ergophobe

msg:3722163 | 4:28 pm on Aug 13, 2008 (gmt 0) |
A little more info:
| A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).
| (from Joomla! Developer [developer.joomla.org])
|
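The advisory above describes the flaw only in outline: the reset code accepts a token that does not actually validate, and the lookup then lands on the first enabled user. The following is an added illustration of that flaw class, not Joomla's code and not a description of the real reset.php. It models a reset-token lookup that runs the "block = 0 AND activation = token" match without checking the submitted token first, beside a hardened version. The user table, the idle value of the token column, and the 32-hex-character token format are assumptions made for the example.

```python
"""
Model of the flaw class named in the advisory quoted above: a reset-token lookup
that never validates the submitted token before matching it against the user
table. Added illustration, not Joomla's code. The table layout, the token format
(32 hex characters) and the user records are assumptions made for the example.
"""
import hmac
import secrets
import string

# Constructed user table. 'activation' is assumed to hold the pending reset token
# and to be empty for every account that has no reset in progress.
USERS = [
    {"id": 62, "username": "admin",   "block": 0, "activation": ""},
    {"id": 63, "username": "editor",  "block": 0, "activation": ""},
    {"id": 64, "username": "retired", "block": 1, "activation": ""},
]

TOKEN_LEN = 32  # assumed token format: 32 hex characters


def _enabled_users_by_id(users):
    """Enabled accounts in ascending id order, the order a 'first match' query returns."""
    return sorted((u for u in users if u["block"] == 0), key=lambda u: u["id"])


def lookup_vulnerable(users, token):
    """Equivalent of 'SELECT ... WHERE block = 0 AND activation = <token>' with no
    check on <token>. A submitted token that equals the column's idle value (here,
    the empty string) matches every enabled user, and the lowest id wins: usually
    the administrator created at install time."""
    for u in _enabled_users_by_id(users):
        if u["activation"] == token:
            return u
    return None


def lookup_fixed(users, token):
    """Hardened lookup: reject malformed tokens before the query, never match a
    stored token that is empty, and compare in constant time."""
    if not isinstance(token, str) or len(token) != TOKEN_LEN:
        return None
    if any(c not in string.hexdigits for c in token):
        return None
    for u in _enabled_users_by_id(users):
        stored = u["activation"]
        if stored and hmac.compare_digest(stored, token):
            return u
    return None


def issue_reset_token(user):
    """Start a reset: store a fresh random token on the account and return it."""
    token = secrets.token_hex(TOKEN_LEN // 2)
    user["activation"] = token
    return token


def consume_reset_token(users, token, lookup=lookup_fixed):
    """Complete a reset: resolve the token, then clear it so it is single-use."""
    user = lookup(users, token)
    if user is not None:
        user["activation"] = ""
    return user


if __name__ == "__main__":
    # Constructed walk-through: the empty token is accepted by the unchecked lookup
    # and resolves to the lowest-id enabled account.
    print("vulnerable, empty token ->", lookup_vulnerable(USERS, ""))
    print("fixed, empty token      ->", lookup_fixed(USERS, ""))
    t = issue_reset_token(USERS[1])
    print("fixed, real token       ->", consume_reset_token(USERS, t)["username"])
```

The three checks in lookup_fixed are the ones to look for when reviewing any reset flow: the submitted value is validated for shape before it reaches the query, a stored "no token" value can never be matched, and the token is cleared once used.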
wrockca

msg:3722166 | 4:32 pm on Aug 13, 2008 (gmt 0) |
Thx for the update...
|
ergophobe

msg:3722222 | 5:27 pm on Aug 13, 2008 (gmt 0) |
Cheers. The patch looks real simple if you don't want to do the full upgrade.
|
bateman_ap

msg:3722954 | 2:34 pm on Aug 14, 2008 (gmt 0) |
That first link seems to have been moved, try [joomla.org...]
|
ecmedia

msg:3722956 | 2:41 pm on Aug 14, 2008 (gmt 0) |
Apparently it does not affect all installations. All 1.5.x installs prior to and including 1.5.5 are affected. There is a whole set of 1.0.X installations that are different.
|
bateman_ap

msg:3722957 | 2:44 pm on Aug 14, 2008 (gmt 0) |
The 1.5.5-6 process is very simple just doing a patch update. Took around 7 seconds all in all!
|
BillyS

msg:3723496 | 2:33 am on Aug 15, 2008 (gmt 0) |
>>The 1.5.5-6 process is very simple just doing a patch update. Took around 7 seconds all in all!

I don't want people to be misled about the right amount of time to do an update. Even a simple update should take some thought...

1. Back up all files including your existing joomla installation and database.
2. Copy the existing site to a new location (let's call this a test site) where you're going to apply the patch.
3. Apply the patch to your test site location.
4. Switch from your existing site to the test site and make sure everything is working. (If not, just switch back to the old location.)
5. Once you're totally convinced the new site is working properly backup everything again and delete the old installation.

Skip a step and you're relying on luck. Take these precautions and you're a webmaster.
|
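The staged-upgrade routine in the post above, as an added script that is not from the thread or from Joomla. It backs up the live tree, copies it to a test location, applies the patch to the copy, switches over, and switches back if a smoke test fails; the old tree is never deleted, since that is step 5 and is for after the operator is convinced. Two assumptions: the web root is a symlink that gets re-pointed to switch sites, and the database dump from step 1 is done separately with the site's own tooling because it needs live credentials.

```python
"""
Added illustration of the staged-upgrade routine described in the post above.
Not from the thread or from Joomla. Assumptions: the web root is a symlink that is
re-pointed to switch sites, and the database backup (part of step 1) is taken
separately with the site's own tooling, since it needs credentials.
"""
import os
import shutil
import tarfile
import tempfile
import time
from pathlib import Path


def backup_tree(site_dir, backup_dir):
    """Archive a site tree to a timestamped tarball; returns the archive path."""
    site_dir, backup_dir = Path(site_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{site_dir.name}-{time.time_ns()}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
    return archive


def stage_copy(site_dir, staging_dir):
    """Copy the live tree to a fresh test location; refuses to reuse an existing one."""
    staging_dir = Path(staging_dir)
    if staging_dir.exists():
        raise FileExistsError(f"staging location already exists: {staging_dir}")
    shutil.copytree(site_dir, staging_dir)
    return staging_dir


def apply_patch(staging_dir, patched_files):
    """Overwrite the patched files in the test copy only.
    patched_files maps a path relative to the site root to its new contents."""
    for rel, content in patched_files.items():
        target = Path(staging_dir) / rel
        if not target.is_file():
            raise FileNotFoundError(f"patch targets a file that is not there: {rel}")
        target.write_text(content)


def switch_to(live_link, target_dir):
    """Re-point the web root symlink at target_dir and return the previous target.
    The swap is a single rename, so clients never see a missing root."""
    live_link = Path(live_link)
    if live_link.exists() and not live_link.is_symlink():
        raise RuntimeError(f"{live_link} is a real directory, not a symlink; refusing")
    previous = Path(os.readlink(live_link)) if live_link.is_symlink() else None
    tmp_link = live_link.with_name(live_link.name + ".switching")
    if tmp_link.is_symlink():
        tmp_link.unlink()
    os.symlink(Path(target_dir), tmp_link)
    os.replace(tmp_link, live_link)
    return previous


def smoke_test(site_root, checks):
    """Crude 'make sure everything is working': each relative path must exist and
    contain the expected text. A real check would fetch pages over HTTP."""
    root = Path(site_root)
    return all((root / rel).is_file() and needle in (root / rel).read_text()
               for rel, needle in checks.items())


def staged_upgrade(live_link, backup_dir, staging_dir, patched_files, checks):
    """Steps 1-4 of the post. True if the patched copy is now live; on a failed
    smoke test the link is switched back and False is returned. The old tree
    is left in place (step 5 is a separate, later decision)."""
    site_dir = Path(os.readlink(live_link))
    backup_tree(site_dir, backup_dir)
    stage_copy(site_dir, staging_dir)
    apply_patch(staging_dir, patched_files)
    previous = switch_to(live_link, staging_dir)
    if smoke_test(live_link, checks):
        return True
    switch_to(live_link, previous)
    return False


def run_demo():
    """Constructed scenario in a scratch directory: one upgrade whose patch passes
    the smoke test, then one whose patch breaks it and is rolled back."""
    root = Path(tempfile.mkdtemp(prefix="staged-upgrade-"))
    try:
        site = root / "site-1.5.5"
        (site / "components/com_user/models").mkdir(parents=True)
        (site / "components/com_user/models/reset.php").write_text("<?php // 1.5.5\n")
        (site / "index.php").write_text("<?php echo 'ok';\n")
        live = root / "htdocs"
        os.symlink(site, live)
        good = staged_upgrade(live, root / "backups", root / "site-1.5.6",
                              {"components/com_user/models/reset.php": "<?php // 1.5.6\n"},
                              {"components/com_user/models/reset.php": "1.5.6", "index.php": "ok"})
        live_after_good = os.readlink(live)
        bad = staged_upgrade(live, root / "backups", root / "site-broken",
                             {"index.php": "<?php // half-applied patch\n"},
                             {"index.php": "ok"})
        live_after_bad = os.readlink(live)
        backups = len(list((root / "backups").glob("*.tar.gz")))
    finally:
        shutil.rmtree(root)
    return {
        "good_switched": good and live_after_good.endswith("site-1.5.6"),
        "bad_rolled_back": (not bad) and live_after_bad.endswith("site-1.5.6"),
        "backups_taken": backups,
    }
```

Running `run_demo()` exercises both paths: the good patch ends with the link on the new tree, the broken patch ends with the link back on the previous tree, and a backup exists for each attempt. The symlink swap is what makes "switch back to the old location" a one-step operation rather than a restore.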
ergophobe

msg:3723904 | 4:26 pm on Aug 15, 2008 (gmt 0) |
Not advocating living dangerously, but just FYI this particular patch is only a line or two in a single file. No matter. Upgrade time is always a good occasion for a comprehensive backup. Of course, your aggressive archiving strategy obviates the need for such measures, right? Right?
|
BillyS

msg:3724187 | 12:31 am on Aug 16, 2008 (gmt 0) |
I see a lot of posts that start with - How can I recover my website. Simple patches are simple, and yes, yes, I agree this is a good time to do a comprehensive backup (I thought that was what I was saying...).
|
ergophobe

msg:3724766 | 5:24 am on Aug 17, 2008 (gmt 0) |
I understood what you were saying. I was just saying that knowing that I have a daily DB archive, I will sometimes risk a simple change that does not affect the underlying data (i.e. a small change in one file). I'm not advocating it, but I do it.
|