Joomla 1.5.25/1.7.3 Released (Security Update)

If you are using Joomla, now is the time to update it. A new version was just released for the 1.5.x and 1.7.x branches fixing a high priority security issue that will allow remote users to change other users passwords (even on admin account).

More details on the Joomla website and here.

Weak random number generation during password reset leads to possibility of changing a user’s password.

Affected Installs:

  • Joomla! version 1.5.24 and all earlier 1.5 versions
  • Joomla! versions: 1.7.2 and all 1.6.x versions


diff -ur joomla-1-5-24/libraries/joomla/user/helper.php joomla-1-5-25/libraries/joomla/user/helper.php
— joomla-1-5-24/libraries/joomla/user/helper.php 2010-01-26 10:10:00.000000000 -0400
+++ joomla-1-5-25/libraries/joomla/user/helper.php 2011-11-13 21:18:53.000000000 -0400
@@ -285,11 +285,6 @@
– $stat = @stat(__FILE__);
– if(empty($stat) || !is_array($stat)) $stat = array(php_uname());

– mt_srand(crc32(microtime() . implode(‘|’, $stat)));

for ($i = 0; $i < $length; $i ++) { $makepass .= $salt[mt_rand(0, $len -1)]; }

Please update!

About David Dede

David Dede is a Security Researcher at Sucuri. He spends most of his time dissecting vulnerabilities and security issues. You won't find him on Twitter because he is paranoid about privacy.

  • AML

    I’m trying to puchase your program but I’m having trouble paying through Paypal. I calledthem they said it’s not their issue…I am not getting a response from your email team! Please help. I really need to purchase this.

    • Andres Armeda

      Hi, please contact sales and we can work with you from there.


  • eagesa

    Is there one in the market yet?

Share This