Password remind flaw in Joomla! 1.5.x

One of my sites uses Joomla! and in the last day the admin password was changed. Shit! I thought that I had an intruder. Careful inspection showed that there was nobody on the server besides me - the hacker could have gained my user account, but I remember what I did the last time, so only the password was changed. Now I found out that the hacker used the password remind flaw. After upgrading, I logged into the DB and updated the password with an MD5 hash obtained from the Paj's Home: Crypto... site.

UPDATE jos_users SET password='MD5HASH' WHERE id='???';

Alternatively, I could use this

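-- MD5() rather than PASSWORD(): PASSWORD() produces MySQL's own account-hash format, not the MD5 hash used above
UPDATE jos_users SET password=MD5('???') WHERE id='???';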

but then it is better to remove the .mysql_history file!
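
Added example (not part of the original post): computing the value for jos_users.password locally, so the plaintext is neither typed into a third-party site nor written to .mysql_history. It assumes Joomla! 1.5 also accepts the salted form md5(password+salt):salt alongside the bare MD5 used above; the function names and the user id are hypothetical.

```python
import getpass
import hashlib
import hmac
import re
import secrets
import string

SALT_CHARS = string.ascii_letters + string.digits


def joomla15_hash(password, salt=None):
    """Return 'md5(password + salt):salt' with a random 32-character salt."""
    if salt is None:
        salt = "".join(secrets.choice(SALT_CHARS) for _ in range(32))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify(password, stored):
    """Accept both the salted form and a bare unsalted MD5 hex digest."""
    digest, _, salt = stored.partition(":")
    candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return hmac.compare_digest(candidate, digest.lower())


def update_statement(stored, user_id):
    """Build the UPDATE; only a hash is embedded, never the plaintext."""
    if not re.fullmatch(r"[0-9a-f]{32}(:[A-Za-z0-9]{32})?", stored):
        raise ValueError("not an MD5 or md5:salt value")
    return f"UPDATE jos_users SET password='{stored}' WHERE id={int(user_id)};"


if __name__ == "__main__":
    # getpass keeps the password out of the terminal and shell history.
    new_password = getpass.getpass("New admin password: ")
    stored = joomla15_hash(new_password)
    assert verify(new_password, stored)
    print(update_statement(stored, input("User id: ")))
```

The printed statement can be pasted into the mysql client; what ends up in .mysql_history is then the salted hash rather than the password itself.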
