upgrade 1.0.12 to 1.0.13 - community builder problem

masteryoda · **Posted:** Sun Jul 22, 2007 2:19 am

Hi,
now the problem is
my users can't login from frontend hompage (both 2 of my sites) (not registered error)
community builder installed..

$:-\$

masteryoda · **Posted:** Sun Jul 22, 2007 2:22 am

Here is what joomlapolis said ??

Quote:

Joomla 1.0.13: DO NOT UPGRADE FOR NOW
Community Builder - Announcements
Written by Beat
Saturday, 21 July 2007
IMPORTANT TEMPORARY NOTICE:

Joomla 1.0.13 Stable has been released in its current SVN state to our surprise.

Joomla 1.0.13 breaks backwards compatibility with itself (you can't downgrade to anything before joomla 1.0.13), and with some extensions like Community Builder and bridges, and is not compatible with CB 1.0.2 or earlier.

Additionally, some vulnerabilities introduced by the RC3 that we reported privately did not get fixed

Our strong advice: do NOT upgrade to Joomla 1.0.13 for now.

CB Team feels sorry to have to make this announcement. I'm personaly part of Joomla Q&T team and CB test-team tests Joomla pre-releases too. Unfortunately fixes for bugs and vulnerabilities identified in 1.0.13 RC3 were not made available to Joomla Q&T team and CB test-team for further testing prior to public release. This issue has just been addressed by CB team to Joomla core team, and we are waiting for a reply.

AmyStephen · **Posted:** Sun Jul 22, 2007 2:42 am

Hi, again!

I am sorry to say that I do not know what Beat is talking about with that announcement.

It is confusing to me to hear Beat say this:

Quote:

Unfortunately fixes for bugs and vulnerabilities identified in 1.0.13 RC3 were not made available to Joomla Q&T team and CB test-team for further testing prior to public release.

Anyone in the entire world can download and test with the SVN results anytime they want. You can see from the version information, below, it appears only minor changes have been made over the past month. The Q&T group certainly could have been working with the release for awhile. I wonder which changes are causing problems with CB?

Quote:

21-Jul-2007 Robin Muilwijk
^ (version.php) preparation for release

18-Jul-2007 Rob Schley
# Fixed admin session problems with immediate logout after login.
# Fixed a few misc. bugs.

11-Jul-2007 Sam Moffatt
^ Removed assumption that a group exists for a user (may not actually be true)

04-Jul-2007 Rob Schley
# Fixed a bug in the administrator login system that prevented users from logging in

02-Jul-2007 Rob Schley
* SECURITY A6 [LOW Level]: Fixed [#5630] HRS attack on variable "url"
* SECURITY A1 [LOW Level]: Fixed [#5654] Multiple fields subjected to cross-site scripting vulnerabilities
* SECURITY A7 [LOW Level]: Fixed possible session fixation vulnerability in administrator application

29-Jun-2007 Louis Landry
^ Hardened password storage mechanism to use a random salt
! Remember Me cookies will be invalid and require a re-login

20-May-2007 Rob Schley
# Fixed key reference lookups to match whole results only
# Fixed two help screen naming issues.
^ Changed RG_EMULATION warning message to refer to Global Configuration Setting

17-May-2007 Rob Schley
^ Moved register globals emulation controls into Global Configuration

15-May-2007 Rob Schley
# Fixed [topic,170296] : Typos in Search Mambot configurations

14-May-2007 Rob Schley
# Fixed [topic,153233] : "Mail to Friend" parameter checks not checking content item setings
# Fixed [topic,126371] : IE7 left align problem
# Fixed [topic,167745] : Added JavaScript alert for empty category title

28-Apr-2007 Rob Schley
^ Changed cookie naming conventions to not break when using HTTPS
# Fixed [topic,156116] : Optimzed queries for menu creation to improve performance.
* SECURITY A4 [ LOW Level ]: XSS issue in com_search and com_content
* SECURITY A4 [ LOW Level ]: XSS vulnerability in mod_login

16-Apr-2007 Enno Klasing
# Re-enabled Itemid behaviour of 1.0.11 (optional, default is behaviour of 1.0.12)

At this point, I think more information is required from Beat. Unless maybe someone else has an idea? I am at a complete and total loss.
Amy

string · **Posted:** Sun Jul 22, 2007 7:44 am

AmyStephen wrote:

Hi, again!

I am sorry to say that I do not know what Beat is talking about with that announcement.

At this point, I think more information is required from Beat. Unless maybe someone else has an idea? I am at a complete and total loss.
Amy

Nope, check this post out. And check out the comments for that article.

http://forum.joomla.org/index.php/topic,193166.0.html

As Beat said, "Joomla 1.0.13 breaks backwards compatibility with itself "

The way passwords are handled has been changed. Why with a 1.0 release I ask?

/cry

RussW · **Posted:** Sun Jul 22, 2007 11:24 am

Guys I just posted in another thread, a combination of options from the Joomlapolis Forums and other discussions;

If you have CB installed or another non-Core login/registraiton module, unfortunaltely this has become a known issue....

You will need to temporarily downgrade from 1.0.13, again, unfortunately, this is not too easy to do.....

DownGrade From 1.0.13 Un-Tested By Me

Quote:

Option 1) Restore the backup you made of course before upgrading, for files and for SQL database.

A little more detailed:

a) Restore your Joomla 1.0.12 files
b) Restore SQL ( default "jos_" )#_users (or at least the password column).

Joomla 1.0.13 auto-upgrades password storage for each user at first login after upgrade.

Alternatively:
Reference Beat @ Joomlapolis, thanks Beat.....

Quote:

Ok, here some help to reset access to your joomla system:

Method 1: Easiest:

Click lost password in front-end, enter your admin username and email (if you remember it) and check your email

Method 2: Well, a little less easier:

a) Go to database admin (e.g. phpMyAdmin), and open database.

b) Find table jos_users

c) Find your admin entry (by search by username).

There you will see a password looking like:

1023456789ABCDEF1023456789ABCDEF:1023456789ABCDEF <<<< Notice the " : "

d) Find an online md5 generator like here:

http://www.iwebtool.com/md5

e) Type-in a temporary password, and write down the md5 hash. or Copy and paste in to a text document.

e.g. md5 Encryption for the word 'example' is: 1a79a4d60de6718e8e5b326e338ae533
(you could use this as temporary, but change it as soon as you can).

f) Edit the entry in SQL, and change password column of that entry to the one above for password 'example'
or to the one you computed, or the old one from backup (notice: no ':' in it...)

Method 3:
a) Alternatively, you could copy the md5 password from another user that you register in frontend
or of which you already know the password.

---------
The Joomlapolis Team are working on a compatible version currently, the upcoming CB 1.1 will be compatible with joomla 1.0.13.

AmyStephen · **Posted:** Sun Jul 22, 2007 4:11 pm

Please see http://forum.joomla.org/index.php/topic ... #msg913850.

Thanks!
Amy

masteryoda · **Posted:** Sun Jul 22, 2007 5:32 pm

this solutioncaused me to have this error after trying to login to frontend

Call to a member function on a non-object in /home/***/public_html/components/com_comprofiler/comprofiler.php on line 1311

AmyStephen · **Posted:** Sun Jul 22, 2007 5:38 pm

Is this your response in the CB forum? Let's see what is said there. You might also want to explain any other changes you made. Since fixing the FTP, for example, did you make any changes to "fix" this problem? CB is your best bet on this - let's see what the response is there.

Edit: In fact, Sam has already responded there.

aravot · **Posted:** Sun Jul 22, 2007 5:57 pm

AmyStephen wrote:

Hi, again!

I am sorry to say that I do not know what Beat is talking about with that announcement.

The fixes that were introduced in RC3, there are not in SVN because it wasn't committed.

masteryoda · **Posted:** Sun Jul 22, 2007 6:07 pm

yes that was my reply amy

the last comprofiler file which pasamio sent was solved my problem

here's the link http://www.joomlapolis.com/component/option,com_joomlaboard/Itemid,38/func,view/id,41380/catid,7/limit,6/limitstart,12/

AmyStephen · **Posted:** Sun Jul 22, 2007 6:38 pm

EXCELLENT! Thank-you Sam and MasterYoda for reporting back this success! 8)

Amy :)

PS - I chuckled at this statement by Sam --> "I threw this up because I got it to work for me with about 5 minutes of work." Geek!

nant · **Posted:** Mon Jul 23, 2007 11:02 am

AmyStephen wrote:

At this point, I think more information is required from Beat. Unless maybe someone else has an idea? I am at a complete and total loss.
Amy

Please PM Beat or myself for additional information.

AmyStephen · **Posted:** Mon Jul 23, 2007 12:31 pm

Nick -

I think Sam developed a solution, yes?

Thanks!
Amy

PS - email me at AmyStephen @ gmail dot com, anytime if you want to talk!

Jenny · **Posted:** Mon Jul 23, 2007 3:29 pm

aravot wrote:

AmyStephen wrote:

Hi, again!

I am sorry to say that I do not know what Beat is talking about with that announcement.

The fixes that were introduced in RC3, there are not in SVN because it wasn't committed.

What do you mean they weren't committed?

The password salt was added over three weeks ago:

Quote:

Revision 7813 - (view) (download) (annotate) - [select for diffs]
Modified Fri Jun 29 06:04:09 2007 UTC (3 weeks, 3 days ago) by louis
File length: 100999 byte(s)
Diff to previous 7443

Hardened password storage to use a random salt.

infograf768 · **Posted:** Mon Jul 23, 2007 3:36 pm

FYI, Sam's file is also available here:
http://forum.joomla.org/index.php/topic,193358.0.html

aravot · **Posted:** Mon Jul 23, 2007 4:13 pm

MMMedia wrote:

What do you mean they weren't committed?

The password salt was added over three weeks ago:

I don't know if you have access to private security forum, if you do than you'll see there are more issues that weren't committed, the password I know it was added.

AmyStephen · **Posted:** Mon Jul 23, 2007 4:21 pm

aravot wrote:

MMMedia wrote:

What do you mean they weren't committed?

The password salt was added over three weeks ago:

I don't know if you have access to private security forum, if you do than you'll see there are more issues that weren't committed, the password I know it was added.

I ignored some of these comments for a two reasons.

#1 - I am here to help people find solutions for their websites.

#2 - No offense, but most of us don't care about the politics inside of your working group teams. I am confident you can all figure this out if you work together!

+++

JM - thanks for the link. Again, for us end users, solutions are what matter.

infograf768 wrote:

FYI, Sam's file is also available here:
http://forum.joomla.org/index.php/topic,193358.0.html

Amy

Jenny · **Posted:** Mon Jul 23, 2007 4:26 pm

Every single release that I know of has had last minute tweaks and changes before they have gone out. If you look at the release dates and the svn commits you can see that this happens.

Also with every release there are going to be issues. Everyone tries to make each release as perfect as possible, but we are talking code and there is no such thing as a code nirvana of perfection.

Look at the whole changes to itemids that has been debated on and on and on. No code is perfect, and you will never make it perfect for all people all the time.

No one is to blame, and why any blame is being laid out at anyone's feet either on this forum or ANY other forum or community (bad form) is something I just don't understand.

Thankfully Sam has done what people should do instead of blame and complain. He came up with a solution.

Thanks Sam, your fix helped me out of a bind. I appreciate it.

shumisha · **Joined:** Sat Aug 20, 2005 3:15 pm **Posts:** 466

Hello all,

I don't want to blame anyone, should it be only because I don't exactly who to blame. I still think this was done too rapidly and lightly, and to the very minmum a very very large warning should have been put everywhere to tell people that this would break any site running some very popular components.

I posted this elsewhere, so it sort of double posting, but I hope some participants to this thread can give some feedback on this. I think two things should be made very rapidly:

1 - issue a warning NOT to upgrade to users of CB, SMF bridges, and probably other bridges (other forums, galleries, flyspray,phplist ?) before updates to said components is available (assuming the commercial ones have not been abandonned recently by their author); I've just seen that Virtuemart shops are all down as well

2 - Provide some Joomla-side way of handling things better : the logical thing to do for me would be to provide a backend switch of some kind to decide which password to use. Remember that is what MYSQL did when they changed password mechanism. Maybe that needs to be V 1.0.14 ?

BTW: I have just seen that Soeren has released a patch, so if your shop is broken, head to virtuemart.net.

Regards to all

RussW · **Posted:** Mon Jul 23, 2007 10:55 pm

OK, can we do as Amy as suggested please, Get back to what this thread and others started as solving the problem and redcuing the risk for others......

Irrespective of the issues these changes have no doubt caused and moving on past the "finger-pointing"......

The QandT Co-Ordinator has been queried on the release schedule and communication, he has repsonded within the QandT Group and has taken our concerns to the Core Team, with Positive Outcomes...

1) The process of release has been reviewed
2) The process break-down has been understood << Most importantly
3) Measures have been/are being put in place to ensure that communication is improved
4) Thanks to Passimo, Amy, RobInk and the CB Team there are several work-arounds and temporary fixes available

We know this will take a little time to settle down again and get back to an even keelp. I for one will assist where ever I can, those that continue to have issues surrounding these changes.

Once we are over this hump I think you will find some of the other enhancements and security resolutions delivered in this release will be of great benefit and continue in the tradition of great Joomla! releases.

Thank you, all, for your time and patience, lets move on and start to take advantage of the newly enhanced and secured 1.0.13 release.

gsbe · **Posted:** Wed Jul 25, 2007 7:20 am

I'd think it wise to create a list of the extensions effected along with links to the location of these fixes. These changes effect SO many Joomla users that are used to upgrading to the latest version because their install tells them to! This announcement is very vague about what extensions are effected.

It is a reasonable expectation when an announcement like this is made that the related project leads provide as much up-to-date information about this as possible to the thousands (hundreds of thousands?) of effected users. I'm trying not to criticize the developers here but to focus on solutions as requested......please consider collecting a list of known effected extensions along with any links to fixes and post as an official sticky FAQ-type forum thread that is linked from the original joomla.org announcement.

infograf768 · **Posted:** Wed Jul 25, 2007 8:06 am

A specific thread has been created.

http://forum.joomla.org/index.php/topic,194406.0.html

Just to list and upgrade, not for support.

Forum rules

upgrade 1.0.12 to 1.0.13 - community builder problem

Quick reply

Who is online