One of the Joomla sites was hacked, and the attacker replaced my index.php template with his ugly page: a “hacked” heading and some Arabic lines in red. Apparently the attacker somehow reset the password (and email address) of the first user in the users table, which was the super user, and so gained access to the admin panel.
After a quick recovery, I searched the web for ways to prevent a future hacking attempt and found this article: Security News - [20080801] - Basic Functions - Forgot Password
I applied the code from this article to fix my reset.php.
But I still have doubts. The article does not say anything about how the exploit works, but I read somewhere on the Internet that it is a SQL injection vulnerability in reset.php.
The line that executes SQL to validate the token:
```php
$db->setQuery('SELECT id FROM #__users
    WHERE block = 0
    AND activation = '.$db->Quote($token));
```
uses the JDatabase::Quote() method, and yet some kind of SQL injection is supposedly possible. Isn't Quote() supposed to prevent SQLi? The attacked site runs Joomla 1.5.18.
My other doubt is that the patch only adds a check that the token is 32 characters long. How could this have prevented the exploit?
I am wondering whether SQLi can really get past the Quote() method, and isn't a 32-character string more than enough to get around this WHERE clause?
```php
if (strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}
```
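An added example (mine, not from the question or from Joomla) of why the length check matters even when quoting is correct: the same lookup run as a parameterized query against an in-memory SQLite stand-in for #__users, once without and once with the 32-character check. The table rows, ids, and the assumption that the activation column is empty for accounts that have already been activated are constructed for this demo.

```python
import secrets
import sqlite3

TOKEN_LEN = 32  # Joomla reset tokens are 32 hex characters


def build_db():
    """Constructed in-memory stand-in for the #__users table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER, block INTEGER, activation TEXT)")
    # Assumption for the demo: an activated account has an empty activation
    # column; only an account with a pending reset carries a real token.
    con.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (62, 0, ""),                                    # activated super user
        (63, 0, "3f2a9c1e8b7d4a6f0c1e2d3b4a5f6e7d"),    # pending reset token
        (64, 1, "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"),    # blocked account
    ])
    return con


def lookup_unpatched(con, token):
    """The original query: the token is quoted/parameterized, nothing else."""
    row = con.execute(
        "SELECT id FROM users WHERE block = 0 AND activation = ?", (token,)
    ).fetchone()
    return row[0] if row else None


def lookup_patched(con, token):
    """Same query, but a token of the wrong shape never reaches the database."""
    if not isinstance(token, str) or len(token) != TOKEN_LEN:
        return None  # what setError('INVALID_TOKEN') does in the patch
    return lookup_unpatched(con, token)


def new_token():
    """A fresh, unguessable token of the length the check expects."""
    return secrets.token_hex(16)  # 16 random bytes -> 32 hex characters
```

Quoting keeps a quote character inside the token as data, so there is no injection in either version; the length check is what stops a malformed token from being compared against rows whose activation column is empty.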