www.theartofjoomla.com - FREE Joomla! 1.5 MAGAZINE for Developers, Admins, and Users
I hope Andrew has deleted my Hackers Super Admin Account - else this could be classed as self promotion ;-) ;-) ;-)
PhilTaylor-Prazgod wrote: Well I have received two replies from 2 out of the three lead developers of Joomla.
1 reply was two words long.
1 reply stated that it would be several weeks before people would be put on this, and that it requires many changes to files and a lot of testing...
My reply:
I know this thread is being closely monitored by several popular community members - this issue should be addressed NOW and not in weeks! While I appreciate that this touches many files, why does that take weeks when it only took 4 days to patch Joomla 1.5?
There are a lot of people (Developers with lots of experience) that are concerned about this, and willing to help, and also to get the other major issues in Joomla 1.0.13 fixed as well - such as the admin task values issue. I don't see why this should take weeks.
The actual work I did took a few hours and can be well tested in a day or two. Waiting weeks just to get people on the case is really not appropriate. It has already been 4 weeks since the security vulnerability was reported (on the 4th December).
Kindest regards
Phil.
Sorry - I worded that badly - not meant to imply a negative - the two words were "thanks Phil" :-)
Huh umm what were those TWO WORDS?
if one of them were 'OFF' and the other started with 'F' don't bother tho!
p.s. Is this more dangerous in a practical sense than Joomla defaulting RegisterGlobals emulation on for 'compatibility' (albeit with warnings that are often unread/misunderstood)?
Read the date of my post here : http://joomlacode.org/gf/project/joomla ... em_id=8361
that is a really unfair insinuation against these hard working guys!
For what it's worth, when I get the patch, I'll add a footer that says,
This site secured by Zinho security advisories: http://www.hackerscenter.com
and I encourage all others to do the same! thanks again, mate!
vscribe wrote: Thank you - you did the right thing, irrespective of anyone else's actions.
I'll throw my apologies in here too.. I think I'm right there with Cariboo regarding disbelief that something like this could go unanswered or at least unchallenged for three weeks. You absolutely are doing the right thing here!
cariboo wrote: I still can't believe it though, even tho it's true ....
You said it more eloquently than I did.. and you're absolutely right! Even if there WAS a stable version of Joomla 1.5, it's not like we could just convert tens of thousands of websites to the new version overnight -- or even that we should... The fact that there isn't a stable version, upgrade or retool notwithstanding, underscores the importance of patching the current stable version. Call it a patch, call it 1.0.14.. what's in a name anyway.. but the fact we've had this long a discussion about it scares me.. Zinho is right.. this should have been done already!
PhilTaylor-Prazgod wrote: remember - there is no such thing as an UPGRADE from Joomla 1.0.x to Joomla 1.5.x - it is a migration and a whole new way of doing things....
You are right about Joomla 1.0.13 having issues - all the more reason for a Joomla 1.0.14 !!! I, along with others, fear that Joomla 1.0.x has now been forced to the back burner while Joomla 1.5 development takes place...
:mad: Thanks Masterchief! It's all too clear now!
masterchief wrote: Ok let's get some things clear here.
Phil, thank you very much for bringing things to my attention but be *very* careful how you decide to put "spin" on our private exchanges. As soon as I saw your mail I passed it on to other appropriate people and flagged and gave you a polite reply that it was being actioned and would take a couple of weeks to rise to the surface - why, because at that time we are days away from 1.5 stable and are concentrating on that, and then it generally takes a week to properly prepare, test and deploy a release. Adds up to 2 weeks - savvy? I and Joomla! have always taken security issues very seriously, and always will.
Secondly, thank you Zinho for your patches. We usually don't acknowledge credits that much in the changelog (because then we get "why is my name not in too" stuff) but it was appropriate that you should have been credited with the find. It slipped through because it came in at an unusual time and the actual exploit was handled by a team and an event - so what normally would happen didn't because we didn't handle it in the normal way.
Finally, we are still working on optimising the solutions (in other words, how can we make this as easy as possible for developers to remember what to do) for this for those that are interested so source trees are going to be changing for a while.
I can see the point of anger and desperation here.. being told by three separate sources in the last two days that this CSRF vulnerability wasn't addressed right away because the development staff was more focused on the 'new' Joomla than the 'old'... That is a really bitter pill to swallow and it makes people like me nervous going forward as we have to wonder whether the next big thing will be pushed to the back of the bus when the NEXT next big thing comes along..
cariboo wrote: :mad: Thanks Masterchief! It's all too clear now!
PhilTaylor-Prazgod wrote: I see that in the last few moments changes have been made in the Joomla 1.0.13 SVN tree
My official reply: Wait for the official release from Joomla Core Developers, while crossing your fingers and following the advice in red bold font in my previous forum replies...
jaxstax wrote: Hi Phil.
I have read some other folks have the same question I do...how can we implement the patch that you released...any pointers would be mucho appreciated.
Jason
PhilTaylor-Prazgod wrote: I see that in the last few moments changes have been made in the Joomla 1.0.13 SVN tree
ilox wrote: We can't fix it, we just don't have the knowledge. But we can listen to announcements, we can change our logging on and off practices, we can support the Core IF we were told what was happening. Please stop faffing around any more on this, the compromise is real, the files need to be fixed. We need this vulnerability closed and the development policies reviewed.
I have not tried and I am not 100% sure of it, but this forum is an example of a possible way to mount an attack on your website. It allows remote images to be used. If one wants to specifically hack *your* website this is possible.
The compromise is not something that is likely to happen to most sites. As long as the Joomla core team is aware of the problem and is taking it seriously I don't have any issue.
Zinho wrote: I would expect more concern from a sysadmin running big websites. That's the main reason why the internet is unsafe.
The compromise is not something that is likely to happen to most sites. As long as the Joomla core team is aware of the problem and is taking it seriously I don't have any issue.
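The posts above describe the risk but not the control, so here is an added PHP illustration of the defence that closes the "remote image" CSRF vector: a per-session synchronizer token that a state-changing admin action must carry. This is example code written for this thread, not Joomla's own fix or code from anyone in the discussion; the names `csrf_token`, `deleteUser` and the `task=deleteUser` URL are assumed.

```php
<?php
// Added example (not Joomla code): synchronizer-token guard for an admin action.
// A forged request triggered by <img src="index.php?task=deleteUser&id=7"> on a
// forum page arrives as a GET with no token, so it never reaches deleteUser().
session_start();

// Issue one random token per session and reuse it for every admin form.
function csrfToken(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// True only for a POST whose csrf_token field matches the session token.
// hash_equals() compares in constant time so the token cannot be guessed
// byte by byte from response timing.
function csrfCheck(array $server, array $post, array $session): bool {
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                 // browsers send <img> fetches as GET
    }
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['csrf_token'] ?? '';
    return $expected !== '' && hash_equals($expected, $given);
}

// The legitimate admin form embeds the token; a third-party page cannot
// read it, so it cannot build a request that passes csrfCheck().
function deleteUserForm(int $id): string {
    $t = htmlspecialchars(csrfToken(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="index.php?task=deleteUser">'
         . '<input type="hidden" name="csrf_token" value="' . $t . '">'
         . '<input type="hidden" name="id" value="' . $id . '">'
         . '<button type="submit">Delete user</button></form>';
}

// Assumed application function; stands in for the real state change.
function deleteUser(int $id): void {
    error_log("deleteUser({$id}) executed after a valid token check");
}

// Request handler: refuse the action before any state changes.
if (($_GET['task'] ?? '') === 'deleteUser') {
    if (!csrfCheck($_SERVER, $_POST, $_SESSION)) {
        http_response_code(403);
        error_log('Rejected state-changing request without valid CSRF token');
        exit('Invalid token');
    }
    deleteUser((int) ($_POST['id'] ?? 0));
}
```

The same check applied to every admin task (not just one handler) is what makes the remote-image vector harmless; a rejected request is also a useful log line for spotting that someone tried it.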