Joomla 1.5.25/1.7.3 Released (Security Update)

If you are using Joomla, now is the time to update it. A new version was just released for the 1.5.x and 1.7.x branches fixing a high priority security issue that will allow remote users to change other users passwords (even on admin account).

More details on the Joomla website and here.

Description:
Weak random number generation during password reset leads to possibility of changing a user’s password.

Affected Installs:

  • Joomla! version 1.5.24 and all earlier 1.5 versions
  • Joomla! versions: 1.7.2 and all 1.6.x versions

Changelog:

diff -ur joomla-1-5-24/libraries/joomla/user/helper.php joomla-1-5-25/libraries/joomla/user/helper.php
— joomla-1-5-24/libraries/joomla/user/helper.php 2010-01-26 10:10:00.000000000 -0400
+++ joomla-1-5-25/libraries/joomla/user/helper.php 2011-11-13 21:18:53.000000000 -0400
@@ -285,11 +285,6 @@
– $stat = @stat(__FILE__);
– if(empty($stat) || !is_array($stat)) $stat = array(php_uname());

– mt_srand(crc32(microtime() . implode(‘|’, $stat)));

for ($i = 0; $i < $length; $i ++) {
$makepass .= $salt[mt_rand(0, $len -1)];
}

Please update!

Scan your website for free:
About David Dede

Sucuri Security bot (crazy work) - Malware research updates, sucuri news and more.