Joomla! Predictable Password Generation And Information Disclosure Vulnerabilities

Bugtraq ID:	52750
Class:	Unknown
CVE:	CVE-2012-1598 CVE-2012-1599
Remote:	Yes
Local:	No
Published:	Mar 28 2012 12:00AM
Updated:	Mar 19 2015 09:17AM
Credit:	George Argyros,Aggelos Kiayias and Cyrille Barthelemy
Vulnerable:	Joomla Joomla! 2.5.3 Joomla Joomla! 2.5.2 Joomla Joomla! 2.5.1 Joomla Joomla! 2.5 Joomla Joomla! 1.5.23 Joomla Joomla! 1.5.22 Joomla Joomla! 1.5.20 Joomla Joomla! 1.5.19 Joomla Joomla! 1.5.18 Joomla Joomla! 1.5.17 Joomla Joomla! 1.5.16 Joomla Joomla! 1.5.15 Joomla Joomla! 1.5.14 Joomla Joomla! 1.5.12 Joomla Joomla! 1.5.11 Joomla Joomla! 1.5.10 Joomla Joomla! 1.5.9 Joomla Joomla! 1.5.8 Joomla Joomla! 1.5.7 Joomla Joomla! 1.5.5 Joomla Joomla! 1.5.4 Joomla Joomla! 1.5.6 Joomla Joomla! 1.5.3 Joomla Joomla! 1.5.21 Joomla Joomla! 1.5.13
Not Vulnerable:	Joomla Joomla! 2.5.4 Joomla Joomla! 1.5.26

Joomla! Predictable Password Generation And Information Disclosure Vulnerabilities

Joomla! is prone to an insecure password generation vulnerability and an information-disclosure vulnerability.

Successful attacks can allow an attacker to obtain sensitive information and guess generated passwords.

Joomla! 1.5.x through versions prior to 1.5.26 are vulnerable.

Joomla! Predictable Password Generation And Information Disclosure Vulnerabilities

Attackers can use a browser to exploit these issues.

Joomla! Predictable Password Generation And Information Disclosure Vulnerabilities

Solution:
Vendor patch is available. Please see the reference for more details.

Joomla! Predictable Password Generation And Information Disclosure Vulnerabilities

References:

• [20120305] - Core - Password Change (Joomla)
  
• [20120306] - Core - Information Disclosure (Joomla)
  
• Joomla 2.5.4 Released (Joomla)
  
• Joomla Homepage (Joomla)
  
• JOOMLA! 1.5.26 RELEASED (Joomla)