Admin password reset hack 1.5.14

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Admin password reset hack 1.5.14

Post by mandville » Fri Dec 11, 2009 12:54 am

Just to clarify:
Both issues listed in this topic sound like an "extension vulnerability" attack.
The answer I gave was to clear up the fact that the JSST are not the Bug Squad. They are two totally different sections/teams.

A bug could become a vulnerability, but my response was to clear up the confusion between the two teams.
If a Joomla core bug is confirmed then it will appear on the Bug Squad page, and likewise for a Joomla core security issue, mainly on the http://developer.joomla.org/ pages or within the security feed in your admin panel of Joomla.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

alexwalker
Joomla! Enthusiast
Posts: 183
Joined: Thu Sep 15, 2005 3:54 pm
Location: Lancaster, UK (near the Lake District)

Re: Admin password reset hack 1.5.14

Post by alexwalker » Fri Dec 11, 2009 8:43 am

Would it help to know what components I have running on that site?
Acajoom
Docman
BreezingForms
SportFusion
I can see how it could be a vulnerability via a component (vulnerability bug) or through Joomla direct (core security).
Whatever, I hope it is resolved for the time being! Thanks for the advice and suggestions.
Alex Walker
"to assume is to make an ass of u and me"

ooffick
Joomla! Master
Posts: 11615
Joined: Thu Jul 17, 2008 3:10 pm
Location: Ireland

Re: Admin password reset hack 1.5.14

Post by ooffick » Fri Dec 11, 2009 10:01 am

alexwalker wrote: I can see how it could be a vulnerability via a component (vulnerability bug) or through Joomla direct (core security).
Whatever, I hope it is resolved for the time being! Thanks for the advice and suggestions.

Have a look here: http://docs.joomla.org/Vulnerable_Extensions_List
The component com_sportfusion has a vulnerability.

Olaf
Olaf Offick - Global Moderator
learnskills.org

alexwalker
Joomla! Enthusiast
Posts: 183
Joined: Thu Sep 15, 2005 3:54 pm
Location: Lancaster, UK (near the Lake District)

Re: Admin password reset hack 1.5.14

Post by alexwalker » Fri Dec 11, 2009 12:26 pm

Olaf, I will look here before I install another component. I have uninstalled SportFusion until it is considered 'safe'.
Alex Walker
"to assume is to make an ass of u and me"

osexcel
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Post by osexcel » Sun Dec 13, 2009 12:50 pm

Dear All,

I have reported this to JSST today, hopefully the team will deal with this soon.

To mandville: Thanks, reported to JSST today.

To ooffick: Thanks for telling me about the Mods.

To DavidBoggitt: Yes, we will update this if the next release of Joomla includes the core file updates. We can currently confirm that this patch can be applied to all versions prior to 1.5.15 (including 1.5.15). If Joomla releases a new version, e.g. 1.5.16, and the core files are changed, we will update this patch and send out a newsletter then.

To all: hopefully JSST can deal with this soon, and we will offer help to JSST if they need any assistance. We will keep providing the patch until JSST has released the solution for this. Let's keep our Joomla safe. ;)

Best wishes,
Helix

osexcel
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Post by osexcel » Sun Dec 13, 2009 12:53 pm

To ooffick: The list is fantastic! Very very helpful!

osexcel
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Post by osexcel » Sun Dec 13, 2009 1:03 pm

mandville wrote: Just to clarify:
Both issues listed in this topic sound like an "extension vulnerability" attack.
The answer I gave was to clear up the fact that the JSST are not the Bug Squad. They are two totally different sections/teams.

A bug could become a vulnerability, but my response was to clear up the confusion between the two teams.
If a Joomla core bug is confirmed then it will appear on the Bug Squad page, and likewise for a Joomla core security issue, mainly on the http://developer.joomla.org/ pages or within the security feed in your admin panel of Joomla.

My personal view is that this is not a bug but a vulnerability from either a) Joomla core or b) one of the extensions that is exposed to SQL injection, where the hacker can get the token out of the jos_users table.

Actually, I think it should be from one of the extensions which has the vulnerabilities, because I think most of the Joomla core code has been examined by JSST. It would be better if those who have this issue ALSO reported what extensions they have installed, and compared them with the vulnerable extensions in this link:

http://docs.joomla.org/Vulnerable_Extensions_List

mandville
Joomla! Master
Posts: 15152
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: Admin password reset hack 1.5.14

Post by mandville » Sun Dec 13, 2009 2:47 pm

osexcel wrote: It would be better if those who have this issue ALSO reported what extensions they have installed, and compared them with the vulnerable extensions in this link:

http://docs.joomla.org/Vulnerable_Extensions_List

The cry of the few is heard by the masses! We (the VEL list team) have been asking for this to happen for ages. We updated and work on the list and also security checklist 7, as we were fed up with C&P all the time.

The main VEL is the one people should go to, but remember HU2HY!
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}

osexcel
Joomla! Apprentice
Posts: 24
Joined: Wed Jul 22, 2009 7:51 am

Re: Admin password reset hack 1.5.14

Post by osexcel » Sun Dec 13, 2009 6:02 pm

mandville wrote:
osexcel wrote: The main VEL is the one people should go to, but remember HU2HY!

100% agree! ;)

