Joomla 1.5.x Exploit – How to fix

Sites being hacked, friends calling me to ask to fix, and long explanations about why this is happening, just drove me a little bit stressed, so I have decided to write a small how to for fixing this issue.

There are 3 basic steps that you need to do to fix a hacked Joomla 1.5.x website. It’s very simple, but you will need access to a FTP of your website.

1st. Restore the index.php file that is currently on your website. There’s a good chance that it have been replaced to a hacked one. If you don’t have one backup of your website (big mistake) download a newer version from Joomla and copy the index.php to your website.

2nd. Fix or replace the /components/com_user/models/reset.php file. For fixing is simple:

After global $mainframe; on line 113 of reset.php, add:

if(strlen($token) != 32) {
	$this->setError(JText::_('INVALID_TOKEN'));
	return false;
}

I have made a fix on this file and if you want to download it, be my guest, just hit here.

3rd. Ask for another password for your administrator user. For that you just need to write the site url and add this: index.php?option=com_user&view=reset.

The url will be something like this: http://www.yourDomainName.com/index.php?option=com_user&view=reset

Note: before you do this, be sure that you have access as a super administrator of the site, otherwise you might have a bigger headache to take care of.

Joomla 1.5 password reset exploit

Today I had one of my clients hacked with a recent exloit of the Joomla 1.5.x family. The exploit allows you to easily reset the first user password which usually is the administrator user. After some digging I could find how to reproduce the exploit and guess what, even a 5 years old could perform that. It’s so simple that’s scary.

Anyway if you are currently using Joomla 1.5.x you should upgrade it to 1.5.6.

More info at: http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html