visualtribe
7 Nov 2017

Steps to reproduce the issue

I can't give you steps, all I know is a hacker created a user through Joomla 3.8.1 with no problem and activated themselves. I have the newest Admin Tools on. I have htaccess up. I have htaccess blocking admin login page, but they still get through. I update all my extensions regularly. I am now on 3.8.2 and have installed a different security system. What I don't understand is how they are creating user accounts and activating them when even though that system is off, I have set it to administration activation. I never see any emails from the system telling me a new user has been created.

Expected result

No one should be able to create user

Actual result

Hacker created user with no problem

System information (as much as possible)

Joomla 3.8.1 PHP 5.6

Additional comments

visualtribe - open - 7 Nov 2017
joomla-cms-bot - labeled - 7 Nov 2017
zero-24 - change - 7 Nov 2017
Status: New → Closed
Closed_Date: 0000-00-00 00:00:00 → 2017-11-07 23:17:10
Closed_By: zero-24
zero-24 - close - 7 Nov 2017
zero-24 - comment - 7 Nov 2017

> I have the newest Admin Tools on.

That doesn't protect you. ;)

Just double check how to disable the user registration: https://docs.joomla.org/J3.x:Disabling_user_registration/en and enable a captcha: https://docs.joomla.org/How_do_you_use_Recaptcha_in_Joomla%3F/en

That should block most requests.

> What I don't understand is how they are creating user accounts and activating them when even though that system is off, I have set it to administration activation.

That sounds like a hack then, or a broken extension. Please report back when this comes up after doing the steps above so we can take a closer look into that issue.

As this is not a general technical problem and the user registration is disabled for new installs, I'm going to close this issue. If you need more help please contact the Joomla forums at: https://forum.joomla.org Thanks!
