Fixing the Joomla! 1.5 password remind vulnerability

August 28, 2008

I recently discovered that I was unable to use my administrator password to log into a couple of my Joomla! 1.5 websites. After a little searching on the web I realised that I had fallen victim to a security flaw in Joomla! 1.5 versions prior to 1.5.6.

I made the suggested change to /components/com_user/models/reset.php that had been posted on the Joomla! developer site, but that change only protects from subsequent attacks. I needed to mend an attack which had already occurred. That is, I needed to restore my password. These are the steps that I followed to do this:

I went into cPanel and into PHPMyAdmin.

I selected the jos_users table and clicked “Export”. I then exported the database table as SQL into a text file. This was partly a precaution in case I messed up the password restore.

I opened the file with Notepad++ (any other good text editor will do).

I looked for the insert statement that inserted the Super Administrator. The password field for the insertion looked something like “985fe88882d72fae432eee81b3b2f59b:05c12a287334386c94131ab8aa00d08a”.

I entered the string “mypassword05c12a287334386c94131ab8aa00d08a” into my favourite md5 hash generator and clicked on the button marked “md5”. That is, I entered my Super Administrator password ("mypassword") and appended to the end of it the string I found in the password field to the right of the colon (the seed hash) taking care, of course, not to leave any spaces at the end of the string.

I then took the resulting hash (in this case the hash was “10d366769b43167605bc63536bc019d5”) and cut and pasted the following string into my text editor: “10d366769b43167605bc63536bc019d5:05c12a287334386c94131ab8aa00d08a”. That is, I created a string which used the same seed hash (the hash to the right of the colon) as before but which had a new password hash (the hash to the left of the colon).

I now needed to change the password field of the Super Administrator to this new string. I went back into PHPMyAdmin and clicked on “Browse” for the jos_users table to discover the id of my Super Administrator (in my case it was 67).

I clicked on the “SQL” tab in PHPMyAdmin and entered an SQL statement to update the row. In my case (with id=67), I used:

UPDATE `jos_users` SET password = '10d366769b43167605bc63536bc019d5:05c12a287334386c94131ab8aa00d08a' WHERE id=67

I clicked on “Browse” to check that the change had been made. And then I tried using my administrator password... and it worked.

I imagine that a great number of Joomla! 1.5 websites have been hit by this attack, so I hope this post prevents someone from tearing out all their hair.