Joomla 1.7.3 and 1.5.25 security releases: Are they for me?

In case you missed this, the Joomla project has just released two new security-tagged releases for Joomla 1.7 and Joomla 1.5. The official note states: "High Priority - Core - Password Change Vulnerability".

Reading between the lines, it looks like the weak random number generation techniques used in previous versions could lead to unwanted password changes. The obvious question is: since I use Community Builder for my registration and login processes, should I be concerned?

As with any Joomla security release, the CB team spent some time to analyze the vulnerability and to assess the implications for Community Builder, all CB team add-ons, GroupJive and Incubator add-ons, and for the CB community and our own sites and hosting. When serious concerns exist, we inform the CB community through our homepage, our social channels, and our security mailing list.

For this specific Joomla vulnerability we have analyzed and studied the security advisories, the code changes, and the PHP and Linux documentation, clarified unclear areas in discussions, and done real testing. It became clear that three old lines of code, present since Joomla 1.0 and Mambo times to enhance the security of the now obsolete PHP 4.1 (and earlier versions), have the opposite effect with more current PHP releases.

These 3 lines of code are in the function that generates a random password when a user's password request is made using username and e-mail credentials. The three-liner would seed the random sequence generator using only the site installation date and time and the current time in seconds and microseconds. While this might look hard to guess at first glance, in the case where Joomla was installed from a virtual disk image the installation date is known, so only a part of the seed remains unknown and would have to be guessed by a brute force attack.

As the Joomla password reset function cannot be turned off, we highly recommend upgrading your Joomla installation if you are using it from a pre-installed virtual disk, or from a hosting panel installer which gives a fixed installation date. Manual installations are at a slightly lower risk regarding this Joomla vulnerability.

As Community Builder also provides password reset functionality, we have also immediately assessed the security of our own random password generator. Community Builder re-seeds the random sequence, using additional random values from different system parts and system-specific values to generate a truly random seed.

This combination makes the CB random password much stronger and practically immune to brute force attack. Certainly the CB developers' background in banking networking security and bulletproof military-grade cryptography has paid off today: CB 1.7.1 does not have this vulnerability and does not need a new security release.
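To make the difference between the two generators concrete, here is an added example (not Joomla's or Community Builder's code) that models the seeding described above in Python: the weak generator is seeded from the installation timestamp and the current seconds and microseconds, and the hardened generator draws from the operating system's CSPRNG via `secrets` (a stand-in for CB's approach, not its actual implementation). The seed composition, the password alphabet and the entropy estimate are assumptions for illustration.

```python
import math
import random
import secrets
import string

# Assumed password alphabet (letters and digits); not taken from the page.
ALPHABET = string.ascii_letters + string.digits


def weak_seed(install_ts: int, now_sec: int, now_usec: int) -> int:
    """Assumed model of the seed the post describes: the site installation
    time combined with the current time in seconds and microseconds,
    folded into a 32-bit integer. Deterministic by construction."""
    combined = (install_ts * 1_000_000 + now_sec) * 1_000_000 + now_usec
    return combined & 0xFFFFFFFF


def weak_password(install_ts: int, now_sec: int, now_usec: int,
                  length: int = 8) -> str:
    """Password from a PRNG seeded with weak_seed(): the same inputs always
    yield the same password, which is the failure mode of the old code."""
    rng = random.Random(weak_seed(install_ts, now_sec, now_usec))
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def secure_password(length: int = 8) -> str:
    """Password drawn from the OS CSPRNG; no caller-controlled seed exists."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def seed_entropy_bits(install_known: bool, window_seconds: int,
                      install_span_seconds: int) -> float:
    """Rough uncertainty (in bits) left in the weak seed for someone who
    knows the reset happened within `window_seconds`: the microsecond field
    contributes log2(10^6) ~ 20 bits and the seconds field log2(window).
    A fixed installation date (disk image, panel installer) adds nothing;
    otherwise the installation time adds log2(install_span_seconds)."""
    bits = math.log2(window_seconds) + math.log2(1_000_000)
    if not install_known:
        bits += math.log2(install_span_seconds)
    return bits


if __name__ == "__main__":
    # Constructed sample timestamps, not real site values.
    print(weak_password(1_300_000_000, 1_320_000_000, 123_456))
    print(secure_password())
    print(round(seed_entropy_bits(True, 60, 365 * 86_400), 1))
```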

Generally speaking we do recommend keeping all your Joomla and CB installations up to date to keep your sites safe. Joomla 1.7.3 additionally includes another minor security fix in the administration area and 77 bug fixes, so upgrade your Joomla 1.7 installation now!
