Joomla "token" Password Change Vulnerability

SECUNIA ADVISORY ID:
SA31457

VERIFY ADVISORY:
http://secunia.com/advisories/31457/

CRITICAL:
Moderately critical

IMPACT:
Security Bypass, Manipulation of data

WHERE:
>From remote

SOFTWARE:
Joomla! 1.x
http://secunia.com/product/5788/

DESCRIPTION:
d3m0n has reported a vulnerability in Joomla!, which can be exploited
by malicious people to bypass certain security restrictions and
manipulate data.

The vulnerability is caused due to improper access restriction in
components/com_user/models/reset.php. This can be exploited to bypass
the authentication mechanism and change the password of the user with
the lowest ID (typically the administrator), without having valid
user credentials.

The vulnerability is reported in all 1.5.x versions prior to 1.5.6.

SOLUTION:
Update to version 1.5.6.

PROVIDED AND/OR DISCOVERED BY:
d3m0n

The vendor credits Marijke Stuivenberg.

ORIGINAL ADVISORY:
Joomla!:
http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html

d3m0n:
http://milw0rm.com/exploits/6234

RECENT ARTICLE

RECENT POST