Admin password reset hack 1.5.14
Moderator: General Support Moderators
Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Admin password reset hack 1.5.14
Just to clarify
Both issues listed in this topic sound like an "extension vulnerability" attack.
The answer I gave was to clear up the fact that the JSST are not the Bug Squad. They are two totally different sections/teams.
A bug could become a vulnerability, but my response was to clear up the confusion between the two teams.
If a Joomla core bug is confirmed then it will appear on the Bug Squad page, and likewise for a Joomla core security issue, mainly on the http://developer.joomla.org/ pages or within the security feed in your Joomla admin panel.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
- alexwalker
- Joomla! Enthusiast
- Posts: 183
- Joined: Thu Sep 15, 2005 3:54 pm
- Location: Lancaster, UK (near the Lake District)
- Contact:
Re: Admin password reset hack 1.5.14
Would it help to know what components I have running on that site?
Acajoom
Docman
BreezingForms
SportFusion
I can see how it could be a vulnerability via a component (vulnerability bug) or through Joomla direct (core security).
Whatever, I hope it is resolved for the time being ! Thanks for the advice and suggestions.
Alex Walker
"to assume is to make an ass of u and me"
- ooffick
- Joomla! Master
- Posts: 11616
- Joined: Thu Jul 17, 2008 3:10 pm
- Location: Ireland
- Contact:
Re: Admin password reset hack 1.5.14
alexwalker wrote:
I can see how it could be a vulnerability via a component (vulnerability bug) or through Joomla direct (core security).
Whatever, I hope it is resolved for the time being! Thanks for the advice and suggestions.
Have a look here: http://docs.joomla.org/Vulnerable_Extensions_List
The component com_sportfusion has a vulnerability.
Olaf
Olaf Offick - Global Moderator
learnskills.org
- alexwalker
- Joomla! Enthusiast
- Posts: 183
- Joined: Thu Sep 15, 2005 3:54 pm
- Location: Lancaster, UK (near the Lake District)
- Contact:
Re: Admin password reset hack 1.5.14
Olaf, I will look here before I install another component. I have uninstalled SportFusion until it is considered 'safe'.
Alex Walker
"to assume is to make an ass of u and me"
-
- Joomla! Apprentice
- Posts: 24
- Joined: Wed Jul 22, 2009 7:51 am
Re: Admin password reset hack 1.5.14
Dear All,
I have reported this to JSST today, hopefully the team will deal with this soon.
To mandville: Thanks, reported to JSST today.
To ooffick: thanks for telling me about the Mods
To DavidBoggitt: yes, we will update this if the next release of Joomla includes the core file updates. We currently can confirm that this patch can be applied to all versions prior to 1.5.15 (including 1.5.15). If Joomla releases a new version, e.g. 1.5.16, and the core files are changed, we will update this patch and send out a newsletter then.
To all: hopefully JSST can deal with this soon, and we will offer help to JSST if they need any assistance. We will keep providing the patch until JSST has released the solution for this. Let's keep our Joomla safe.
Best wishes,
Helix
-
- Joomla! Apprentice
- Posts: 24
- Joined: Wed Jul 22, 2009 7:51 am
Re: Admin password reset hack 1.5.14
To ooffick: The list is fantastic! Very very helpful!
-
- Joomla! Apprentice
- Posts: 24
- Joined: Wed Jul 22, 2009 7:51 am
Re: Admin password reset hack 1.5.14
mandville wrote:
Just to clarify
Both issues listed in this topic sound like an "extension vulnerability" attack.
The answer I gave was to clear up the fact that the JSST are not the Bug Squad. They are two totally different sections/teams.
A bug could become a vulnerability, but my response was to clear up the confusion between the two teams.
If a Joomla core bug is confirmed then it will appear on the Bug Squad page, and likewise for a Joomla core security issue, mainly on the http://developer.joomla.org/ pages or within the security feed in your Joomla admin panel.
My personal view is that this is not a bug, but a vulnerability from either a) the Joomla core or b) one of the extensions that is exposed to SQL injection, where the hacker can get the token out of the jos_users table.
Actually I think it should be from one of the extensions which has the vulnerabilities, because I think most of the Joomla core code has been examined by JSST. It would be better if those who have this issue ALSO reported what extensions they have installed, and compared them with the vulnerable extensions in this link:
http://docs.joomla.org/Vulnerable_Extensions_List
- mandville
- Joomla! Master
- Posts: 15152
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: Admin password reset hack 1.5.14
osexcel wrote:
It would be better if those who have this issue ALSO reported what extensions they have installed, and compared them with the vulnerable extensions in this link:
http://docs.joomla.org/Vulnerable_Extensions_List
The cry of the few is heard by the masses! We (the VEL list team) have been asking for this to happen for ages. We updated and work on the list and also Security Checklist 7, as we were fed up with C&P all the time.
The main VEL is the one people should go to, but remember HU2HY!
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
{VEL Team Leader}{TM Auditor }{ Showcase & Security forums Moderator}
-
- Joomla! Apprentice
- Posts: 24
- Joined: Wed Jul 22, 2009 7:51 am
Re: Admin password reset hack 1.5.14
mandville wrote:
The main VEL is the one people should go to, but remember HU2HY!
100% agree!