com_user reset paswword is being used to hack joomla

Discussion regarding Joomla! 1.5 security issues.
Joomla! Vulnerable Extensions: http://feeds.joomla.org/JoomlaSecurityV ... Extensions

Moderator: General Support Moderators

Forum rules
Forum Rules
Absolute Beginner's Guide to Joomla! <-- please read before posting, this means YOU.
Security Checklist
Forum Post Assistant - If you are serious about wanting help, you will use this tool to help you post.
Locked
krautela
Joomla! Apprentice
Joomla! Apprentice
Posts: 48
Joined: Mon Sep 25, 2006 1:14 pm

com_user reset paswword is being used to hack joomla

Post by krautela » Sat Nov 28, 2009 9:34 am

I discovered that some hackers have found a way to get the email id of administrator user and then they are able to invoke com_user's reset password utility as well.

i also saw that they used SQL injection on gcalendar component during this process.

i am not sure how they got the token for password change from the email of admin.!!

is there a way to disable pasword reset in the frontend?

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: com_user reset paswword is being used to hack joomla

Post by fcoulter » Sat Nov 28, 2009 2:19 pm

You should check that you have the latest version of Joomla 1.5.15, if not you should update immediately.

If this is a new problem affecting Joomla 1.5.15 then you should report it to the Joomla security team - see http://developer.joomla.org/security.html
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15153
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_user reset paswword is being used to hack joomla

Post by mandville » Sat Nov 28, 2009 2:45 pm

i would suggest you check the http://docs.joomla.org/Vulnerable_Extensions_List and see if any of your extensions are listed on there

You can remove the reset command from your core files.
I would start by removing the vulnerable extensions first
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15153
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_user reset paswword is being used to hack joomla

Post by mandville » Sun Nov 29, 2009 12:54 am

You have received a new private message from "krautela" to your account on
"Joomla!" with the following subject:
Re: com_user reset paswword is being used to hack joomla
You can view your new message by clicking on the following link:
http://forum.joomla.org/ucp.php?i=pm&folder=inbox
PM actioned as per my signature.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/

krautela
Joomla! Apprentice
Joomla! Apprentice
Posts: 48
Joined: Mon Sep 25, 2006 1:14 pm

Re: com_user reset paswword is being used to hack joomla

Post by krautela » Sun Nov 29, 2009 4:59 am

mandville wrote: PM actioned as per my signature.
whats that?

User avatar
PhilD
Joomla! Hero
Joomla! Hero
Posts: 2737
Joined: Sat Oct 21, 2006 10:20 pm
Location: Wisconsin USA
Contact:

Re: com_user reset paswword is being used to hack joomla

Post by PhilD » Sun Nov 29, 2009 4:59 pm

This is not a "new" problem as was suggested by fcoulter and you have been hacked. The cause usually is an extension that allows sql injection. Gcalendar should be updated as well as all extensions, Joomla, and templates to the latest version or removed. Gcalendar is on the vulnerability list. If the new version of Gcalendar does not work correctly for you, (it did not for me) then I suggest you do without or find another extension that will work.

Undetected malware on your computer can also send passwords used to access your site to hackers. Check your computer.

As backdoors or other hidden code may have been installed on your site, I suggest you restore your site from a known clean backup or overwrite all Joomla files from a 1.5.15 full install package. Remove the installation directory after overwriting to enable the site again.

Also check the Security Checklist for additional information on how to secure your site:
http://docs.joomla.org/Category:Security_Checklist

Review all, specifically number 7
PhilD

jeffchannell
Joomla! Ace
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: com_user reset paswword is being used to hack joomla

Post by jeffchannell » Sun Nov 29, 2009 11:12 pm

http://jeffchannell.com/Joomla/joomla-r ... urity.html
http://forum.joomla.org/viewtopic.php?f=199&t=435890

When is this going to be fixed? I've been howling about it a while now...
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15153
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_user reset paswword is being used to hack joomla

Post by mandville » Mon Nov 30, 2009 4:13 am

so just to be clear, does this start with a vulnerable extension or the poor reset.
if its a vulnerable extension then the strike team cant action, its down to "sloppy" developers
http://docs.joomla.org/Vulnerable_Extensions_List
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/

jeffchannell
Joomla! Ace
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: com_user reset paswword is being used to hack joomla

Post by jeffchannell » Mon Nov 30, 2009 6:46 am

mandville - when I finish with this contract I'm working on, I'm seriously considering just submitting a patch myself to address this as a holiday gift to the Joomla community. Sloppy programming or not, if there's something that can be done in core to mitigate this then I say go for it.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

krautela
Joomla! Apprentice
Joomla! Apprentice
Posts: 48
Joined: Mon Sep 25, 2006 1:14 pm

Re: com_user reset paswword is being used to hack joomla

Post by krautela » Mon Nov 30, 2009 10:12 am

mandville wrote:so just to be clear, does this start with a vulnerable extension or the poor reset.
if its a vulnerable extension then the strike team cant action, its down to "sloppy" developers
http://docs.joomla.org/Vulnerable_Extensions_List
i think there is issue with reset as well. In my site I have not put any frontend login option ... ( no module for that). Now person who know joomla extension can easily trigger frontend login as well.

this is where it was a shock to me that from frontend one was able to do this.

jeffchannell
Joomla! Ace
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: com_user reset paswword is being used to hack joomla

Post by jeffchannell » Mon Nov 30, 2009 10:16 am

krautela: there are options to disable new user registration within the global site management

That said, an option to disable com_user altogether on the frontend is an interesting idea. I smell a plugin...
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: com_user reset paswword is being used to hack joomla

Post by fcoulter » Mon Nov 30, 2009 8:19 pm

Since it is the reset password function that causes the problem I have been thinking that it would be useful to be able to disable that for selected users.

I have written a simple plugin that does this, you can download it from my site at

http://www.spiralscripts.co.uk/Joomla-P ... k.tpl.html

I agree with jeffchannell's concerns - the fact is that sql injection is a common vulnerability in extensions, it ought not to be, but in all likelihood it will carry on being a problem. So it does make sense to make this particular exploit more difficult.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15153
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_user reset paswword is being used to hack joomla

Post by mandville » Mon Nov 30, 2009 8:53 pm

thanks for that, is there any way that we can d/l it without signing up to the cart? or drop a little copy for JeffC and myself.
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/

User avatar
fcoulter
Joomla! Ace
Joomla! Ace
Posts: 1685
Joined: Thu Sep 13, 2007 11:39 am
Location: UK
Contact:

Re: com_user reset paswword is being used to hack joomla

Post by fcoulter » Mon Nov 30, 2009 8:59 pm

I have changed it so there is a direct download link.
http://www.spiralscripts.co.uk for Joomla! extensions
http://www.fionacoulter.com/blog my personal website
Security Forum moderator :: VEL team member
"Wearing my tin foil hat with pride"

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15153
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_user reset paswword is being used to hack joomla

Post by mandville » Mon Nov 30, 2009 9:17 pm

thanks, much appreciated
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/

jeffchannell
Joomla! Ace
Joomla! Ace
Posts: 1964
Joined: Tue Jun 09, 2009 2:21 am
Location: WV
Contact:

Re: com_user reset paswword is being used to hack joomla

Post by jeffchannell » Mon Nov 30, 2009 9:31 pm

Update for those following: ian_mac passed this on to the devs and we may see an update for this soon.
http://jeffchannell.com - Joomla Extensions & Support
http://biziant.com - Open Joomla Firewall/IDS
Unsolicited private messages/emails = hire me to fix your problem.
καλλιστι

User avatar
mandville
Joomla! Master
Joomla! Master
Posts: 15153
Joined: Mon Mar 20, 2006 1:56 am
Location: The Girly Side of Joomla in Sussex

Re: com_user reset paswword is being used to hack joomla

Post by mandville » Mon Nov 30, 2009 9:39 pm

also loaded into JSST forum for reference discussion
HU2HY- Poor questions = Poor answer
Un requested Help PM's will be reported, added to the foe list and possibly just deleted
portable mini golf https://www.putterspalace.co.uk/


Locked

Return to “Security in Joomla! 1.5”