[HSC] Multiple CSRF in Joomla all versions - Complete compromise

Discussion regarding Joomla! security issues.

invisible_ch
Joomla! Fledgling
Posts: 1
Joined: Tue Aug 29, 2006 10:42 am

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by invisible_ch » Sat Jan 12, 2008 3:50 pm

Hi,
Well, I published it *after* the patch for 1.5 was released, that is after actions were taken...
Yes, I think that's very gentle on your part, but what about all the 1.0.x installations (and I think these are "some" more)? I think everyone knows that the Dev-Team does hard work and I thank them for this.

In the meantime I hope Phil Taylor was right when he wrote
I'm sure that the Joomla Core Dev team will make another release of Joomla 1.0.x soon!
So long, Dany

Rooney
Joomla! Apprentice
Posts: 23
Joined: Fri Jan 27, 2006 5:06 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by Rooney » Sat Jan 12, 2008 5:29 pm

Zinho wrote: You're a bit out of time with your post...

Well, I was following the posts here quite closely. So far there are big discussions in the (German) Joomla world. And, because other systems are affected too, other professionals are aware of the problems too. But now, at least in Germany, it has reached another level because this magazine is well known and even non-IT publications are now writing about it referring to this article. Customers will read it!

It would be easy for me to say to my customers: Yes, I know, I am aware of it. Other systems have the same problem. I already updated the website system with an official security fix. Don't worry!

All I wanted to say with my post was: I cannot do this because even after more than four weeks there is only a fix for a release candidate but not for the stable version...

It's all about priorities!

Rooney

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Sat Jan 12, 2008 5:35 pm

It's all about priorities!
I have to agree with you - and my frustration about this has already been made clear in this thread - however what is done is done, Andrew has already made the changes to the SVN ready for Joomla 1.0.14 - along with other small fixes.

If you really are in a rush to update sites then you can use the SVN version of Joomla 1.0.x - there should not be much difference between that and Joomla 1.0.14 once it is released (And of course only if you have made no modifications to core Joomla files!)
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

Zinho
Joomla! Apprentice
Posts: 23
Joined: Tue Jan 01, 2008 7:24 pm
Contact:

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by Zinho » Sat Jan 12, 2008 5:43 pm

Well, I agree with you. Priorities mean that such a security bug must be handled well before errors in showing pop-ups or incompatibilities with browsers used by 0.01% of the internet population.

Having said that, I want to remind you that Joomla is a free project. You don't pay for it. And in my opinion (but I don't have any position in the Joomla hierarchy) people can't complain too much. They must know the risks of running AS-IS software. I would add that if you don't want to handle such problems and wait weeks, a better solution is to write your own CMS, as I did a long time ago and never had any security issue. And patching it meant minutes or at worst hours. It wasn't rendered on browsers used by 0.01% of the internet population, but it is still bug free.


Joomla is a wonderful example of great stuff for free. The security level is high. The usability is super. Much better than any other paid CMS that I had the luck (sorrow) to try.

The handling of this issue was a disaster in my opinion, in communication (completely absent: until I published the advisory no one knew about this, and the Joomla team never bothered to warn anyone about it) and in speed of solution.
But they are volunteers, or at least so they claim, so I wouldn't be too severe with them.

Btw, can you tell me which magazine is going to talk about this issue?
Webmaster and Founder of

Hackers Center Security Portal
http://www.hackerscenter.com

Rooney
Joomla! Apprentice
Posts: 23
Joined: Fri Jan 27, 2006 5:06 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by Rooney » Sat Jan 12, 2008 6:30 pm

I love Joomla!!! I really do. I have been using it (and Mambo in the earlier days) for more than 4 years now. And I am supporting Joomla commercially in many ways (e.g. paid template or component development).

I just think there could be a little bit more marketing (or better: open market communication), and it seems that sometimes priorities are set differently than I would set them. And I think that open communication is crucial for an Open Source project.

One example: Not everybody is reading the boards. Many users do not even speak English. There is still no official news on Joomla's frontpage or in the developers' blog. I am not complaining here, I just think that it would be good to communicate this issue openly. But I guess many things have been said in the past about that and other topics.
Zinho wrote: Btw, can you tell me which magazine is going to talk about this issue?
Anyway, there has been a post on the c't magazine's homepage http://www.heise.de, and often popular pages like Spiegel Online (http://www.spiegel.de) follow a little bit later referring to c't. Spiegel has a special "Netzwelt" section for web news. FAZ has the same (http://www.faz.de).

Rooney

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by masterchief » Sat Jan 12, 2008 10:30 pm

More information about priorities, and "which" version will be released first will be available soon.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

mhwatson
Joomla! Explorer
Posts: 476
Joined: Thu Aug 18, 2005 10:26 am
Location: North Yorkshire, UK
Contact:

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by mhwatson » Sat Jan 12, 2008 11:37 pm

Hi,

This is all rather unsettling. Surely priority would be given to the 1.0.* users, since they represent the largest number of live installations, rather than those running RC versions, which presumably (and according to advice given on this site i.e. 'not for production sites') wouldn't be live sites anyway?

Martin.

avalon
Joomla! Apprentice
Posts: 11
Joined: Tue Jan 03, 2006 10:41 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by avalon » Mon Jan 14, 2008 12:34 am

Good news, 1.0.14 is very close.  Details of the release candidate 1.0.14RC1 can be found here.

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by masterchief » Mon Jan 14, 2008 12:40 am

That's right.  Main article is here:
http://www.joomla.org/content/view/4446/1/

With over 2 million sites out there we want to make sure this release doesn't make matters worse. Any help with testing of this RC would be appreciated (report issues on the bug tracker please, not here).

Please note that the main aim of this release is to address known security issues.  We will be trying to devote additional resources for a 1.0.15 to fix other bugs and general annoyances over the next few months.  Don't have any timing on that - it just depends on how it fits into everything else that's going on.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

Siddan
Joomla! Explorer
Posts: 458
Joined: Wed Oct 18, 2006 10:23 am
Location: Somewhere over the Rainbow

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by Siddan » Mon Jan 14, 2008 1:25 pm

Great news about the patch.
I have read the whole thread and first learned of this issue from a newsletter from Joomlashowroom. They mailed this out on January 4th.

Anyway, there is just one question I have not been able to find an answer to.
When logged in as a general admin, not super admin, then no one can create a new super admin user, right?

Just like on Windows: I have an administrator account and user accounts, and I do not log on to my administrator account just to surf around.
In Joomla, after I am done with all the basic stuff, such as installing components and adjusting the global settings, I log out and log in as a normal admin, who just has enough rights to adjust the components.

So I wonder if this helps in any way?

Also a suggestion, if it hasn't already been mentioned:
Since I do not believe admin users are created on the fly, I would like the idea of requiring any admin who is able to create a new admin user to enter a separate custom password whenever a new admin is created. By custom password I mean a password that has been created once for doing a task like this.

If I understand this correctly... no one else can delete, add or edit unless a new admin has been created from an outside hack?

Zinho
Joomla! Apprentice
Posts: 23
Joined: Tue Jan 01, 2008 7:24 pm
Contact:

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by Zinho » Mon Jan 14, 2008 10:25 pm

Anyone can add/edit/delete anything without issuing the super administrator hack. The thing about super administrator addition was just the best example, but not the only possible attack through CSRF.
Webmaster and Founder of

Hackers Center Security Portal
http://www.hackerscenter.com
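The point made in the exchange above, as an added illustration that is not Joomla's code or the advisory's: a handler that trusts only the session cookie honours a forged cross-site POST, because the browser attaches the admin's cookie to it, while a lower-privileged session only narrows what the forged request can do. The hardened variant adds a per-session token that a foreign page cannot read. All session and user data here is constructed in memory; the function names and messages are assumptions for the example.

```python
import hmac
import secrets

# Constructed, in-memory stand-ins for a CMS session store and user table.
# Illustrative code only, not Joomla's own implementation.
SESSIONS = {}   # session id -> {"user", "role", "csrf"}
USERS = {}      # username -> role
ADMIN_ROLES = ("administrator", "super administrator")

def login(user, role):
    """Start a session and mint a random per-session anti-CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "role": role, "csrf": secrets.token_hex(32)}
    return sid

def form_token(sid):
    """Token the server embeds as a hidden field in its own admin forms."""
    return SESSIONS[sid]["csrf"]

def add_user_vulnerable(cookie_sid, form):
    """Pre-patch shape of the handler: it trusts the session cookie alone.
    The browser attaches that cookie to a POST a foreign page triggered, so
    the role check passes and the forged request is honoured."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None or sess["role"] not in ADMIN_ROLES:
        return "denied: not an admin"
    USERS[form["username"]] = form["role"]
    return "created"

def add_user_protected(cookie_sid, form):
    """Hardened handler: same role check, plus a per-session token that a
    cross-site page cannot read or guess, compared in constant time."""
    sess = SESSIONS.get(cookie_sid)
    if sess is None or sess["role"] not in ADMIN_ROLES:
        return "denied: not an admin"
    supplied = str(form.get("token", ""))
    if not hmac.compare_digest(supplied.encode(), sess["csrf"].encode()):
        return "denied: bad or missing CSRF token"
    USERS[form["username"]] = form["role"]
    return "created"

def demo():
    """Replay one forged and one legitimate request against both handlers."""
    sid = login("dany", "administrator")            # constructed victim session
    forged = {"username": "new_admin", "role": "super administrator"}  # no token
    legit = dict(forged, token=form_token(sid))     # submitted from the real form
    return {
        "vulnerable_forged": add_user_vulnerable(sid, forged),
        "protected_forged": add_user_protected(sid, forged),
        "protected_legit": add_user_protected(sid, legit),
    }
```

A session logged in with a non-admin role is refused by both handlers, which is the limited benefit Siddan's role-separation habit buys: it bounds what a forged request can do, but does not stop forged requests within that role.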

Siddan
Joomla! Explorer
Posts: 458
Joined: Wed Oct 18, 2006 10:23 am
Location: Somewhere over the Rainbow

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by Siddan » Tue Jan 15, 2008 11:23 am

ok gotcha

evaluation
Joomla! Apprentice
Posts: 13
Joined: Sun Mar 19, 2006 10:11 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by evaluation » Sun Jan 20, 2008 5:10 pm

I downloaded and installed it. Is there a way to test if the patch works?

szenenight
Joomla! Apprentice
Posts: 6
Joined: Tue Jun 06, 2006 6:13 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by szenenight » Wed Feb 06, 2008 1:11 pm

Is there a time when 1.0.14 is going stable?

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia
Contact:

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by masterchief » Wed Feb 06, 2008 9:40 pm

I've some J1.0 time down in my diary for tomorrow (all things going well) so I'll let you know how close we are after that.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
