Our Joomla site got compromised and the attacker replaced my template's index.php with his ugly page: a "Compromised" heading plus some Arabic lines in red. Apparently, the attacker somehow reset the password (and the current email address too) of the first user in the users table, which was the super user, and gained access to the administration panel.
After carrying out a quick recovery, I searched the internet to avoid future hacking attempts and found this article: Security News - Core - Password Remind Functionality
I applied the code from it to patch my reset.php.
However, I still have doubts. The article does not say anything about how exactly the exploit works. But I read somewhere online that it is actually an SQL injection vulnerability in reset.php.
The line executing the SQL to check the token:
$db->setQuery('SELECT id FROM #__users WHERE block = 0 AND activation = '.$db->Quote($token));
is using the JDatabase::Quote() method. So how exactly does an SQL injection become possible? Isn't Quote supposed to prevent SQLi? The Joomla version of the attacked website is 1.5.18.
Another doubt is about the patch checking only for a string length of 32. How could that prevent the exploit?
I am wondering: if the SQLi can really get past the Quote method, then wouldn't a string of length 32 be enough to bypass that WHERE clause?
if(strlen($token) != 32)
The issue could be that the token value wasn't validated at all, only cleaned of non-alphanumeric characters. And the exploit was to just enter a single ' which was stripped out, so that the effective token value was an empty string, which resulted in something like this:
SELECT id FROM #__users WHERE block = 0 AND activation = ""
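To make the answer's point concrete, here is an added example (not Joomla's code, only a model of its reset.php token flow against a constructed users table) showing that Quote() is never bypassed: the alphanumeric filter turns a lone quote into an empty token that matches every activated account, and the 32-character length check from the advisory rejects it before the query is ever built.

```php
<?php
// Added example, not Joomla's code: models the reset.php token handling
// discussed above. The #__users rows are a constructed sample.
$users = [
    ['id' => 62, 'block' => 0, 'activation' => ''],                                 // super user, already activated
    ['id' => 63, 'block' => 0, 'activation' => 'c6e4d1a5b9f2e3a7c8d0b1f4e5a6d7c9'], // user with a pending reset
    ['id' => 64, 'block' => 1, 'activation' => ''],                                 // blocked account
];
// Joomla 1.5 fetched the token with the 'alnum' filter: every character
// outside [A-Za-z0-9] is dropped, so a lone quote turns into ''.
function cleanToken(string $raw): string {
    return preg_replace('/[^A-Za-z0-9]/', '', $raw);
}
// Approximation of JDatabase::Quote(): escape and wrap in single quotes.
function quote(string $value): string {
    return "'" . addslashes($value) . "'";
}
function buildQuery(string $token): string {
    return 'SELECT id FROM #__users WHERE block = 0 AND activation = ' . quote($token);
}
// Vulnerable flow: Quote() works (no injection), but '' is a legitimate
// value and every activated account has an empty activation column.
function vulnerableLookup(array $users, string $raw): ?int {
    $token = cleanToken($raw);
    foreach ($users as $u) {
        if ($u['block'] === 0 && $u['activation'] === $token) {
            return $u['id'];
        }
    }
    return null;
}
// Patched flow: the advisory's length check. A genuine token is exactly
// 32 alphanumerics, so '' (and any mangled value) never reaches the query.
function patchedLookup(array $users, string $raw): ?int {
    $token = cleanToken($raw);
    if (strlen($token) != 32) {
        return null;
    }
    return vulnerableLookup($users, $token);
}

foreach (["'", 'c6e4d1a5b9f2e3a7c8d0b1f4e5a6d7c9'] as $raw) {
    printf("input %-36s query: %s\n", var_export($raw, true), buildQuery(cleanToken($raw)));
    printf("  vulnerable -> %s, patched -> %s\n",
        var_export(vulnerableLookup($users, $raw), true), var_export(patchedLookup($users, $raw), true));
}
```

With the lone quote the vulnerable lookup returns user 62 (the first activated account, here the super user) while the patched one returns NULL; the genuine 32-character token resolves to user 63 in both.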