Joomla 1.5.25/1.7.3 Released (Security Update)

If you are using Joomla, now is the time to update it. A new version was just released for the 1.5.x and 1.7.x branches, fixing a high priority security issue that allows remote users to change other users' passwords (even the admin account).

More details on the Joomla website and here.

Description:
Weak random number generation during password reset leads to possibility of changing a user’s password.

Affected Installs:

  • Joomla! version 1.5.24 and all earlier 1.5 versions
  • Joomla! version 1.7.2 and all 1.6.x versions

Changelog:

diff -ur joomla-1-5-24/libraries/joomla/user/helper.php joomla-1-5-25/libraries/joomla/user/helper.php
— joomla-1-5-24/libraries/joomla/user/helper.php 2010-01-26 10:10:00.000000000 -0400
+++ joomla-1-5-25/libraries/joomla/user/helper.php 2011-11-13 21:18:53.000000000 -0400
@@ -285,11 +285,6 @@
– $stat = @stat(__FILE__);
– if(empty($stat) || !is_array($stat)) $stat = array(php_uname());

– mt_srand(crc32(microtime() . implode(‘|’, $stat)));

for ($i = 0; $i < $length; $i ++) { $makepass .= $salt[mt_rand(0, $len -1)]; }
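Review bot: dropping the mt_srand(crc32(microtime() . implode('|', $stat))) call is the right fix, since that seed was built from the current microtime() and the stat() data of this file (or php_uname() as a fallback), values with far less than 32 bits of real uncertainty, so the sequence of generated reset passwords was reproducible; note that the remaining loop still draws every character from mt_rand(), which is not a cryptographically secure generator, so consider sourcing the reset password from a CSPRNG (for example openssl_random_pseudo_bytes()) rather than relying on the Mersenne Twister's automatic seeding.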

Please update!
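To make the weakness concrete, the following is an added example (not Joomla's or Sucuri's code) that places the pre-1.5.25 reseeding pattern beside a CSPRNG-backed generator; it assumes PHP 7 or later for random_int(), and the alphabet in $salt is an assumption since the page does not show it.

```php
<?php
declare(strict_types=1);

// Assumed alphabet; the hunk on this page only shows $salt and $len being used.
function saltAlphabet(): string
{
    return 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
}

// The pre-1.5.25 pattern: reseed the Mersenne Twister from a low-entropy value
// right before drawing the reset password. Same seed in, same password out.
function weakResetPassword(int $length, int $seed): string
{
    mt_srand($seed);
    $salt = saltAlphabet();
    $len = strlen($salt);
    $makepass = '';
    for ($i = 0; $i < $length; $i++) {
        $makepass .= $salt[mt_rand(0, $len - 1)];
    }
    return $makepass;
}

// Hardened form: each index comes from random_int(), which is backed by the
// operating system's CSPRNG and is unbiased over [0, $len - 1]; nothing to seed.
function strongResetPassword(int $length): string
{
    $salt = saltAlphabet();
    $len = strlen($salt);
    $makepass = '';
    for ($i = 0; $i < $length; $i++) {
        $makepass .= $salt[random_int(0, $len - 1)];
    }
    return $makepass;
}

// Constructed seed in the shape the old code built it (microtime + stat data).
// Whoever can reproduce that string reproduces the password; the CSPRNG path
// has no such input.
$seed = crc32('0.12345600 1321237133|constructed-stat-value');
$a = weakResetPassword(16, $seed);
$b = weakResetPassword(16, $seed);
echo 'weak, same seed twice: ', ($a === $b ? 'identical' : 'different'), "\n";

$c = strongResetPassword(16);
$d = strongResetPassword(16);
echo 'strong, two draws:     ', ($c === $d ? 'identical' : 'different'), "\n";
```

Run with `php` on the command line: the weak generator prints "identical" for the repeated seed, while the CSPRNG-backed one prints "different".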

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • AML

    I’m trying to purchase your program but I’m having trouble paying through Paypal. I called them, they said it’s not their issue… I am not getting a response from your email team! Please help. I really need to purchase this.

    • http://armeda.com/ Andres Armeda

      Hi, please contact sales sucuri.net and we can work with you from there.

      Thanks,
      Dre

  • eagesa

    Is there one in the market yet?
