The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.6 [Vusani]. This is a quick turnaround security release to address a high level security issue and it is recommended all users upgrade immediately.
[joomla.org...]
A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).
(from Joomla! Developer [developer.joomla.org])
I don't want people to be misled about the right amount of time to do an update. Even a simple update should take some thought...
1. Back up all files including your existing Joomla installation and database.
2. Copy the existing site to a new location (let's call this a test site) where you're going to apply the patch.
3. Apply the patch to your test site location.
4. Switch from your existing site to the test site and make sure everything is working. (If not, just switch back to the old location.)
5. Once you're totally convinced the new site is working properly, back up everything again and delete the old installation.
Skip a step and you're relying on luck. Take these precautions and you're a webmaster.
[edited by: BillyS at 2:33 am (utc) on Aug. 15, 2008]
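A sketch of the file side of steps 1 to 3 above, plus a check to run before the switch in step 4. It is an added example, not part of the original posts or of the Joomla! project. The function names and all directory arguments are assumptions; the database backup and the patch application itself are not covered.

```shell
#!/bin/sh
# Added example: stage a copy of the site for a single-file patch, then
# confirm the patched copy differs from the live tree only in the file
# named in the advisory. Function names and paths are assumptions.

PATCHED_FILE="components/com_user/models/reset.php"   # path from the advisory

# Steps 1-2 (files only): archive the live tree, then copy it to a test location.
# usage: stage_copy LIVE_DIR TEST_DIR BACKUP_TARBALL  (tarball outside LIVE_DIR)
stage_copy() {
    live=$1; test_dir=$2; backup=$3
    if [ ! -d "$live" ]; then echo "no such site: $live" >&2; return 1; fi
    if [ -e "$test_dir" ]; then echo "refusing to overwrite $test_dir" >&2; return 1; fi
    tar -czf "$backup" -C "$live" . || return 1
    mkdir -p "$test_dir" && cp -Rp "$live"/. "$test_dir"/
}

# List every file that was changed, added or removed between the two trees.
# usage: changed_files LIVE_DIR TEST_DIR
changed_files() {
    live=$1; test_dir=$2
    { ( cd "$live" && find . -type f ); ( cd "$test_dir" && find . -type f ); } |
    sort -u | while IFS= read -r f; do
        # cmp -s is also non-zero when the file is missing on one side
        if ! cmp -s "$live/$f" "$test_dir/$f"; then
            printf '%s\n' "${f#./}"
        fi
    done
}

# Succeeds only if reset.php is the one and only difference, i.e. the
# patch was applied to the test copy and nothing else was touched.
# usage: patch_is_isolated LIVE_DIR TEST_DIR
patch_is_isolated() {
    [ "$(changed_files "$1" "$2")" = "$PATCHED_FILE" ]
}
```

Run `patch_is_isolated` after patching the test copy and before switching over; an empty `changed_files` listing means the patch never landed, and extra entries mean something other than reset.php changed.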