upgrade to the latest Joomla! version (1.5.6 or newer), or patch /components/com_user/models/reset.php with the code below:

After global $mainframe; on line 113 of reset.php, add:

if(strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}

Filed under: Uncategorized by — aaron @ 9:47 pm


One Response to “Joomla 1.5 Exploit Fix mod_security - Token Password Reset Exploit and SQL Injection”

  1. This mod_security rule gives you some protection against attacks. If you add a space before the ', you can also reset the password. I sorted out some better mod_security rules for this bug.

    -> Mod_sec Version 1.0

    SecFilterSelective ARG_task "confirmreset" chain
    SecFilterSelective POST_PAYLOAD "!token=([a-z0-9]{32})"

    -> Mod_sec Version 2.0
    SecRequestBodyAccess On
    # Joomla Security problem -> http://tinyurl.com/5aq67o
    SecRule ARGS:task "confirmreset" chain
    SecRule REQUEST_BODY "!token=([a-z0-9]{32})"
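
An added example, not part of the original post or the comment above: a small Python harness that runs the post's blacklist rule, the comment's whitelist rule and the reset.php length check over constructed request bodies. It assumes a simplified model in which mod_security 1.x applies each pattern case-insensitively to the raw, undecoded POST body; the function names are hypothetical.

```python
import re
from urllib.parse import parse_qs

# Assumption (simplified model): mod_security 1.x applies each pattern
# case-insensitively to the raw POST body, and the chained rule is only
# evaluated when task=confirmreset.
BLACKLIST = re.compile(r"token=('|%27)", re.I)         # rule from the post
WHITELIST = re.compile(r"token=([a-z0-9]{32})", re.I)  # rule from the comment

def blacklist_blocks(task, body):
    return task == "confirmreset" and bool(BLACKLIST.search(body))

def whitelist_blocks(task, body):
    # The comment's rule is negated ("!"): block when no 32-char token is seen.
    return task == "confirmreset" and not WHITELIST.search(body)

def app_rejects(body):
    # Mirrors the reset.php patch: strlen($token) != 32 -> INVALID_TOKEN.
    token = parse_qs(body, keep_blank_values=True).get("token", [""])[0]
    return len(token) != 32

# Constructed sample request bodies (not captured traffic).
SAMPLES = {
    "valid token": "token=" + "0123456789abcdef" * 2,
    "bare quote": "token=%27",
    "space then quote": "token=+%27",
    "empty token": "token=",
    "33-char token": "token=" + "a" * 33,
}

def evaluate(task="confirmreset"):
    # Returns {name: (post rule blocks, comment rule blocks, reset.php rejects)}
    return {name: (blacklist_blocks(task, body),
                   whitelist_blocks(task, body),
                   app_rejects(body))
            for name, body in SAMPLES.items()}

if __name__ == "__main__":
    print(f"{'request':<18}{'post rule':<11}{'comment rule':<14}reset.php check")
    for name, (bl, wl, app) in evaluate().items():
        print(f"{name:<18}{str(bl):<11}{str(wl):<14}{app}")
```

The 33-character row shows why the reset.php patch is still needed behind the firewall rule: the comment's pattern is unanchored, so it accepts any body containing 32 consecutive alphanumerics after token=.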
