SECUNIA ADVISORY ID:
SA48445

VERIFY ADVISORY:
Secunia.com
http://secunia.com/advisories/48445/
Customer Area (Credentials Required)
https://ca.secunia.com/?page=viewadvisory&vuln_id=48445

RELEASE DATE:
2012-03-16

DESCRIPTION:
A security issue and a vulnerability have been reported in Joomla!, which can be exploited by malicious people to bypass certain security restrictions.

1) Input passed via the "jform[groups]" parameter to index.php when registering a new user is not properly verified before being stored in the session variable. This can be exploited to register a new user with administrator privileges.

2) The security issue is caused by the password generation algorithm producing predictable passwords, which can be exploited to guess a generated password when e.g. a password reset for a user is triggered.

The security issue and vulnerability are reported in versions 2.5.0 through 2.5.2.

SOLUTION:
Update to version 2.5.3.

PROVIDED AND/OR DISCOVERED BY:
1) Jeff Channel.
2) The vendor credits George Argyros and Aggelos Kiayias.

ORIGINAL ADVISORY:
http://www.joomla.org/announcements/release-news/5416-joomla-253-released.html
http://jeffchannell.com/Joomla/joomla-161725-privilege-escalation-vulnerability.html
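The first issue is a mass-assignment flaw: the group membership of a self-registered account is taken from the submitted form instead of from server-side configuration. The following Python model, added here as an illustration and not Joomla code, contrasts a registration handler that trusts a client-supplied "jform[groups]" field with one that discards it, assigns the configured default group, and records the attempt for detection. The group names, the session and audit structures, and the form body are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed configuration: the only group a self-registered account may
# receive. In Joomla this comes from the com_users options, not a constant.
DEFAULT_REGISTRATION_GROUP = "Registered"


def parse_jform(body: str) -> dict:
    """Flatten 'jform[field]' / 'jform[field][]' keys into {field: [values]}."""
    fields = {}
    for key, values in parse_qs(body, keep_blank_values=True).items():
        if not (key.startswith("jform[") and key.endswith("]")):
            continue
        # 'jform[groups][]' -> 'groups][' -> 'groups'; 'jform[username]' -> 'username'
        name = key[len("jform["):].rstrip("]").split("][")[0]
        fields.setdefault(name, []).extend(values)
    return fields


def register_vulnerable(body: str, session: dict) -> dict:
    """Pattern behind the advisory: group list copied straight from the form."""
    form = parse_jform(body)
    session["registration"] = {
        "username": form["username"][0],
        "groups": form.get("groups", [DEFAULT_REGISTRATION_GROUP]),
    }
    return session["registration"]


def register_hardened(body: str, session: dict, audit: list) -> dict:
    """Fix: ignore any client-supplied groups and log that they were sent."""
    form = parse_jform(body)
    username = form["username"][0]
    if "groups" in form:
        # A registration form never legitimately carries a groups field, so its
        # presence is a useful detection signal for the defender.
        audit.append(f"registration for {username!r} sent groups {form['groups']}; ignored")
    session["registration"] = {
        "username": username,
        "groups": [DEFAULT_REGISTRATION_GROUP],  # always the server-side default
    }
    return session["registration"]


# Constructed request body resembling the parameter named in the advisory.
SAMPLE_BODY = "jform[username]=alice&jform[email]=alice%40example.com&jform[groups][]=Administrator"
```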