Databases
StackOverflow2013
Postsdbo
POHow does this Joomla password reset exploit work?
 

Note that there are some explanatory texts on larger screens.

plurals
  1. POHow does this Joomla password reset exploit work?
    primarykey
    data
    text
    <p>One of our Joomla sites got hacked and the attacker replaced my template's index.php with his ugly page - "Hacked" heading and some arabic lines in red. Apparently, the attacker some how reset the password(and email address too) of first user in the users table, which was the super user, and gained access to administration panel.</p> <p>After doing a quick recovery, I searched net to prevent future hacking attempt and found this article: <a href="http://developer.joomla.org/security/news/35-core-security/241-20080801-core-password-remind-functionality.html" rel="nofollow">Security News-[20080801] - Core - Password Remind Functionality</a></p> <p>I put the code from that article to patch my reset.php</p> <p>But I am still having doubts. The article doesn't say anything about how the exploit really work. But I read some where in the internet that this is an SQL injection vulnerability in reset.php</p> <p>The line executing SQL to check the token:</p> <pre><code>$db-&gt;setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db-&gt;Quote($token)); </code></pre> <p>is using the JDatabase::Quote() method. Then how does some SQL injection become possible. Isn't <strong>Quote</strong> supposed to prevent an SQLi? Joomla version of attacked site is 1.5.18.</p> <p>Another doubt is in the patch checking only to verify string length of 32. How could it prevent the exploit.</p> <p>I'm wondering if an SQLi can really pass Quote method then wouldn't a string length of 32 be more than enough to bypass that WHERE clause?</p> <pre><code> if(strlen($token) != 32) { $this-&gt;setError(JText::_('INVALID_TOKEN')); return false; } </code></pre>
    singulars
    1. PO
      singulars
      1. PTAnswer
    1. This table or related slice is empty.
    1. PTQuestion
    1. USCharles
    1. USrineez
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. PO
      singulars
      1. PTAnswer
    1. VO
      singulars
      1. POHow does this Joomla password reset exploit work?
      1. This table or related slice is empty.
      1. VTUpMod
    2. VO
      singulars
      1. POHow does this Joomla password reset exploit work?
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. POHow does this Joomla password reset exploit work?
      1. This table or related slice is empty.
      1. VTUpMod
    1. COOn a related note, you really should update to 1.5.23. Being 5 security releases behind is kind of a bad idea as you have learned the hard way.
      singulars
      1. POHow does this Joomla password reset exploit work?
      1. USBrent Friar
    2. COright, I will be doing that soon.
      singulars
      1. POHow does this Joomla password reset exploit work?
      1. USrineez
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload