login impossible after Session Hardening patch

Discussion regarding Joomla! 1.5 security issues.
boossy
Joomla! Apprentice
Posts: 9
Joined: Sun Apr 08, 2012 9:22 pm

login impossible after Session Hardening patch

Post by boossy » Thu May 05, 2016 2:36 pm

Hi,

I still have one Joomla 1.5 site (1.5.26); it will be replaced this summer. Today, I installed the security hotfixes for Joomla EOL versions:
- File Upload Security Patch
- Remote Code Execution = Session Hardening Patch
However, after installation of the Session Hardening patch, I can no longer log in to the site, neither on the front end nor on the back end. I get no error message, so I suppose my password is accepted, but I can't get through. I also retried after clearing the cache, to no avail.

Replacing the new session.php with the old, vulnerable session.php makes the site accessible again. If I were the only one making changes to the site, I could live with it, but other users also need access.

Any advice?

Kind regards

Boossy

itoctopus
Joomla! Virtuoso
Posts: 4027
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: login impossible after Session Hardening patch

Post by itoctopus » Thu May 05, 2016 7:08 pm

Can you attach the new session.php file here? Technically, you can solve the problem by removing (or commenting out) the following lines in the original session.php file:

    $this->set( 'session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);

and

    $this->set( 'session.client.browser', $_SERVER['HTTP_USER_AGENT']);

and that's it.

A good idea is to also add the following line to your .htaccess file:

    RewriteCond %{HTTP_USER_AGENT} .*\{.* [NC]
    RewriteRule .* - [F,L]

http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
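The two session.client.* lines store raw, attacker-controlled request headers in the session, and the .htaccess rule above blocks any User-Agent containing a brace, the character that PHP's serialize() output relies on for object and array bodies. The following is an added example for this thread, not code from the Joomla project or from the Session Hardening patch: rather than deleting the two lines outright, it stores a header value only after an allow-list check, so a header carrying serialized-object syntax never reaches session storage. The function names isSafeClientHeader and sanitizedClientHeader are hypothetical, and the sample requests at the bottom are constructed; it is written without PHP 7 syntax so it would run on the PHP versions a 1.5 site typically uses.

```php
<?php
// Added example (not Joomla code): allow-list a client header before it is
// persisted in session data, as an alternative to removing the two
// $this->set('session.client.*', ...) lines entirely.

// True when a client-supplied header value is acceptable to persist:
// printable ASCII only, no braces, quotes, backslash or pipe, and length-capped.
function isSafeClientHeader($value, $maxLen = 512)
{
    if (!is_string($value) || $value === '' || strlen($value) > $maxLen) {
        return false;
    }
    if (preg_match('/^[\x20-\x7E]+$/', $value) !== 1) {
        return false;   // control bytes or non-ASCII present
    }
    // Reject the braces and quotes that serialized PHP data is built from,
    // plus backslash and pipe, which have no place in a browser or proxy header.
    return preg_match('/[{}"\'\\\\|]/', $value) === 0;
}

// Replacement for reading $_SERVER['HTTP_USER_AGENT'] or
// $_SERVER['HTTP_X_FORWARDED_FOR'] directly: returns the value when it passes
// the check, or '' when the header is absent or rejected.
function sanitizedClientHeader(array $server, $key)
{
    $value = isset($server[$key]) ? $server[$key] : '';
    return isSafeClientHeader($value) ? $value : '';
}

// Inside the session class the two hardening lines would then read (assumed
// placement, mirroring the lines quoted in the post):
//   $this->set('session.client.forwarded', sanitizedClientHeader($_SERVER, 'HTTP_X_FORWARDED_FOR'));
//   $this->set('session.client.browser',   sanitizedClientHeader($_SERVER, 'HTTP_USER_AGENT'));

// Constructed sample requests: a normal browser, a header shaped like a
// serialized PHP object, an oversized header, and a proxy chain.
$samples = array(
    array('HTTP_USER_AGENT' => 'Mozilla/5.0 (X11; Linux x86_64) Firefox/45.0'),
    array('HTTP_USER_AGENT' => 'O:1:"x":1:{s:1:"a";s:1:"b";}'),
    array('HTTP_USER_AGENT' => str_repeat('A', 2000)),
    array('HTTP_X_FORWARDED_FOR' => '203.0.113.7, 198.51.100.2'),
);

foreach ($samples as $server) {
    printf(
        "browser=%s forwarded=%s\n",
        var_export(sanitizedClientHeader($server, 'HTTP_USER_AGENT'), true),
        var_export(sanitizedClientHeader($server, 'HTTP_X_FORWARDED_FOR'), true)
    );
}
```

Running it prints the first and last samples unchanged and an empty string for the serialized-object and oversized headers. Because a rejected header becomes '' instead of a 403, a rare legitimate browser whose User-Agent happens to contain a brace simply gets an empty session fingerprint rather than being locked out, which is the trade-off between this check and the .htaccess rule; the two can also be used together.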

