com_user reset paswword is being used to hack joomla

krautela · Post by **krautela** » Sat Nov 28, 2009 9:34 am

I discovered that some hackers have found a way to get the email id of administrator user and then they are able to invoke com_user's reset password utility as well.

i also saw that they used SQL injection on gcalendar component during this process.

i am not sure how they got the token for password change from the email of admin.!!

is there a way to disable pasword reset in the frontend?

fcoulter · Post by **fcoulter** » Sat Nov 28, 2009 2:19 pm

You should check that you have the latest version of Joomla 1.5.15, if not you should update immediately.

If this is a new problem affecting Joomla 1.5.15 then you should report it to the Joomla security team - see http://developer.joomla.org/security.html

Post by **mandville** » Sat Nov 28, 2009 2:45 pm

i would suggest you check the http://docs.joomla.org/Vulnerable_Extensions_List and see if any of your extensions are listed on there

You can remove the reset command from your core files.
I would start by removing the vulnerable extensions first

Post by **mandville** » Sun Nov 29, 2009 12:54 am

You have received a new private message from "krautela" to your account on
"Joomla!" with the following subject:
Re: com_user reset paswword is being used to hack joomla
You can view your new message by clicking on the following link:
http://forum.joomla.org/ucp.php?i=pm&folder=inbox

PM actioned as per my signature.

krautela · Post by **krautela** » Sun Nov 29, 2009 4:59 am

mandville wrote: PM actioned as per my signature.

whats that?

PhilD · Post by **PhilD** » Sun Nov 29, 2009 4:59 pm

This is not a "new" problem as was suggested by fcoulter and you have been hacked. The cause usually is an extension that allows sql injection. Gcalendar should be updated as well as all extensions, Joomla, and templates to the latest version or removed. Gcalendar is on the vulnerability list. If the new version of Gcalendar does not work correctly for you, (it did not for me) then I suggest you do without or find another extension that will work.

Undetected malware on your computer can also send passwords used to access your site to hackers. Check your computer.

As backdoors or other hidden code may have been installed on your site, I suggest you restore your site from a known clean backup or overwrite all Joomla files from a 1.5.15 full install package. Remove the installation directory after overwriting to enable the site again.

Also check the Security Checklist for additional information on how to secure your site:
http://docs.joomla.org/Category:Security_Checklist

Review all, specifically number 7

jeffchannell · Post by **jeffchannell** » Sun Nov 29, 2009 11:12 pm

http://jeffchannell.com/Joomla/joomla-r ... urity.html
http://forum.joomla.org/viewtopic.php?f=199&t=435890

When is this going to be fixed? I've been howling about it a while now...

Post by **mandville** » Mon Nov 30, 2009 4:13 am

so just to be clear, does this start with a vulnerable extension or the poor reset.
if its a vulnerable extension then the strike team cant action, its down to "sloppy" developers
http://docs.joomla.org/Vulnerable_Extensions_List

jeffchannell · Post by **jeffchannell** » Mon Nov 30, 2009 6:46 am

mandville - when I finish with this contract I'm working on, I'm seriously considering just submitting a patch myself to address this as a holiday gift to the Joomla community. Sloppy programming or not, if there's something that can be done in core to mitigate this then I say go for it.

krautela · Post by **krautela** » Mon Nov 30, 2009 10:12 am

mandville wrote:so just to be clear, does this start with a vulnerable extension or the poor reset.
if its a vulnerable extension then the strike team cant action, its down to "sloppy" developers
http://docs.joomla.org/Vulnerable_Extensions_List

i think there is issue with reset as well. In my site I have not put any frontend login option ... ( no module for that). Now person who know joomla extension can easily trigger frontend login as well.

this is where it was a shock to me that from frontend one was able to do this.

jeffchannell · Post by **jeffchannell** » Mon Nov 30, 2009 10:16 am

krautela: there are options to disable new user registration within the global site management

That said, an option to disable com_user altogether on the frontend is an interesting idea. I smell a plugin...

fcoulter · Post by **fcoulter** » Mon Nov 30, 2009 8:19 pm

Since it is the reset password function that causes the problem I have been thinking that it would be useful to be able to disable that for selected users.

I have written a simple plugin that does this, you can download it from my site at

http://www.spiralscripts.co.uk/Joomla-P ... k.tpl.html

I agree with jeffchannell's concerns - the fact is that sql injection is a common vulnerability in extensions, it ought not to be, but in all likelihood it will carry on being a problem. So it does make sense to make this particular exploit more difficult.

Post by **mandville** » Mon Nov 30, 2009 8:53 pm

thanks for that, is there any way that we can d/l it without signing up to the cart? or drop a little copy for JeffC and myself.

fcoulter · Post by **fcoulter** » Mon Nov 30, 2009 8:59 pm

I have changed it so there is a direct download link.

Post by **mandville** » Mon Nov 30, 2009 9:17 pm

thanks, much appreciated

jeffchannell · Post by **jeffchannell** » Mon Nov 30, 2009 9:31 pm

Update for those following: ian_mac passed this on to the devs and we may see an update for this soon.

Post by **mandville** » Mon Nov 30, 2009 9:39 pm

also loaded into JSST forum for reference discussion