Daily cyber threats and internet security news: network security, online safety and latest security alerts
August 13th, 2008

Critical Password-Reset Forgery Vulnerability In Joomla

A new urgent patch for Joomla fixes a critical password-reset forgery issue that could compromise a site running the Joomla content management system. The open-source group warns in an advisory that the issue affects Joomla version 1.5.5 and all previous 1.5 releases. The exploit is publicly available and is already being actively exploited.

A flaw in the reset token validation mechanism allows non-validating tokens to be forged. This allows an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, Joomla maintainers warn that the only way to completely rectify the issue is to upgrade to version 1.5.6 or patch the /components/com_user/models/reset.php file.

In order to patch /components/com_user/models/reset.php, add the following immediately after the line "global $mainframe;" (line 113 of reset.php), so that a token of the wrong length is rejected before it is ever looked up:

if(strlen($token) != 32) {
    return false;
}
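To show why the 32-character check closes the hole, here is an added PHP illustration (not Joomla's code; the sample user table, the filter_alnum helper and the find_user_for_reset function are assumptions) that sanitizes the submitted token, rejects any value that is not exactly 32 characters, and only then compares it against each enabled user's stored activation value:

```php
<?php
// Added illustration of the guard from the advisory (not Joomla's own code).
// Assumptions: users are rows with 'id', 'block' and 'activation' fields,
// and a pending reset stores a 32-character token in 'activation'.

// Constructed sample table: the first enabled user (lowest id) has no
// pending reset, so its activation field is empty, which is the usual state.
$users = [
    ['id' => 1, 'block' => 0, 'activation' => ''],
    ['id' => 2, 'block' => 1, 'activation' => ''],
    ['id' => 3, 'block' => 0, 'activation' => 'a3f1c9e7b2d4058f6e1a2b3c4d5e6f70'],
];

// Assumed stand-in for an "alphanumeric only" request filter: anything that
// is not a letter or digit is stripped, so junk input can shrink to ''.
function filter_alnum(string $raw): string {
    return preg_replace('/[^a-zA-Z0-9]/', '', $raw);
}

// The guard from the advisory: a genuine reset token is always 32 characters,
// so anything else (including the empty string left after filtering) is
// refused before any database lookup takes place.
function token_has_valid_shape(string $token): bool {
    return strlen($token) === 32;
}

// Returns the id of the enabled user whose pending reset matches, or null.
function find_user_for_reset(array $users, string $rawToken): ?int {
    $token = filter_alnum($rawToken);
    if (!token_has_valid_shape($token)) {
        return null;
    }
    foreach ($users as $u) {
        // Constant-time comparison; an empty stored activation can never
        // match here because empty tokens were already rejected above.
        if ($u['block'] === 0 && hash_equals($u['activation'], $token)) {
            return $u['id'];
        }
    }
    return null;
}

var_dump(find_user_for_reset($users, 'a3f1c9e7b2d4058f6e1a2b3c4d5e6f70')); // genuine pending reset
var_dump(find_user_for_reset($users, ''));   // empty token: refused by the guard
var_dump(find_user_for_reset($users, '!!')); // filtered down to '': also refused
```

Without the length guard, the empty token would reach the comparison and match the first enabled user, whose activation field is empty simply because no reset is pending.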
