- CyberInsecure.com - http://cyberinsecure.com -
Critical Password-Reset Forgery Vulnerability In Joomla
Posted By CyberInsecure On August 13, 2008 @ 12:31 pm In Software, Vulnerabilities | No Comments
A new urgent patch for Joomla fixes a critical password-reset forgery issue that can compromise sites running the Joomla content management system. The open-source group warns in an [1] advisory that the issue affects Joomla version 1.5.5 and all earlier 1.5 releases. An exploit is publicly available and the flaw is already being actively exploited.
The flaw is in the validation of the password-reset token: a token that was never issued can be forged and is accepted as valid. This lets an unauthenticated, unauthorized user reset the password of the first enabled user, i.e. the enabled account with the lowest id, which is typically an administrator. Renaming that first user may lessen the impact, since the attacker who changed the password does not know which username it belongs to, but it does not close the hole. Joomla's maintainers stress that the only complete fix is to upgrade to version 1.5.6 or to patch the /components/com_user/models/reset.php file as described below.
To patch /components/com_user/models/reset.php by hand, add the following immediately after the line global $mainframe; (line 113 of reset.php in 1.5.5). It rejects any token that is not exactly 32 characters long with INVALID_TOKEN before the function does anything else:

    if (strlen($token) != 32) {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }
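The check above is a pure length test. The following added example (written for this page in PHP; it is not Joomla's code) models why that is enough. As a simplification of the real lookup it assumes that confirmReset() matched the submitted token against the users' activation column and that already-activated accounts carry an empty activation value, so a token that is empty after input filtering compares equal to the first enabled user. The user table, the token values and the function names are constructed for the example; the hex-digit test in lookupPatched() is stricter than the patch on the page and is an addition here.

```php
<?php
// Added example, not Joomla's own code: a simplified model of the
// reset-token lookup before and after the 1.5.6 length check.

// Constructed user table, ordered by id as the lowest-id-first lookup
// returns them. The activation column is assumed to be empty for
// accounts that have already been activated.
$users = array(
    array('id' => 62, 'username' => 'admin',   'block' => 0, 'activation' => ''),
    array('id' => 63, 'username' => 'editor',  'block' => 0, 'activation' => ''),
    array('id' => 64, 'username' => 'pending', 'block' => 0,
          'activation' => 'c81e728d9d4c2f636f067f89cc14862c'),
    array('id' => 65, 'username' => 'alice',   'block' => 1, 'activation' => ''),
);

// Unpatched behaviour (model): the first enabled user whose activation
// value equals the supplied token is accepted, whatever the token looks like.
// An empty token therefore matches the first enabled, activated account.
function lookupUnpatched(array $users, $token)
{
    foreach ($users as $u) {
        if ($u['block'] == 0 && $u['activation'] === $token) {
            return $u['id'];
        }
    }
    return false;
}

// Patched behaviour: reject anything that is not a 32-character token before
// the user table is consulted. Joomla's reset tokens are 32-character MD5 hex
// digests, so requiring hex digits as well (an addition here) loses nothing.
function lookupPatched(array $users, $token)
{
    if (!is_string($token) || strlen($token) != 32 || !ctype_xdigit($token)) {
        return false; // what the patch reports as INVALID_TOKEN
    }
    return lookupUnpatched($users, $token);
}

// Constructed inputs: one genuine token and several malformed ones.
$tokens = array(
    'genuine'      => 'c81e728d9d4c2f636f067f89cc14862c',
    'empty'        => '',
    'too short'    => 'abc',
    'wrong length' => str_repeat('a', 31),
    'not hex'      => str_repeat('z', 32),
);

foreach ($tokens as $label => $token) {
    printf("%-13s unpatched=%-5s patched=%s\n", $label,
        var_export(lookupUnpatched($users, $token), true),
        var_export(lookupPatched($users, $token), true));
}
```

Run it with php on the command line. Only the genuine token resolves to a user (id 64) in both versions; the empty token resolves to the first enabled account (id 62, the administrator) in the unpatched model and is refused by the patched one, which is exactly the case the one-line length check closes.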
URL to article: http://cyberinsecure.com/critical-password-reset-forgery-vulnerability-in-joomla/
URLs in this post:
[1] advisory: http://developer.joomla.org/security/news/241-20080801-core-password-remind-functionality.html
CyberInsecure.com 2008