There has been a spate of hacking against the popular open source software package Joomla, using a password-reset forgery attack to reset the administrative password on a Joomla-powered site.
This hack was originally reported and fixed on August 12th 2008 on the Joomla web site, but many sites that did not upgrade in time have since been hacked fairly badly and now serve up malware and other nasty bugs. The problem is that there is no specific patch for this issue; instead you need to upgrade to Joomla version 1.5.6, so those using a hosting company's package are either not able to update or are not paying enough attention to contact the ISP and have the package updated. In this case, if the ISP is providing the Joomla package, the user is truly on their own. Joomla reports that:
A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file). Affected installs: all 1.5.x installs prior to and including 1.5.5 are affected.
Source: Joomla Security

However, Belsec reports that there are deep issues with the fix/workaround for this issue.
When an exploit is out it is a rat race between the vulnerable and the attackers. It is the enormous responsibility of the distributors of the software to get out the patch and to manage the operation until the situation is under control again. This is not the case with Joomla and this seems to be growing out of control. The problem for the security community is that now a whole infrastructure of hacked websites is being set up that can be used to install viruses, illegal downloads, spamming pages, attack scripts and whatever you would like to place on another page and not your own.
Source: Belsec

While many of us are familiar with the release patching system, an upgrade to a completely new version, even a minor version, can be difficult. This is not an easy issue; it is like getting some 200 patches from Oracle: you have to test the system, make sure that things cross over well, make sure that all the dependencies are addressed and, if needed, ramp up some internal coding resources to fix or address those dependencies. Changing the first user's name is an acceptable workaround if people remember that they changed their login name. If the install is an older one, there may be dependencies on the naming convention where remote management is involved, or where remote systems, built with poor coding practices, latch onto Joomla in an automated fashion to gather data. Those dependencies are also something that needs to be addressed. There is also a chunk of code that can be used to reject any reset token whose length is not 32; however, that check can generally be worked around by the attacker's own code, which then continues hacking the Joomla system. This is not a security patch; it is a code workaround that is easily bypassed.
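To make the mechanism concrete, here is an added Python example that is not code from Joomla or from this post. It models the non-validating lookup the advisory describes (a token that was never issued still matches the first enabled user, lowest id first) and contrasts it with a hardened validator that binds each token to one user, expires it, makes it single-use, and compares it in constant time. The user table, the column names, the `ResetTokenStore` class and the one-hour lifetime are constructed assumptions, not Joomla's schema or API.

```python
import hmac
import secrets
import time

# Constructed sample user table (an assumption, not Joomla's schema). Enabled
# accounts have block == 0; the reset/activation column is empty until a reset
# is requested. The lowest-id enabled user is the administrator, as the
# advisory describes.
USERS = [
    {"id": 62, "username": "admin", "block": 0, "activation": ""},
    {"id": 63, "username": "editor", "block": 0, "activation": ""},
    {"id": 64, "username": "guest", "block": 1, "activation": ""},
]


def weak_lookup(users, token):
    """Model of a non-validating check: select the first enabled user whose
    stored column equals the submitted token. Nothing proves a reset was ever
    requested for that account, so a submitted value equal to the column's
    idle state matches the lowest id, which is typically the administrator."""
    for user in sorted(users, key=lambda u: u["id"]):
        if user["block"] == 0 and user["activation"] == token:
            return user
    return None


class ResetTokenStore:
    """Hardened validator (assumed design): tokens are random, bound to one
    user id, expire, are single-use, and are compared in constant time."""

    TOKEN_LEN = 32       # hex length of secrets.token_hex(16); mirrors the 32-length check
    TTL_SECONDS = 3600   # assumed token lifetime

    def __init__(self, users):
        self.users = {u["id"]: u for u in users}
        self.pending = {}  # user id -> (token, expiry timestamp)

    def issue(self, username, now=None):
        """Create a token for an enabled account; return None if there is none."""
        now = time.time() if now is None else now
        for user in self.users.values():
            if user["username"] == username and user["block"] == 0:
                token = secrets.token_hex(16)
                self.pending[user["id"]] = (token, now + self.TTL_SECONDS)
                return token
        return None

    def validate(self, user_id, token, now=None):
        """True only if a live token exists for exactly this user and matches."""
        now = time.time() if now is None else now
        if not isinstance(token, str) or len(token) != self.TOKEN_LEN:
            return False                      # empty or malformed tokens never reach the lookup
        entry = self.pending.get(user_id)     # keyed by user, never by token content
        if entry is None:
            return False
        expected, expiry = entry
        if now > expiry:
            del self.pending[user_id]         # expired: discard it
            return False
        if not hmac.compare_digest(expected, token):
            return False
        del self.pending[user_id]             # single use
        return True
```

The length check on its own only filters malformed input; what actually closes the hole is that `validate` is keyed by the user id and only succeeds when a token was issued for that user and is still live, so there is no lookup that a never-issued value can satisfy.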
While belsec rails against the amount of time it has taken Joomla users to update their systems, especially those Joomla installs that are packaged as part of an ISP package, there is not much users will be able to do here, as it will fall to the ISP to do the updates across all the installs.
About the Author:
Dan Morrill runs Techwag, a site all about his views on social media, education, technology, and some of the more interesting things that happen on the internet. He works at CityU of Seattle as the Program Director for the Computer Science, Information Systems and Information Security educational programs.