There is always a great deal of Joomla! development activity underway and communicating with other developers in the community is essential. This site is a resource for anyone looking to build or maintain software based on the Joomla platform

  • Project: Joomla!
  • SubProject: com_user
  • Severity: Critical
  • Versions: 1.5.5 and all previous 1.5 releases
  • Exploit type: Password Reset Forgery
  • Reported Date: 2008-August-12
  • Fixed Date: 2008-August-12

Description

A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note, that changing the first users username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).

Affected Installs

All 1.5.x installs prior to and including 1.5.5 are affected.

Solution

Upgrade to latest Joomla! version (1.5.6 or newer), or patch /components/com_user/models/reset.php with the code below:

After global $mainframe; on line 113 of reset.php, add:

if(strlen($token) != 32) {
	$this->setError(JText::_('INVALID_TOKEN'));
	return false;
}

Contact

This email address is being protected from spambots. You need JavaScript enabled to view it.

Reported By: Joomla! Bug Squad Member Marijke Stuivenberg

As news came out today that there’s a vulnerability on HTTP_PROXY infecting CGI application on PHP, Python, Go and others known as httpoxy. The Production Leadership Team and the Joomla! Project wants to raise awareness of this to it’s users.

The Joomla! core itself is not affected in any way by this vulnerability, but third party extensions using specific PHP libraries might be. As of now we have no further information on which third parties extensions may use any affected libraries, so we ask all of our users to check with their extension providers to see if their extension might be affected. The HTTP protocol is used to make requests for information on the Internet, such as to load a web page, image file, or data from a RESTful API.

More information on the vulnerability can be found at : https://httpoxy.org/

For example we know the Guzzle library (a very popular one) is affected, therefore it’s recommended to update the library as soon as possible. For this specific library you can find a fix on github at the following link : https://github.com/guzzle/guzzle/commit/9d521b23146cb6cedd772770a2617fd6cbdb1596 or via Composer.

If you are not sure what libraries are used by your Third Party extension providers, please contact them. If you see updates in the next few days from these developers, please apply them.


Joomla! raises awareness on the HTTP_PROXY vulnerability

The Joomla UX team is conducting research to improve future versions of Joomla and we want your feedback! The goal of this survey is to gather user feedback regarding the recent Joomla 3.5 release. The feedback we receive will shape the direction of our process and our future research efforts.

This survey is fairly short and simple, it should take around 5 to 10 minutes to complete. The more feedback we get the more we can help our users - including you!. Please share this survey with your local Joomla communities, JUG groups, and spread the word on social media.

Take the Joomla 3.5 survey now!


Joomla 3.5: We Want Your Feedback

After feedback from the community the PLT agreed at their meeting on Sunday 1st May 2016 to release the improvements to the Joomla Update Component, containing a reinstall button and reinstating the ability to update Joomla via file upload, as soon as possible.

With our versioning policy (available at https://developer.joomla.org/news/586-joomla-development-strategy.html) this means that we must make a minor release. As a result rather than making a 3.5.2 release we will instead make a 3.6.0 release.

The features that originally were planned to ship with 3.6 (for example the refactored routing system and the custom fields component) will now be made in a 3.7 release. The timescale for the 3.7 release will be roughly unchanged and will still be led by Chris Davenport.

The full PLT minutes for this meeting will be published very soon in the usual reports section on the volunteer portal and will contain the planned release dates for 3.6.


Version Number Shifting