Bug 234577 (CVE-2008-3681) - www-apps/joomla: 1.5.X Remote Admin Change Password Vulnerability (CVE-2008-3681)
Summary: www-apps/joomla: 1.5.X Remote Admin Change Password Vulnerability (CVE-2008-3...
Status: RESOLVED FIXED
Alias: CVE-2008-3681
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All All
Importance: High trivial
Assignee: Gentoo Security
URL: http://en.emanuele-gentili.com/index....
Whiteboard: ~1 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2008-08-12 22:30 UTC by Emanuele Gentili
Modified: 2008-09-19 15:38 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
attaching fix. (com_user_fix.patch, 434 bytes, patch)
2008-08-13 00:03 UTC, Emanuele Gentili

Description Emanuele Gentili 2008-08-12 22:30:51 UTC
A new high security issue was found in Joomla 1.5.x that allows remote admin password change.

Reproducible: Always

Steps to Reproduce:
The proof of concept is very simple, follow these steps:

0×01) open your browser and go to the URL:

http://www.target.com/index.php?option=com_user&view=reset&layout=confirm

(replace www.target.com with your website, and remember to add the path if you have one, e.g. /joomla/)

0×02) Write the char ' into the text input box and click OK.
(if you see this text input box you are vulnerable)

0×03) Now you are able to write the new password for admin in the new text input.

0×04) go to the URL http://www.target.com/administrator/ and try to log in.

How to apply provisional fix:

This isn't a real fix, but with it you can keep out stupid crackers; follow these steps if you turn out to be vulnerable.

0×01) Log in to the admin panel and go to the user management panel.

0×02) create a new SuperAdmin user and log out of the admin panel.

0×03) Log in to the admin panel with the new user, and go to the user management panel.

0×04) remove all privileges from the old admin (switch privilege to Registered user) and disable this user.

I'm working on writing a fix, Joomla people too.
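The report above shows that a reset-confirmation form accepting a junk token is the symptom to look for. As an added example (not the attached patch and not Joomla's own code), the routine below shows the shape of a defensive token check: refuse empty or malformed tokens before any lookup, never treat a user whose stored token is empty as a match candidate, and compare in constant time. It assumes a pending reset token is stored per user in an `activation` field and that real tokens are 32 hex characters; the user records are constructed sample data standing in for the database.

```php
<?php
// Added example: defensive validation of a password-reset confirmation token.
// Assumption: a pending reset token lives in each user's `activation` field,
// and a genuine token is always exactly 32 hex characters.

/**
 * Return the id of the unblocked user whose pending reset token equals $token,
 * or null when the token is missing, malformed, or matches nobody.
 */
function findUserForResetToken(array $users, $token): ?int
{
    // 1. Shape check first. An empty string, a quote, a wildcard or any other
    //    non-token value is rejected here and never reaches the comparison.
    if (!is_string($token) || !preg_match('/^[a-f0-9]{32}$/', $token)) {
        return null;
    }

    foreach ($users as $user) {
        // 2. Blocked accounts and accounts with no pending reset are skipped,
        //    so an empty stored token can never be "equal" to anything.
        if ($user['block'] !== 0 || $user['activation'] === '') {
            continue;
        }
        // 3. Constant-time comparison against the stored token.
        if (hash_equals($user['activation'], $token)) {
            return $user['id'];
        }
    }
    return null;
}

// Constructed sample data: the admin has no pending reset (empty token);
// a second user has requested one.
$pendingToken = str_repeat('ab', 16);
$users = [
    ['id' => 62, 'username' => 'admin',  'block' => 0, 'activation' => ''],
    ['id' => 63, 'username' => 'editor', 'block' => 0, 'activation' => $pendingToken],
];

// Junk and empty tokens are refused; only the real pending token resolves.
foreach (["'", '', $pendingToken] as $candidate) {
    $result = findUserForResetToken($users, $candidate);
    printf("token %-34s -> %s\n", var_export($candidate, true),
        $result === null ? 'rejected' : "user id $result");
}
```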
Comment 1 Emanuele Gentili 2008-08-13 00:03:14 UTC
Created attachment 162799 [details, diff]
attaching fix.
Comment 2 Christian Hoffmann (RETIRED) gentoo-dev 2008-08-13 11:02:02 UTC
web-apps, please patch/bump accordingly. Upstream also released a new version: http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html

Setting ~1 as the admin probably has possibilities of executing arbitrary PHP code (not sure if this is correct in case of a masked package?)
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-09-09 19:28:19 UTC
Removed joomla-1.0.15 and joomla-1.5.5, added joomla-1.5.6. Was already hard masked for security reasons. webapps done.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-09-19 15:38:30 UTC
All done here.