Critical Bug in Joomla 1.5.5 (and older 1.5.x versions)

Post by: tom on August 18th, 2008 | File Under Security, Webapps

The password of the user with the lowest ID (typically an administrator) can be reset by an unauthorized user in Joomla 1.5.x installations prior to version 1.5.6, because of a bug in the password remind functionality.

All 1.5.x installations up to and including 1.5.5 are affected.

The Joomla developer team advises upgrading to 1.5.6 (or patching the /components/com_user/models/reset.php file with the code below).

After the line global $mainframe; (line 113 of reset.php), add:

// Reject any token that is not exactly 32 characters long before it is used.
if(strlen($token) != 32) {
    $this->setError(JText::_('INVALID_TOKEN'));
    return false;
}
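The patch above rejects a token whose length is not 32 before it reaches the lookup. The following is an added example, not Joomla's own code, that shows the same shape check written as a stand-alone validator, followed by a constant-time comparison against the stored token. The function names, the constructed sample inputs, and the assumption that a token is 32 lowercase hex digits (the form an md5() hash takes) are mine, not the project's.

```php
<?php
// Added example (not Joomla code): shape-check a password-reset token
// before it is used anywhere, in the spirit of the 1.5.6 patch.

declare(strict_types=1);

const RESET_TOKEN_LENGTH = 32; // length required by the patch above

/**
 * True only for a well-formed token: exactly 32 characters, all lowercase
 * hexadecimal digits. (Assumption: tokens are hex, as md5() output is.)
 * An empty, blank, truncated or padded token is rejected here and never
 * reaches a database query.
 */
function isWellFormedResetToken(string $token): bool
{
    if (strlen($token) !== RESET_TOKEN_LENGTH) {
        return false;
    }
    return preg_match('/^[0-9a-f]{32}$/', $token) === 1;
}

/**
 * Compare a submitted token with the one stored for the account.
 * Both sides are shape-checked first; hash_equals() keeps the comparison
 * constant-time so the result does not leak how many bytes matched.
 */
function resetTokenMatches(string $submitted, string $stored): bool
{
    if (!isWellFormedResetToken($submitted) || !isWellFormedResetToken($stored)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Constructed sample inputs for a local run: php reset_token_check.php
$stored = md5('constructed-sample-secret'); // a 32-char lowercase hex token
$cases = [
    'empty string'             => '',
    'whitespace only'          => '                                ',
    'truncated token'          => substr($stored, 0, 31),
    'too long'                 => $stored . 'a',
    'uppercase copy'           => strtoupper($stored),
    'wrong token, right shape' => md5('constructed-other-value'),
    'correct token'            => $stored,
];

foreach ($cases as $label => $input) {
    printf("%-26s -> %s\n", $label,
        resetTokenMatches($input, $stored) ? 'accepted' : 'rejected');
}
```

Only the last case is accepted; the whitespace case has the right length but fails the character-set check, which is why a length check alone is a floor rather than the whole validation.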

See: Joomla! Developer - Password Remind Functionality





Joomla - how to activate SEF (search engine friendly URLs)

Post by: tom on April 12th, 2007 | File Under Security, Webapps

If not already done, allow .htaccess overrides for Options and FileInfo in your Apache configuration (needed for mod_rewrite and symlinks):

<Directory "/srv/www/htdocs/##user##/html">
    AllowOverride Options FileInfo
</Directory>


Rename the default htaccess.txt in the Joomla root to .htaccess and activate SEF in your Joomla configuration. That’s all : )

