Joomla! Discussion Forums

I'm less concerned about the discussion, than about getting this patched asap on various sites, running both J! and Mambo..

Me too... I would like to see an official fix for this as soon as possible...
I have a lot of websites I'm very concerned about right now!

But I believe they will fix it soon though

Looks like Stingrey is preparing to release Joomla! 1.0.4 on [21-Nov-2005 10:00 UTC]

A fix has been created and we are releasing a 1.0.4 securtiy release in the next couple off hours.

Great! Thanks guys

we got defaced big time tonight 

patched now.. thanks johan

and thanks all who contributed

um... has Joomla! 1.0.4 been released yet? 

You'll be the first to know if you read the frontpage regularly

I always check the Joomla! site regularly, but from the above posts I thought that a it had been already released.
But i guess not.
I'll be waiting anxiously for the release. 

An official release is not out yet.
But if you install this globals.php on your Joomla or Mambo 4.5.2.3. site your pretty safe for now. Just make sure you save the file as globals.php and not as globals.php.txt.

thanks webguy.
iv put webprotect on my website for now, until an official release comes out.
if it doesnt come out soon, i will use the global.php file you have provided.
thanks again.

Persianari, what is this webprotect thing? I guess I missed that in this thread...

no it wasnt mentioned in this thread.
its a setting in cPanel, which stops access to your site.
in order to enter you need a username and password.
i really didnt have any other choice but to do this until a security fix is released.
i dont want to risk getting hacked/defaced.

you can see what i mean by going to my website.

Okay, I understand. That's .htaccess protection. Thanks for clarifying...

yeh... thats the one.
im not to good with techy stuff.

i know no one can access my site, but at least i know its not going to get hacked.
do you think what i have done is ok... or am i being too protective here?

does the globals.php file you provided, provide 100% security in regards to the security hole discussed in this thread?

Sorry, I can't garantee this, because I didn't write the patch. However I did install it on a few Joomla! and Mambo 4.5.2.3 sites and tested it. The security hole seems closed.

If you're unsure about the solution, I guess the best tjing to do is keep your site(s) closed and await the official patch.

okay.
thanks again. 

There won't ever be something like 100% security! However, I think the globals.php you're talking about is quite secure, none of the attacks I know got through. Overwriting of global variables should be blocked out pretty good.

What is the state here? My servers are under attack...

Just a few thoughts:

1. I am missing a (small) notice on the Joomla! frontpage regarding this security problem and a link to the hot fix provided (Thank you!) here for the people not reading this forum in detail.

2. Maybe I missed it - but is there a mailing list regarding Joomla!-security?

Kind regards

Stephan

The only forum section you can subscribe to to get auto notifications is the Announcements section, which doesn't contain any posts or info about this new and very serious security threat.
I believe there should be a mailing list for such security announcements and that the security team should make it clear to everyone if any problems arise.
It should be shown on the home page when such security issues occurs.
There could be many people out there completely unaware that there is a massive security flaw in Joomla! 1.0.3 and that hackers are currently hacking and defacing many Joomla!/Mambo sites.
Such early and appropriate security notices could help many be better prepared for attacks.
I know that it could also create a massive panic attack from many users but its better to be told then not and have your site hacked/defaced without any knowledge that you site is a potential for such attacks.

I found one problem with the new globals.php (posted here in this forum) that aka forms is not working anymore, mambo and joomla..Have any one a solution for that?

I suspect you're going to come up with a lot of issues like this. I've just been going through my own components, and while Jomres seems ok, an import component for a bike shop I wrote had one small problem that, while easily fixed, made me realise that there are likely to be a LOT of components out there that will need tweaking.

Don't tell that now 

Could you please post some more details: setting of RG_EMULATION in globals.php and setting of register_globals in php.ini? I would expect your configuration to be RG_EMULATION=1 and register_globals=0.

Yes my configuration is:
RG_EMULATION=1 and register_globals=0
and the register_globals in php.ini = off

Official patch has been released. 

http://developer.joomla.org/sf/go/proje ... _1_0.1_0_4

--Slixter

Great, thanks all!
I guess now it's really time to upgrade all my old Mambo installations to Joomla.

Hi guys,

We just released 1.0.4, it contains one critical and 5 smaller security fixes together with about 90 bug fixes. Have fun upgrading

Great news. Thanks everyone.

I don't see why the patch package contains so many files, including image files and template files? I thought the patch package just contained the important files that need to be patched?

Which are the most important files to patch?