com_user reset password is being used to hack Joomla
Moderator: General Support Moderators
-
- Joomla! Apprentice
- Posts: 48
- Joined: Mon Sep 25, 2006 1:14 pm
com_user reset password is being used to hack Joomla
I discovered that some hackers have found a way to get the email ID of the administrator user, and then they are able to invoke com_user's reset password utility as well.
I also saw that they used SQL injection on the gcalendar component during this process.
I am not sure how they got the token for the password change from the admin's email!
Is there a way to disable password reset in the frontend?
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: com_user reset password is being used to hack Joomla
You should check that you have the latest version of Joomla, 1.5.15; if not, you should update immediately.
If this is a new problem affecting Joomla 1.5.15 then you should report it to the Joomla security team - see http://developer.joomla.org/security.html
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- mandville
- Joomla! Master
- Posts: 15155
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: com_user reset password is being used to hack Joomla
I would suggest you check the http://docs.joomla.org/Vulnerable_Extensions_List and see if any of your extensions are listed on there.
You can remove the reset command from your core files.
I would start by removing the vulnerable extensions first.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
- mandville
- Joomla! Master
- Posts: 15155
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: com_user reset password is being used to hack Joomla
PM actioned as per my signature. You have received a new private message from "krautela" to your account on
"Joomla!" with the following subject:
Re: com_user reset password is being used to hack Joomla
You can view your new message by clicking on the following link:
http://forum.joomla.org/ucp.php?i=pm&folder=inbox
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Apprentice
- Posts: 48
- Joined: Mon Sep 25, 2006 1:14 pm
Re: com_user reset password is being used to hack Joomla
mandville wrote: PM actioned as per my signature.
What's that?
- PhilD
- Joomla! Hero
- Posts: 2737
- Joined: Sat Oct 21, 2006 10:20 pm
- Location: Wisconsin USA
- Contact:
Re: com_user reset password is being used to hack Joomla
This is not a "new" problem as was suggested by fcoulter, and you have been hacked. The cause usually is an extension that allows SQL injection. Gcalendar should be updated, as well as all extensions, Joomla, and templates, to the latest version or removed. Gcalendar is on the vulnerability list. If the new version of Gcalendar does not work correctly for you (it did not for me), then I suggest you do without or find another extension that will work.
Undetected malware on your computer can also send passwords used to access your site to hackers. Check your computer.
As backdoors or other hidden code may have been installed on your site, I suggest you restore your site from a known clean backup or overwrite all Joomla files from a 1.5.15 full install package. Remove the installation directory after overwriting to enable the site again.
Also check the Security Checklist for additional information on how to secure your site:
http://docs.joomla.org/Category:Security_Checklist
Review all, specifically number 7.
PhilD
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: com_user reset password is being used to hack Joomla
http://jeffchannell.com/Joomla/joomla-r ... urity.html
http://forum.joomla.org/viewtopic.php?f=199&t=435890
When is this going to be fixed? I've been howling about it for a while now...
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- mandville
- Joomla! Master
- Posts: 15155
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: com_user reset password is being used to hack Joomla
So just to be clear, does this start with a vulnerable extension or the poor reset?
If it's a vulnerable extension then the strike team can't action it; it's down to "sloppy" developers.
http://docs.joomla.org/Vulnerable_Extensions_List
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: com_user reset password is being used to hack Joomla
mandville - when I finish with this contract I'm working on, I'm seriously considering just submitting a patch myself to address this as a holiday gift to the Joomla community. Sloppy programming or not, if there's something that can be done in core to mitigate this then I say go for it.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
-
- Joomla! Apprentice
- Posts: 48
- Joined: Mon Sep 25, 2006 1:14 pm
Re: com_user reset password is being used to hack Joomla
mandville wrote: So just to be clear, does this start with a vulnerable extension or the poor reset?
If it's a vulnerable extension then the strike team can't action it; it's down to "sloppy" developers.
http://docs.joomla.org/Vulnerable_Extensions_List
I think there is an issue with reset as well. On my site I have not put any frontend login option ... (no module for that). Now a person who knows Joomla extensions can easily trigger frontend login as well.
This is where it was a shock to me that from the frontend one was able to do this.
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: com_user reset password is being used to hack Joomla
krautela: there are options to disable new user registration within the global site management.
That said, an option to disable com_user altogether on the frontend is an interesting idea. I smell a plugin...
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: com_user reset password is being used to hack Joomla
Since it is the reset password function that causes the problem, I have been thinking that it would be useful to be able to disable that for selected users.
I have written a simple plugin that does this; you can download it from my site at
http://www.spiralscripts.co.uk/Joomla-P ... k.tpl.html
I agree with jeffchannell's concerns - the fact is that SQL injection is a common vulnerability in extensions; it ought not to be, but in all likelihood it will carry on being a problem. So it does make sense to make this particular exploit more difficult.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
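The per-user blocking fcoulter describes, written out as an added example of how a Joomla 1.5 system plugin could do it. This is not fcoulter's plugin and not Joomla core code; it is an illustration only. Assumed for the example: the plugin name plgSystemProtectReset, the list of protected usertype values, a plugin parameter named block_all (which would have to be declared in the plugin's XML manifest), and the Joomla 1.5 com_user task names requestreset, confirmreset and completereset.

```php
<?php
// Added example (not fcoulter's plugin, not Joomla core): a Joomla 1.5 system
// plugin that refuses front-end password-reset requests for protected accounts,
// so no reset token is ever generated for them. Names marked "assumed" are
// illustrative choices, not part of Joomla.
defined('_JEXEC') or die('Restricted access');

jimport('joomla.plugin.plugin');

class plgSystemProtectReset extends JPlugin   // assumed plugin name
{
    // Joomla 1.5 usertype values to protect (assumed list; adjust per site).
    var $protectedTypes = array('Super Administrator', 'Administrator');

    function __construct(&$subject, $config = array())
    {
        parent::__construct($subject, $config);
    }

    // onAfterRoute runs after the request is routed but before the component
    // executes, so com_user never sees a request we reject here.
    function onAfterRoute()
    {
        $app = JFactory::getApplication();
        if ($app->isAdmin() || JRequest::getCmd('option') !== 'com_user') {
            return; // only the site front end, and only com_user, is of interest
        }

        $task = JRequest::getCmd('task');
        $view = JRequest::getCmd('view');
        // com_user 1.5 reset flow: requestreset -> confirmreset -> completereset
        $resetTasks  = array('requestreset', 'confirmreset', 'completereset');
        $isResetFlow = ($view === 'reset' || in_array($task, $resetTasks));

        if (!$isResetFlow) {
            return;
        }

        // Assumed plugin parameter "block_all" (declared in the plugin XML):
        // sites with no legitimate front-end users can switch the flow off entirely.
        if ((int) $this->params->get('block_all', 0) === 1) {
            $this->deny();
        }

        // Otherwise intervene only at step 1, where the visitor names an account:
        // a protected account never has a token issued, whatever happens later.
        if ($task === 'requestreset') {
            $email = trim(JRequest::getVar('email', '', 'post', 'string'));
            if ($email !== '' && $this->isProtected($email)) {
                $this->deny();
            }
        }
    }

    // Look the submitted address up and see whether it belongs to a protected usertype.
    function isProtected($email)
    {
        $db = JFactory::getDBO();
        $db->setQuery('SELECT usertype FROM #__users WHERE email = ' . $db->Quote($email));
        $type = $db->loadResult();
        return $type !== null && in_array($type, $this->protectedTypes);
    }

    // Stop the request before com_user runs; JError::raiseError renders the
    // error page and ends the request in Joomla 1.5.
    function deny()
    {
        JError::raiseError(403, 'Password reset is not available for this account.');
    }
}
```

Two points worth knowing before relying on something like this. First, it only helps if the plugin is enabled and ordered to run before anything that could short-circuit onAfterRoute, so check the plugin ordering after installing. Second, the 403 from deny() is distinguishable from the normal "check your mail" page, so a visitor can tell that a given address is protected; a site that cares about that can redirect to the same confirmation page com_user shows instead of raising an error, which costs nothing in protection because the token is still never generated.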
- mandville
- Joomla! Master
- Posts: 15155
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: com_user reset password is being used to hack Joomla
Thanks for that. Is there any way that we can d/l it without signing up to the cart? Or drop a little copy for JeffC and myself.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
- fcoulter
- Joomla! Ace
- Posts: 1685
- Joined: Thu Sep 13, 2007 11:39 am
- Location: UK
- Contact:
Re: com_user reset password is being used to hack Joomla
I have changed it so there is a direct download link.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"
- mandville
- Joomla! Master
- Posts: 15155
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: com_user reset password is being used to hack Joomla
Thanks, much appreciated.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/
-
- Joomla! Ace
- Posts: 1964
- Joined: Tue Jun 09, 2009 2:21 am
- Location: WV
- Contact:
Re: com_user reset password is being used to hack Joomla
Update for those following: ian_mac passed this on to the devs and we may see an update for this soon.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι
- mandville
- Joomla! Master
- Posts: 15155
- Joined: Mon Mar 20, 2006 1:56 am
- Location: The Girly Side of Joomla in Sussex
Re: com_user reset password is being used to hack Joomla
Also loaded into the JSST forum for reference discussion.
HU2HY- Poor questions = Poor answer
Unrequested help PMs will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.puttersminigolf.co.uk/