[HSC] Multiple CSRF in Joomla all versions - Complete compromise

Discussion regarding Joomla! security issues.

tuxsoul
Joomla! Apprentice
Posts: 16
Joined: Mon Jan 09, 2006 11:55 pm
Location: Cuautla, Morelos, México

Post by tuxsoul » Mon Dec 31, 2007 7:11 pm

Hi, checking SecurityFocus, I see one bug for Joomla; you can see it here:
http://www.securityfocus.com/archive/1/ ... 0/threaded

It says version Joomla 1.0.x has not fixed this security bug. Does somebody know about that?
Greetings.
Sorry, my English is bad :-[

musiczineguy
Joomla! Enthusiast
Posts: 200
Joined: Sat Nov 11, 2006 5:01 am
Location: East Greenbush, NY

Post by musiczineguy » Mon Dec 31, 2007 8:24 pm

tuxsoul wrote: Hi, checking SecurityFocus, I see one bug for Joomla; you can see it here:
http://www.securityfocus.com/archive/1/ ... 0/threaded

It says version Joomla 1.0.x has not fixed this security bug. Does somebody know about that?
Greetings.
Curiously enough, there are no other references to CSRF in this forum (by search) and no posts referring to anything like this on the 1.5 security board or here on or around 12/4 when this was supposed to have been reported.  The alert referred to in the link above has spread like wildfire all over the Net, but every one of the versions of the notice I've seen is in forum-like areas of security sites and either refers back to the original post on the reporter's website or contains an exact cut and paste of the original alert.

So far as I can tell this issue hasn't been corroborated by any 'official' channels. 

Finally, the last line of the original alert is an advertisement for a kit that apparently will protect everyone from everything including the flu.

There are many (most) around here who are more knowledgeable than I about the inner workings of Joomla, but could this be a hoax?  It sure looks like something's fishy to me...

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia

Post by ilox » Mon Dec 31, 2007 11:58 pm

Well my search of the net turned up this comment on one site:
I my self tried to check it out..worked it out and via XSS vulnerable page was able to add a superadmin Smoothly! Check it out With LiveHTTPHeader Addon in Mozilla/Firefox installed
So I looked further in this forum and found http://www.joomla.org/content/view/4335/116/ which shows the 1.5.0 Changelog:
Here are 3 entries that refer to the problem:
10-Dec-2007 Laurens Vandeput ** Bug Squash Event: Brussels
* SECURITY A5 [HIGH] Critical CSRF allow portal compromise - Administrator components. Thanks to Paul Delbar & Jeroen Loose.

09-Dec-2007 Rob Schley ** Bug Squash Event: SF **
* SECURITY A5 [HIGH] [#8361] Critical CSRF allow portal compromise.  Administrator components

09-Dec-2007 Andrew Eddie ** Bug Squash Event from home **
* SECURITY A5 [HIGH] [#8361] Critical CSRF allow portal compromise - admin com_users only
There isn't any doubt that a problem was found and fixed, at least in 1.5 RC4.

http://joomlacode.org/gf/project/joomla ... em_id=8361 will give you the full chronology of the report and conclusion:
Submitted By: Wilco Jansen
Adddate: 2007-12-10 15:32:06
30 tasks have been created, and all have been processed. Closing.
I didn't find any reference to 1.x. I think the claim that it affects every version is a bit wishful; there don't seem to be the facts to back that up. If it had been true, and affected versions other than the SVN, then we would surely have been told about it and a patch issued.
Last edited by ilox on Tue Jan 01, 2008 12:51 am, edited 1 time in total.
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life

vscribe
Joomla! Enthusiast
Posts: 207
Joined: Thu Jun 01, 2006 3:16 pm
Location: Texas, USA

Post by vscribe » Tue Jan 01, 2008 6:08 pm

http://www.google.com/url?sa=t&ct=res&c ... 6hNL2ylUyA

http://www.securitytracker.com/alerts/2 ... 19145.html

http://seclists.org/bugtraq/2007/Dec/0360.html

These pretty much reference the same thing.

IF THIS is true, this should be patched for 1.xx immediately. Simply moving to RC4 is not the best answer as that would take planning.
cmsconnection.com/forum - the multi-cms forum

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Tue Jan 01, 2008 6:16 pm

EDIT: THIS POST HAS BEEN EDITED HEAVILY. I wish the Linux diff application I use did not have tabs - I sillily read the left window and right window the wrong way round the first time.

All the facts in the following post are publicly available by searching through the SVN. I'm not saying anything that even a basic hacker cannot work out themselves.

I have personally asked 3 core team members to comment in this thread; up to now, not one of them has.


The SVN logs show that to fix this security vulnerability several blocks of code have been added to almost all components bundled with Joomla 1.5 RC3.

These blocks of code relate to the checking of a token that is held/generated by the session object. This token is passed around by forms and checked before operations.

The same kind of principle (embed a known string into a form and check that known string when the form has been submitted) is also used in Joomla 1.0.13 but with different methods and different code. (It's called josSpoofCheck/josSpoofValue in J1.0.13.) But it is only used in the frontend of Joomla 1.0.13 and only in certain places.

The Joomla 1.5 RC3 principle was stored in the session object, whereas the Joomla 1.0.13 principle is not; it's regenerated after the form submission and then compared.
Last edited by PhilTaylor-Prazgod on Tue Jan 01, 2008 7:53 pm, edited 1 time in total.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

vscribe
Joomla! Enthusiast
Posts: 207
Joined: Thu Jun 01, 2006 3:16 pm
Location: Texas, USA

Post by vscribe » Tue Jan 01, 2008 6:19 pm

I'm leaning that way too. Seems odd that every single version would be affected.

Backup and prepare in case I suppose.

Zinho
Joomla! Apprentice
Posts: 23
Joined: Tue Jan 01, 2008 7:24 pm

Post by Zinho » Tue Jan 01, 2008 7:36 pm

Hi all,
I'm the one who found and fixed the CSRF bugs in Joomla. Also, I've published the advisory *after* a patch was available.
My name is Armando Romeo and I'm the founder of hackerscenter.com

The original version of the advisory can be found here: http://www.hackerscenter.com/archive/view.asp?id=28138

I'm posting to make some order, even if the advisory was quite clear.

RC4 version is *fixed*. It has been revised to include complete protection against CSRF attacks.
I *strongly* advise to switch to this version.

All the versions below, 1.0.x up to 1.5rc3, are vulnerable. At least no one on the Joomla team notified me of a patch for this. (I've talked to one of them 1 week ago.)


Unfortunately there is no quick fix for this issue. It is basically an attack the Joomla core didn't consider at all so fixing it means adding a lot of code to every form in the joomla backend.

NOTE: I've not released any exploit since a lot of portals still use 1.0.x (of course, since 1.5 is not yet supported by many 3rd party comp and modules). However an experienced hacker can find the CSRF easily and compromise your portal in a devastating manner.


I'm available for further clarifications
Webmaster and Founder of

Hackers Center Security Portal
http://www.hackerscenter.com

vscribe
Joomla! Enthusiast
Posts: 207
Joined: Thu Jun 01, 2006 3:16 pm
Location: Texas, USA

Post by vscribe » Tue Jan 01, 2008 7:41 pm

Your claim is a large one. I'm not saying that in disagreement, but rather, if all versions of 1.xx are exploitable, the core needs to know how to duplicate it and how to fix 1.012/1.0.13 at a minimum.


Can you clarify if there are certain extensions, or are you claiming the base code is vulnerable?

Zinho
Joomla! Apprentice
Posts: 23
Joined: Tue Jan 01, 2008 7:24 pm

Post by Zinho » Tue Jan 01, 2008 7:54 pm

The core doesn't know how to replicate it. I just got a PM from one of them asking me this, and I was just working to build an exploit for 1.0.13 to demonstrate it.

Once again, it is not a vulnerability they took into account, so it has just been there since Joomla was created, believe it or not. In the Joomla team's defence, CSRF is a vulnerability that is not very well known. It appeared in late 2004-5. Anyway, I wouldn't be severe with them. Google and Amazon were found to be vulnerable just last year.

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Tue Jan 01, 2008 8:03 pm

From what I know of CSRF the vulnerability would require me to be logged in to my Joomla admin and to then visit a web page that the hacker had set up....  So if I don't visit any hackers' websites I should be fine ;-) ;-)

I believe we had this once before in Mambo days....

musiczineguy
Joomla! Enthusiast
Posts: 200
Joined: Sat Nov 11, 2006 5:01 am
Location: East Greenbush, NY

Post by musiczineguy » Tue Jan 01, 2008 8:04 pm

Speaking entirely for myself here but...

Can't we knock off the cloak and dagger stuff, lay what's going on here onto the table and start working toward a fix?

The suggestion that tens of thousands of PRODUCTION web sites go from a stable version of Joomla to a release candidate is ridiculous and not an acceptable answer! If this issue is as catastrophic in the 1.0.x code as is being touted, then it needs to be addressed and taken care of in the 1.0.x code as well as in the RC code.

Where are the forum mods and developers on this??

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Tue Jan 01, 2008 8:09 pm

PhilTaylor-Prazgod wrote: From what I know of CSRF the vulnerability would require me to be logged in to my joomla admin and to then visit a web page that the hacker had set up....  So if I don't visit any hackers websites I should be fine ;-) ;-)

I believe we had this once before in Mambo days....
reading the wiki about it http://en.wikipedia.org/wiki/Cross-site_request_forgery

States clearly my point above and gives tips, including the one Joomla 1.5 rc4 has gone for (adding hidden form checks per token) and gives advice to users - to logout when finished administrating a site.

This probably does affect Joomla 1.0.13 - however you would probably need to have all the following to be compromised:
  • Logged into your Joomla Admin site (or your last session not expired)
  • All cookies still set from Joomla
  • Then visit a hacker's website and let him send in the background of the browser (maybe a hidden iframe) instructions to your Joomla site
A lot of ifs - and hardly the massive security issue that needs immediate instant glorification - but one that needs education of users and a fix developed quickly.

No cloak and daggers needed :-)
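Phil's two posts above describe the same mechanism from both sides: the 1.5 RC4 fix (a token held in the session, embedded in every admin form and checked before the operation runs) and the preconditions for the attack (admin still logged in, cookies still set, a third-party page submitting to the admin site in the background). The simulation below puts both into runnable form. It is an added example written for this page, not code from Joomla or from anyone in the thread; it is Python rather than Joomla's PHP, and the in-memory session store, the `saveUser` action name and the `token` field name are made up for illustration.

```python
import hmac
import secrets

# Constructed, in-memory "server-side" session store: cookie value -> session data.
# In Joomla the equivalent lives in the session object; this is a stand-in.
SESSIONS = {}


def login(username):
    """Create a session and return the cookie value the browser would keep.

    The per-session CSRF token is minted here, so it is known only to the
    server and to pages the server itself renders for this session."""
    cookie = secrets.token_hex(16)
    SESSIONS[cookie] = {"user": username, "token": secrets.token_hex(16)}
    return cookie


def logout(cookie):
    """Destroy the session. This is why 'log out when you are done' helps:
    a forged request arriving afterwards has no session to ride on."""
    SESSIONS.pop(cookie, None)


def render_admin_form(cookie):
    """Server renders an admin form, embedding the session token as a hidden field
    (the 'embed a known string into a form' half of the principle)."""
    session = SESSIONS[cookie]
    return {"action": "saveUser", "token": session["token"]}


def handle_request(cookie, fields, check_token=True):
    """Server-side handler. The browser attaches the cookie automatically, even
    when the request was triggered from another site, so the cookie alone cannot
    tell a legitimate submission from a forged one. check_token=False models the
    unpatched behaviour the thread describes; check_token=True models the token
    check, done with a constant-time comparison."""
    session = SESSIONS.get(cookie)
    if session is None:
        return "denied: not logged in"
    if check_token:
        supplied = fields.get("token", "")
        if not hmac.compare_digest(supplied, session["token"]):
            return "denied: invalid token"
    return f"ok: {fields['action']} by {session['user']}"


def forged_request_outcome(check_token):
    """Admin is logged in, then visits a third-party page that submits a form to
    the admin site. The browser sends the cookie; the third-party page cannot
    read the victim's session, so the token field is absent."""
    cookie = login("superadmin")
    forged_fields = {"action": "saveUser"}          # no token: attacker cannot know it
    return handle_request(cookie, forged_fields, check_token=check_token)


def legitimate_request_outcome():
    """Admin submits a form the server rendered for this very session."""
    cookie = login("superadmin")
    fields = render_admin_form(cookie)
    return handle_request(cookie, fields, check_token=True)


def logged_out_request_outcome():
    """Same forged request, but the admin logged out first."""
    cookie = login("superadmin")
    logout(cookie)
    return handle_request(cookie, {"action": "saveUser"}, check_token=False)


if __name__ == "__main__":
    print("no token check, forged request :", forged_request_outcome(False))
    print("token check, forged request    :", forged_request_outcome(True))
    print("token check, real form         :", legitimate_request_outcome())
    print("after logout, forged request   :", logged_out_request_outcome())
```

The token is stored server-side in the session and compared with `hmac.compare_digest`, which is the session-bound variant Phil attributes to 1.5 RC3/RC4; the 1.0.13 `josSpoofCheck` style, where the value is recomputed after submission rather than stored, is not modelled here.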

Zinho
Joomla! Apprentice
Posts: 23
Joined: Tue Jan 01, 2008 7:24 pm

Post by Zinho » Tue Jan 01, 2008 8:12 pm

Eheh, not visiting hacking sites is not a wise idea, you should instead visit them to learn how to better secure your websites, but this is just my opinion.
And no, I can post a remote image, if I am allowed to, on your website. You would load your website and load my remote image, that of course is my exploit url.
Or I can use an XSS to trigger the url on your pages. What if I use tiny url to hide the exploit and have you click it? I can name a lot of other means to have you visit a page of my choice.
You wouldn't have to click anywhere. You wouldn't notice anything.

I'm talking to a core-man of joomla. They should work on fixing 1.0.13 very soon

Ah btw, Wikipedia is knowledge for quick-people. Don't be quick. Read here: http://shiflett.org/articles/cross-site ... -forgeries

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Tue Jan 01, 2008 8:23 pm

Zinho - Thank you for your email, the points in my last forum post are confirmed by the details in your email.

Zinho - Please note I am not a core developer of Joomla - I never have said I was - but I am someone with a lot of experience here in Joomla/Mambo land.

Everyone, calm down!  This is not something that a hacker can write a bot to go off and destroy millions of sites overnight while all your Super Admins are asleep.

Yes, this is something that should be added to Joomla 1.0.13 so that everyone is protected in the future; it appears that Joomla 1.5 development has taken the rush off fixing Joomla 1.0.13.

Yes - there are many ways of embedding bad code to exploit this

Yes - Joomla 1.0.13 appears to be vulnerable to this (under the specific circumstances I mentioned, e.g. you need to be logged in and then visit a page that has this bad code in it, or click a bad link, or several other ways...)

The number one bit of advice I can give all site admins at the moment is to - LOGOUT OF YOUR JOOMLA ADMIN as soon as you finish using it, and do not surf around the internet while administrating your Joomla site, and if you allow users to modify your site's frontend, be careful not to surf your frontend as well while logged in.

Do not install any 3rd party components/mambots/modules/AND TEMPLATES!!! from untrusted sources

Do not click on any links in 3rd party components (like "click here for updates/upgrades") as this is one quick way for a developer/hacker to embed a link into your admin and create a desire to click it.
Last edited by PhilTaylor-Prazgod on Tue Jan 01, 2008 8:31 pm, edited 1 time in total.

musiczineguy
Joomla! Enthusiast
Posts: 200
Joined: Sat Nov 11, 2006 5:01 am
Location: East Greenbush, NY

Post by musiczineguy » Tue Jan 01, 2008 8:32 pm

PhilTaylor-Prazgod wrote:it appears that Joomla 1.5 development has taken the rush off fixing Joomla 1.0.13
Sorry if I gave the impression I was upset.. not the case... but comments like the one above are concerning.. it's scary to think the newer, shinier object might be getting the attention while the tried and true is being kicked to the curb.  I'm not saying that's what is happening, don't get me wrong -- but if it did happen it wouldn't be the first time...
PhilTaylor-Prazgod wrote: and if you allow users to modify your site's frontend, be careful not to surf your frontend as well while logged in.
Would you please clarify this last bit?  I want to make sure I understand what you're saying.

Thanks and you're right.. cooler heads will definitely prevail in this situation!  :)

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Tue Jan 01, 2008 8:41 pm

musiczineguy wrote:
PhilTaylor-Prazgod wrote:it appears that Joomla 1.5 development has taken the rush off fixing Joomla 1.0.13
Sorry if I gave the impression I was upset.. not the case... but comments like the one above are concerning.. it's scary to think the newer, shinier object might be getting the attention while the tried and true is being kicked to the curb.  I'm not saying that's what is happening, don't get me wrong -- but if it did happen it wouldn't be the first time...
http://dev.joomla.org/content/blogcategory/21/86/ wrote:Joomla! 1.0.12 is intended to be the last Stability Release in the 1.0.x series.
It was also said somewhere else, although I cannot find it now, that Joomla 1.0.13 would be the last version of Joomla 1.0.x

There has been no change to the Joomla 1.0.x source tree since August 2007
PhilTaylor-Prazgod wrote: and if you allow users to modify your site's frontend, be careful not to surf your frontend as well while logged in.
Would you please clarify this last bit?  I want to make sure I understand what you're saying.

Thanks and you're right.. cooler heads will definitely prevail in this situation!  :)
If you allow users to change any html of your site (for example to type the ) then in theory a bad user could embed a bad link and when you view that page the hidden [BAD CODE] triggers a series of [THINGS] that does [BAD] things to your site..

[THINGS] in square brackets are an attempt to keep the finer details secret at this time - all these things can be found out with a little research.

Zinho
Joomla! Apprentice
Posts: 23
Joined: Tue Jan 01, 2008 7:24 pm

Post by Zinho » Tue Jan 01, 2008 8:48 pm

Zinho - Please note I am not a core developer of Joomla - I never have said I was - but I am someone with a lot of experience here in Joomla/Mambo land.
True true, my mistake sorry.
But I have to add that I reported this issue on 12/4/2007 giving full working exploits. I reported it also on 1.0.13. But it was fixed only in 1.5rc4. Don't ask me why.

I would also advise not to allow user additions on your frontend. Avoid posting urls/images into your comments. Beware of tiny url and similar services.
For the rest, Phil knows what he's talking about, so listen carefully to his advice.

musiczineguy
Joomla! Enthusiast
Posts: 200
Joined: Sat Nov 11, 2006 5:01 am
Location: East Greenbush, NY

Post by musiczineguy » Tue Jan 01, 2008 9:39 pm

PhilTaylor-Prazgod wrote: It was also said somewhere else, although I cannot find it now, that Joomla 1.0.13 would be the last version of Joomla 1.0.x
Understood, but considering there is no stable release of 1.5, hopefully this type of a situation warrants a security patch at the least.

PhilTaylor-Prazgod wrote: If you allow users to change any html of your site (for example to type the ) then in theory a bad user could embed a bad link and when you view that page the hidden [BAD CODE] triggers a series of [THINGS] that does [BAD] things to your site..

[THINGS] in square brackets are an attempt to keep the finer details secret at this time - all these things can be found out with a little research.
Yes, [THINGS] and [BAD CODE] are perfectly fine for me as I now understand where you're coming from and don't need to know the details, was just looking for direction.  Thanks!

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Tue Jan 01, 2008 11:04 pm

This post contains a working solution

Well, it has taken me less than 2 hours to patch Joomla 1.0.13 to make it just as secure as Joomla 1.5 RC4 by backporting some code (and changing it slightly!) and then modifying almost every admin function in the Joomla 1.0.13 Admin Console.

Attached is a CSRF.patch patch file that can be used to patch the Joomla 1.0.13 code to provide token checking in admin.

Attached is a CSRF.diff diff file that can be used to see the differences between two folders, one with fixed (patched) files and one with Joomla 1.0.13 latest svn files
/joomla1013FIXED
/joomla1013ORIGINAL

This vulnerability was classified by the Joomla core development team as a "SECURITY A5 [HIGH] Critical CSRF Vulnerability" for Joomla 1.5 and was addressed immediately and a new RC4 was released.

Let's hope that the core team can patch Joomla 1.0.13 soon and release a Joomla 1.0.14 to address this
"SECURITY A5 [HIGH] Critical CSRF Vulnerability" in Joomla 1.0.13
You do not have the required permissions to view the files attached to this post.
Last edited by PhilTaylor-Prazgod on Tue Jan 01, 2008 11:08 pm, edited 1 time in total.

vscribe
Joomla! Enthusiast
Posts: 207
Joined: Thu Jun 01, 2006 3:16 pm
Location: Texas, USA

Post by vscribe » Tue Jan 01, 2008 11:08 pm

Phil

Do you think you could provide a 1.0.12 for those folks who can't upgrade (yet) to 1.0.13 due to extension issues?

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Tue Jan 01, 2008 11:10 pm

vscribe wrote: Phil

Do you think you could provide a 1.0.12 for those folks who can't upgrade (yet) to 1.0.13 due to extension issues?
No.

Joomla 1.0.12 has security issues all of its own :-) 
And I never endorse the running of older software :-) :-)
And the wife wants some of my time tonight (Already 11:11PM!)

vscribe
Joomla! Enthusiast
Posts: 207
Joined: Thu Jun 01, 2006 3:16 pm
Location: Texas, USA

Post by vscribe » Tue Jan 01, 2008 11:12 pm

Good luck with that, Phil.

Thanks

elkuku
Joomla! Intern
Posts: 97
Joined: Sat May 13, 2006 11:51 am
Location: Atacames

Post by elkuku » Tue Jan 01, 2008 11:13 pm

Thanks a lot Phil :)

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Tue Jan 01, 2008 11:30 pm

I have sent an open letter to Johan/Andrew/Louis asking for this to be fixed in Joomla 1.0.
Last edited by PhilTaylor-Prazgod on Tue Jan 01, 2008 11:33 pm, edited 1 time in total.

vdrover
Joomla! Guru
Posts: 609
Joined: Fri Mar 03, 2006 3:26 pm
Location: Canuck via MKE

Post by vdrover » Wed Jan 02, 2008 3:31 am

musiczineguy wrote: The suggestion that tens of thousands of PRODUCTION web sites go from a stable version of Joomla to a release candidate is ridiculous and not an acceptable answer! If this issue is as catastrophic in the 1.0.x code as is being touted, then it needs to be addressed and taken care of in the 1.0.x code as well as in the RC code.
Having everyone upgrade immediately to 1.0.13/.14 is not much better than upgrading to 1.5 RC4. As has been noted many times on these forums, 1.0.13 has many bugs. Do these bugs outweigh the security enhancements gained in 1.0.13 (which were described as 'low-risk security fixes' in the 1.0.13 release announcement)? Seems like we need a little support here for the popular versions preceding 1.0.13.
Victor Drover
https://watchful.net - Remote backup, update and security monitoring for Joomla.

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Wed Jan 02, 2008 10:00 am

vdrover wrote:
musiczineguy wrote: The suggestion that tens of thousands of PRODUCTION web sites go from a stable version of Joomla to a release candidate is ridiculous and not an acceptable answer! If this issue is as catastrophic in the 1.0.x code as is being touted, then it needs to be addressed and taken care of in the 1.0.x code as well as in the RC code.
Having everyone upgrade immediately to 1.0.13/.14 is not much better than upgrading to 1.5 RC4. As has been noted many times on these forums, 1.0.13 has many bugs. Do these bugs outweigh the security enhancements gained in 1.0.13 (which were described as 'low-risk security fixes' in the 1.0.13 release announcement)? Seems like we need a little support here for the popular versions preceding 1.0.13.
remember - there is no such thing as an UPGRADE from Joomla 1.0.x to Joomla 1.5.x - it is a migration and a whole new way of doing things....

You are right about Joomla 1.0.13 having issues - all the more reason for a Joomla 1.0.14 !!! I, along with others, fear that Joomla 1.0.x has now been forced to the back burner while Joomla 1.5 development takes place...

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Wed Jan 02, 2008 11:03 am

Well I have received two replies from 2 out of the three lead developers of Joomla.

1 reply was two words long.

1 reply stated that it would be several weeks before people would be put on this, and that it requires many changes to files and a lot of testing...

My reply:
While I appreciate that this touches many files, why does that take weeks when it only took 4 days to patch Joomla 1.5 ?

There are a lot of people (Developers with lots of experience) that are concerned about this, and willing to help, and also to get the other major issues in Joomla 1.0.13 fixed as well - such as the admin task values issue. I don't see why this should take weeks.

The actual work I did took a few hours and can be well tested in a day or two.  Waiting weeks just to get people on the case is really not appropriate.  It has already been 4 weeks since the security vulnerability was reported (on the 4th December)

Kindest regards
Phil.
I know this thread is being closely monitored by several popular community members - this issue should be addressed NOW and not in weeks!

Websmurf
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands

Post by Websmurf » Wed Jan 02, 2008 12:04 pm

PhilTaylor-Prazgod wrote: this issue should be addressed NOW and not in weeks!
I quite agree.
There are quite a few Joomla 1.0 installations out there, and quite a few who do not want to migrate to Joomla 1.5.
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Post by PhilTaylor-Prazgod » Wed Jan 02, 2008 12:11 pm

I have been chatting to Andrew Eddie about this - I just managed to create a super admin account on his new live site (hehehehe) so I think I managed to get his attention :-)
Last edited by PhilTaylor-Prazgod on Wed Jan 02, 2008 12:26 pm, edited 1 time in total.

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Post by masterchief » Wed Jan 02, 2008 1:06 pm

The least you could have done was give them the link to send a bit of traffic that way :P  Anyway, yes, it's in the pipe.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
