Joomla! 1.5.6 Security Release
The Joomla! core team has released version 1.5.6 of the Joomla! CMS. This is a security release, and it is a mandatory, immediate upgrade. The rest of this article focuses on the attack itself, what you can do to secure your site, and where to get help if you need it. While the Joomla! Updater is very close to being able to upgrade your Joomla! based websites to the latest version, that functionality is not quite ready for release. In the meantime, you need to perform a manual upgrade of your site.

The Problem
The attack centers around the ability for an anonymous web request to change the password of the first user in the database to one that the attacker knows, but you do not. That user, usually id #62, is typically the "admin" user with "Super Administrator" capabilities, i.e. the site's superuser. This change typically has two consequences:
What To Do
The best defense against this attack is to upgrade your existing website to the latest Joomla! version (1.5.6 as of this writing). But if you can't do that, say because you are running JACL or some other program that "hacks" the Joomla! core, or you simply don't have time at this moment*, there are a few other options. (*Make time.)

There is a 4-line patch you can find on the Joomla Security Blog.

You can change the username of the first user from "admin" to something else. This won't stop people from resetting your password and locking you out, but it may prevent them from getting "in".

You can also insert into the database (as user #61, for example) a "dummy" user who is "blocked". Thus a password reset will have no effect.

Personally, I'm implementing all three options on my site and the sites of my clients: upgrading the core, adding an additional "dummy" user, AND changing the "admin" username to something a little less obvious.

Help Is Available
If you've been locked out, or need a site upgraded or secured, you can put in a single ticket and our professional staff will upgrade your site to 1.5.6 and implement the security fixes described above. The fee is $39.95, and we're aiming for a 4 hour (or less) response time over the next few days. Another source for help is Phil Taylor at Joomla-Expert.com (he charges about 50 GBP per hour ... I think that's ~$100 USD).

One Final Warning
I have a lot of Joomla! sites sitting around, and have "automatically" upgraded them. But that's not enough. If a "bad guy" has reset the admin password on a site you don't normally use, they could "already be in" before you upgraded ... so you need to log into ALL of your sites. If you can log in, you are probably safe, but changing the password doesn't hurt. If you can't log in, then that probably means a bad guy has been there before you, and you need to take appropriate action. These attacks are happening, today.
I have clients who have been locked out, and even the Joomla.org site was defaced. This is not a matter to take lightly, nor one to put off. Drop everything and get your site secured right now. You can find out more from the Joomla! site.
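As an added illustration of the class of bug a password-reset token check has to guard against (this is not the 4-line patch from the Joomla Security Blog, nor the project's own code), the Python below runs a vulnerable and a hardened token lookup against a constructed in-memory table: the vulnerable lookup passes whatever token arrives straight into the query, so an empty token matches the first account with no reset pending, while the hardened lookup rejects any value that is not a well-formed token before it reaches the database. The table layout, column names and the 32-hex-character token format are assumptions for the example.

```python
import re
import sqlite3

# Constructed sample data (assumption): a CMS users table whose "activation"
# column holds a pending password-reset token, or '' when none is pending.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, username TEXT, activation TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (62, "admin", ""),                                  # superuser, no reset pending
        (63, "editor", ""),
        (64, "alice", "f0e1d2c3b4a5968778695a4b3c2d1e0f"),  # genuine pending reset
    ])
    return db

# Vulnerable: the submitted token goes straight into the lookup, so an
# anonymous request carrying an empty token matches the first account
# whose activation column is empty, i.e. the lowest-id active user.
def lookup_vulnerable(db, token):
    row = db.execute(
        "SELECT id FROM users WHERE activation = ? ORDER BY id LIMIT 1",
        (token,)).fetchone()
    return row[0] if row else None

# Hardened: validate the token's shape before it reaches the database,
# so a missing, empty or malformed value can never match a row that
# simply has no reset pending.  Assumed format: 32 lowercase hex chars.
TOKEN_RE = re.compile(r"[0-9a-f]{32}")

def lookup_hardened(db, token):
    if not isinstance(token, str) or TOKEN_RE.fullmatch(token) is None:
        return None
    row = db.execute(
        "SELECT id FROM users WHERE activation = ? LIMIT 1",
        (token,)).fetchone()
    return row[0] if row else None

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, empty token ->", lookup_vulnerable(db, ""))  # 62
    print("hardened, empty token   ->", lookup_hardened(db, ""))    # None
```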
System Requirements
All Joomla! Software requires PHP 5.2 and Joomla 1.5. Software is unencoded (Zend / Ioncube NOT required). Windows servers are not officially supported. Hosting is available.
