How does this Joomla password reset exploit work?

Question

One of our Joomla sites got hacked and the attacker replaced my template's index.php with his ugly page - "Hacked" heading and some arabic lines in red. Apparently, the attacker some how reset the password(and email address too) of first user in the users table, which was the super user, and gained access to administration panel.

After doing a quick recovery, I searched net to prevent future hacking attempt and found this article: Security News-[20080801] - Core - Password Remind Functionality

I put the code from that article to patch my reset.php

But I am still having doubts. The article doesn't say anything about how the exploit really work. But I read some where in the internet that this is an SQL injection vulnerability in reset.php

The line executing SQL to check the token:

$db->setQuery('SELECT id FROM #__users
                         WHERE block = 0
                           AND activation = '.$db->Quote($token));

is using the JDatabase::Quote() method. Then how does some SQL injection become possible. Isn't Quote supposed to prevent an SQLi? Joomla version of attacked site is 1.5.18.

Another doubt is in the patch checking only to verify string length of 32. How could it prevent the exploit.

I'm wondering if an SQLi can really pass Quote method then wouldn't a string length of 32 be more than enough to bypass that WHERE clause?

    if(strlen($token) != 32) {
        $this->setError(JText::_('INVALID_TOKEN'));
        return false;
    }

Answer 1

The problem was that the token value was not validated at all but only cleaned from non-alphanumeric characters. And the exploit was to just enter a single ' that was filtered out so that the effective token value was an empty string that resulted in something like this:

SELECT id FROM #__users WHERE block = 0 AND activation = ""