[PATCH AVAIL.] OpenSEF 2.0.0 RC5

For all non-Joomla! security issues, i.e. third-party components etc.

RobS
Joomla! Ace
Posts: 1366
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA

[PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by RobS » Sat Jul 15, 2006 9:59 pm

There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5.  We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem.  Please download it from the link below and follow the simple instructions to update your OpenSEF installation. 

Please see: http://www.open-sef.org/news/security_p ... ensef.html
Last edited by RobS on Wed Jul 19, 2006 5:08 am, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

nathandiehl
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA

Re: Security patch for OpenSEF 2.0.0 RC5

Post by nathandiehl » Mon Jul 17, 2006 7:30 pm

Note: It is not clear in the OpenSEF documentation what to do with the patch.

In case you don't know, you will upload the patched file to:
components/com_sef

and overwrite the old file of the same name.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

kavaXtreme
Joomla! Intern
Posts: 74
Joined: Tue Dec 13, 2005 9:56 pm
Location: Oregon

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by kavaXtreme » Tue Sep 19, 2006 11:12 pm

What version number will display once the patch has been installed?
- Bible Yellow Pages: http://www.bibleyp.com

aaanativearts
Joomla! Enthusiast
Posts: 203
Joined: Fri Aug 04, 2006 12:38 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by aaanativearts » Fri Sep 22, 2006 4:17 pm

The link for the security patch isn't working.

hitesh
Joomla! Fledgling
Posts: 4
Joined: Wed Dec 21, 2005 2:06 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by hitesh » Sat Sep 23, 2006 9:03 pm

OpenSEF has moved to a new site - try searching from:

http://forum.j-prosolution.com/news-discussion/

Btw, the patch is only required if you downloaded RC5 before the patch was released. The current release contains the patch already. Instructions on how to apply the patch are available on the forum.

nathandiehl
Joomla! Champion
Posts: 6044
Joined: Fri Aug 19, 2005 3:03 pm
Location: Indiana, USA

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by nathandiehl » Mon Sep 25, 2006 8:07 pm

Here is a link to download:
http://projects.j-prosolution.com/proje ... ensef.html

OpenSEF 2.0.0-RC5_SP2 is the newest version (as of 25-Sep-2006)

kavaXtreme
Joomla! Intern
Posts: 74
Joined: Tue Dec 13, 2005 9:56 pm
Location: Oregon

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by kavaXtreme » Mon Sep 25, 2006 9:06 pm

Thanks, Nate. I thought that was the case, but since this is a security issue I really wanted to get that extra confirmation.

Predator
Joomla! Ace
Posts: 1823
Joined: Wed Aug 17, 2005 10:12 pm
Location: Germany-Bad Abbach

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Predator » Sun Oct 01, 2006 8:50 pm

aaanativearts wrote: The link for the security patch isn't working.
The version on the forge has this included; I have also fixed the link, so the old link with open-sef.org in it works now again.
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D

C.Ludwig
Joomla! Apprentice
Posts: 26
Joined: Wed Sep 20, 2006 10:38 am
Location: München

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by C.Ludwig » Fri Jan 05, 2007 10:46 am

Hi,

for those who are still using OpenSEF 2.0.0 RC5 < SP2:
here is the latest link where you can find the patch and information about how to install it:

http://projects.j-prosolution.com/en/pr ... ensef.html
Predator wrote: ... so the old link with open-sef.org in it works now again.
open-sef.org seems to no longer exist!?

Christian

justinw
Joomla! Explorer
Posts: 268
Joined: Mon Sep 19, 2005 8:49 pm
Location: Empangeni, South Africa

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by justinw » Mon Jan 08, 2007 5:50 pm

When I uploaded the patched file I got:
Fatal error: Cannot instantiate non-existent class: josopensefconfig in /usr/www/users/empangzf/dev/components/com_sef/sef.php on line 26

So I just put the old one back until I can get some help on the above error message.

I also see that open-sef.org doesn't load. Any idea why?
Web Energy - Website Designs and Joomla Development in Empangeni, South Africa - http://www.webenergy.co.za

gws
Joomla! Champion
Posts: 5837
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by gws » Tue Jan 09, 2007 8:18 pm

justinw wrote:
I also see that open-sef.org doesn't load. Any idea why?
Yes, read the 6th post in this thread.
Last edited by gws on Tue Jan 09, 2007 8:21 pm, edited 1 time in total.

mexmet
Joomla! Fledgling
Posts: 3
Joined: Sun Feb 04, 2007 11:35 am

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by mexmet » Sun Feb 04, 2007 11:54 am

C.Ludwig wrote: Hi,

for those who are still using OpenSEF 2.0.0 RC5 < SP2:
here is the latest link where you can find the patch and information about how to install it:

http://projects.j-prosolution.com/en/pr ... ensef.html
Predator wrote: ... so the old link with open-sef.org in it works now again.
open-sef.org seems to no longer exist!?

Christian

It does not work again... Anybody help...

gws
Joomla! Champion
Posts: 5837
Joined: Tue Aug 23, 2005 1:56 pm
Location: South coast, UK

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by gws » Sun Feb 04, 2007 2:37 pm


mexmet
Joomla! Fledgling
Posts: 3
Joined: Sun Feb 04, 2007 11:35 am

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by mexmet » Sun Feb 04, 2007 2:56 pm

RobS wrote: There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5.  We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem.  Please download it from the link below and follow the simple instructions to update your OpenSEF installation. 

Please see: http://www.open-sef.org/news/security_p ... ensef.html
This link is still not working... RobS... dear...
I could not find the security patch anywhere...
Anybody help?
Last edited by mexmet on Mon Feb 05, 2007 9:13 am, edited 1 time in total.

Predator
Joomla! Ace
Posts: 1823
Joined: Wed Aug 17, 2005 10:12 pm
Location: Germany-Bad Abbach

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Predator » Mon Feb 05, 2007 10:24 am


mexmet
Joomla! Fledgling
Posts: 3
Joined: Sun Feb 04, 2007 11:35 am

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by mexmet » Wed Feb 07, 2007 11:39 am

Thank you Predator, I have already found it.
It was just a careless question.

maggiespaws
Joomla! Apprentice
Posts: 5
Joined: Tue May 08, 2007 2:26 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by maggiespaws » Wed May 09, 2007 7:44 am

Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?

Predator
Joomla! Ace
Posts: 1823
Joined: Wed Aug 17, 2005 10:12 pm
Location: Germany-Bad Abbach

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Predator » Wed May 09, 2007 8:02 am

maggiespaws wrote: Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?
Yes, this fixed it, but if you have RC5 SP2 the fix is already in that version. The patch is only for the RC5 and RC5 SP1 versions.

maggiespaws
Joomla! Apprentice
Posts: 5
Joined: Tue May 08, 2007 2:26 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by maggiespaws » Wed May 09, 2007 11:04 pm

Predator wrote:
maggiespaws wrote: Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?
Yes, this fixed it, but if you have RC5 SP2 the fix is already in that version. The patch is only for the RC5 and RC5 SP1 versions.
Predator, thanks for responding to this.

The site was already running RC5 SP2. As a result of the hacking, they changed the configuration.php file and chown'd all the files and directories used by OpenSEF (in both the components dirs) to a system user rather than the ftp user. This has stopped us repairing the damage until the hosting company resolves this.

I'm writing all of this because I am a little concerned that there is still a security hole with this component. As of yet, I have no conclusive proof that OpenSEF provided the route in (I'm awaiting more detailed logs from the hosting company), but the fact that other than configuration.php, the only files affected were those related to OpenSEF seems more than just a coincidence. I'm happy to try and provide you with any log data etc if you would like to look into this yourself.

I have read around on the internet and have come across one user who said that the security risk was only exposed if the component was installed but not in use? Is this true? At the time of the attack, my friend had it installed but not switched on.

I am soon to go live with a new site using OpenSEF (it is a great component btw) but would feel happier knowing I was safe to do so.

Sorry for the long post.

Regards,
Steve

Predator
Joomla! Ace
Posts: 1823
Joined: Wed Aug 17, 2005 10:12 pm
Location: Germany-Bad Abbach

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Predator » Thu May 10, 2007 11:07 am

If OpenSEF is not activated the request will be forwarded to the built-in includes/sef.php, so this is very strange; more info via PM once you have the results from the logfiles would be good. Also, this hacking sounds like RFI (remote file injections), which is only possible if you have Register Globals = On and allow_furl_open = On; maybe you can check this too.

maggiespaws
Joomla! Apprentice
Posts: 5
Joined: Tue May 08, 2007 2:26 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by maggiespaws » Thu May 10, 2007 12:04 pm

No logs back from the hosting company yet, but thanks for your advice. I'll look at those two settings you've mentioned and report back.

Steve

maggiespaws
Joomla! Apprentice
Posts: 5
Joined: Tue May 08, 2007 2:26 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by maggiespaws » Fri May 11, 2007 2:47 pm

Predator wrote: If OpenSEF is not activated the request will be forwarded to the built-in includes/sef.php, so this is very strange; more info via PM once you have the results from the logfiles would be good. Also, this hacking sounds like RFI (remote file injections), which is only possible if you have Register Globals = On and allow_furl_open = On; maybe you can check this too.
Still no logs, but a phpinfo() has shown that allow_url_fopen is set to On (is this what you meant in your post when you typed allow_furl_open?). Incidentally, register_globals was off and RG was set to 0 in the configuration.php.

I can't overwrite the setting using .htaccess as the php version is 4.4.4 and according to the php site it can only be changed in the main php.ini.

We're emailing the hosts to ask them to change this.
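The two checks discussed in the posts above (is allow_url_fopen on, is register_globals on, and can the setting be changed from .htaccess or only in php.ini) can be gathered in one read-only script instead of reading through phpinfo() by hand. The following is an added example written for this thread; it is not OpenSEF or Joomla project code. It assumes the script is uploaded next to Joomla's configuration.php, and it assumes that the "RG set to 0" mentioned above refers to Joomla 1.0's RG_EMULATION constant in that file; the allow_url_include line is only reported on PHP 5.2 and later.

```php
<?php
// Added example, not OpenSEF or Joomla project code: a read-only audit page
// that reports the PHP settings discussed in this thread (register_globals and
// allow_url_fopen, the two preconditions named for remote file inclusion) and
// Joomla 1.0's RG_EMULATION constant from configuration.php.
// Upload it to the site root beside configuration.php, open it once in a
// browser, then delete it. It changes nothing on the server.
header('Content-Type: text/plain');

// Assumed location of the Joomla configuration file; adjust if yours differs.
$configFile = dirname(__FILE__) . '/configuration.php';

// Settings to report. allow_url_include only exists from PHP 5.2 on, and
// register_globals was removed in PHP 5.4, so either may read "not present".
$settings = array('register_globals', 'allow_url_fopen', 'allow_url_include');

// ini_get_all() (PHP 4.2+) returns, per directive, the global and local values
// plus an access mask saying where it may be changed:
// 2 = PHP_INI_PERDIR (httpd.conf or .htaccess under mod_php),
// 4 = PHP_INI_SYSTEM (php.ini only), 7 = anywhere including ini_set().
$all = ini_get_all();

function flag_is_on($raw) {
    // ini values come back as raw strings: "1", "On", "0", "", ...
    return in_array(strtolower(trim((string) $raw)), array('1', 'on', 'yes', 'true'), true);
}

function where_changeable($access) {
    if ($access & 2) {   // PHP_INI_PERDIR bit set
        return 'php.ini or a per-directory override (.htaccess under mod_php)';
    }
    if ($access & 4) {   // PHP_INI_SYSTEM only
        return 'php.ini only (ask the host)';
    }
    return 'unknown';
}

foreach ($settings as $name) {
    if (!array_key_exists($name, $all)) {
        echo "$name: not present in this PHP build\n";
        continue;
    }
    $state = flag_is_on($all[$name]['local_value']) ? 'ON' : 'off';
    echo "$name: $state  (changeable via: " . where_changeable($all[$name]['access']) . ")\n";
}

// Joomla 1.0 emulates register_globals itself when RG_EMULATION is 1 in
// configuration.php, so an "off" PHP setting alone is not the whole story.
if (is_readable($configFile)) {
    $src = file_get_contents($configFile);
    if (preg_match('/define\s*\(\s*[\'"]RG_EMULATION[\'"]\s*,\s*(\d+)\s*\)/', $src, $m)) {
        echo "RG_EMULATION in configuration.php: " . ($m[1] === '1' ? 'ON' : 'off') . "\n";
    } else {
        echo "RG_EMULATION: not defined in configuration.php\n";
    }
} else {
    echo "configuration.php not readable at $configFile\n";
}
```

The "changeable via" column answers the .htaccess question directly: a directive whose access mask lacks the PHP_INI_PERDIR bit (as allow_url_fopen does on the PHP 4.4 builds discussed here) can only be changed in php.ini, so the hosting company has to do it.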

sambob
Joomla! Enthusiast
Posts: 120
Joined: Sat Jul 22, 2006 2:19 am
Location: Australia

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by sambob » Mon May 14, 2007 2:57 am

Hi all...

just need a bit of clarification on this patch.

I have just installed OpenSEF 2.0.0-RC5_SP2

Does this (the latest version) require the patch?

I am thinking that _SP2 is ok, but unsure.

Thanks in advance
https://reddustsnow.com/

"Don't look at what is and ask 'Why?'; look at what isn't and ask 'Why Not!'.."

sambob
Joomla! Enthusiast
Posts: 120
Joined: Sat Jul 22, 2006 2:19 am
Location: Australia

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by sambob » Mon May 14, 2007 5:37 am

I have found the answer.

SP2 (Service Pack 2) includes the security patch.

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Tue Jul 10, 2007 6:03 pm

Hey there... I just looked and the Joomla I am working on is running
OpenSEF
Version 2.0.0-RC2

Where do I get the patch? Anybody know? :-*

SEF patch extended version 1.0a
is also installed
Last edited by teclive on Tue Jul 10, 2007 6:12 pm, edited 1 time in total.

rliskey
Joomla! Guru
Posts: 828
Joined: Tue Jun 06, 2006 7:41 am
Location: California, Germany, Norway

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by rliskey » Fri Jul 13, 2007 9:00 am

where do i get the patch? anybody know?
Use Google!
http://www.google.com/search?q=opensef

Number 4 in Google listing:
http://sourceforge.net/project/showfile ... _id=171110

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Fri Jul 13, 2007 11:57 pm

Sorry for the delay... found the mod :) Thanks :)

Damien
Joomla! Intern
Posts: 71
Joined: Mon Oct 31, 2005 2:50 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by Damien » Thu Aug 02, 2007 8:55 am

Trying to find the patch, but it's a) not on the site or b) the site suggested is down.

karryberry
I've been banned!
Posts: 21
Joined: Wed Dec 19, 2007 10:36 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by karryberry » Thu Dec 20, 2007 8:23 am

Thanks for the valuable information.
smile

teclive
Joomla! Enthusiast
Posts: 158
Joined: Thu Nov 24, 2005 7:44 pm

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Post by teclive » Tue Feb 19, 2008 4:18 am

What is the safest way to update from Version 2.0.0-RC2 to Version 2.0.0-RC5_SP2?

Just overwrite files, or uninstall and reinstall? It is imperative that I don't lose the existing URLs; I will be shot on the spot if that happens ;)

Thanks muchly in advance :D

