Joomla! Discussion Forums

I hope Andrew has deleted my Hackers Super Admin Account - else this could be classed self promotion ;-) ;-) ;-)

umm what were those TWO WORDS?





if one of them were \'OFF\' and the other started with \'F\' dont bother tho!


p.s. Is this more dangerous as a practical sense, than Joomla defaulting RegisterGlobals emulation on for \'compatibility\'  (albeit with warnings that are often unread/misunderstood)?

Sorry - i worded that badly - not meant to imply a negative - the two words were "thanks Phil" :-)

Under the right circumstances (1) You visit a site with [BAD] in it, could even be your site, 2) You are logged in to Joomla admin) I can create a super admin and do anything I like from there on....

well!

*Thanks Phil* sure sounds a lot better than the possibility that i was fearing!
(It is always better to be treated dismissively than abusively I always say!)

I wish I could, but I dont even know how to begin using that \'diff\' bit you attached

any hope you could upload it as actual Joomla .php files?

or sell it even via paypal?


I really dont have the stomach or time to go fiddling while this issue burns


I do find it incredulous the claim that the Joomla DEVS knew about this from DECEMBER 4???!!??

that is really unfair insinuation against these hard working guys! I mean, I  ddont know them personally, but based on previous statements I\'ve read (and re-read) I know they wouldnt have allowed this to go un patched!

Dear cariboo,



Read the date of my post here : http://joomlacode.org/gf/project/joomla ... em_id=8361

It is 3rd December, I got them back to me on 4rd and gave them my exploits, and the patching code I gave them applies 99% for 1.0.13 as well as 1.5. Just little changes must be made.

And you know what? I didn't even have received the correct credits for the discovery of the bugs. I had to mail them back in order to receive at least my name in a stupid changelog. And please be kind, because I could post the entire exploit in my advisory since Joomla team had "officially" patched it and I published this vulnerability after 7 days from the rc4 release. 1 month after my discovery.

Also I want to make it very clear: if I didn't publish the advisory all over the web, 99% of people out there using Joomla wouldn't even be aware of this issue.

In my experience, I never found a faster response to one of my bugs like with Joomla. Unfortunately they just forgot to patch all their versions...

I have a bad experience with another commercial company, that made me pay 400$ to have their buggy programs. They didn't even allow me to scan their app on a trial copy.  I won't give them any pre-warning before I will publish my advisory, with full exploit this time.

So you should at least be satisfied of Joomla approach. Because it is the best you can ask at now. Security nowadays comes much after nice ajax menus, web 2.0 stupidity and wysiwyg.


So back to cariboo, before using words like "unfair" or "incredulous", pls use google. Thanks

@ Zinho - don't sweat the noise.

Thank you - you did the right thing, irrespective of anyone else's actions.

Vscribe

wow Zinho you were right!

I still cant believe it though, even tho its true ....


why, do you think, they refuse to publish security patch for 1.13? could it be they want people to switch to J 1.5?

this is not good.

p.s. Good work again Zinho.

I'm not sure why they did so. My only guess is that they under estimated the threat. I'm sure they are also full of tasks for the new release.

But as you can read from my Bug tracker post I mentioned that the bug affects all Joomla versions. So I'm sure there were no misunderstanding on that.

In the end Joomla is the effort of volunteers, noone is charging you money and noone is assuring any quality level.

Although you have to know that I found those bugs because I took the whole Joomla code and audited it because I do want it to run the new version of my website. My portal has been powered my own 11000 lines of *secure* asp code and I would change it only for something better. So you can be pretty sure Joomla is a great piece of big code 

I also found some other less important bugs but still important like the com_poll XSS that can allow anyone allowed to post new polls to deface your site. If you allow untrusted ppl to post new polls you'd better upgrade to last SVN version.

http://joomlacode.org/gf/project/joomla ... em_id=7358


P.S. Thanks Cariboo eheheh, it's my job/fun to find bugs...

Thank you very much Zinho

Here is my simple question: does the CSRF vulnerability applies also to a J!1.0.13 with phil tayolr's patch ? 
In other words, does phil taylor's patch fix the vulnerability issues?
Or only your patch , adapted from 1.5 series,  works for 1.0.13 ?



Best Regards
Have a nice day

I'll throw my apologies in here too.. I think I'm right there with Cariboo regarding disbelief that something like this could go unanswered or at least unchallenged for three weeks.  You absolutely are doing the right thing here!




You said it more eloquently than I did.. and you're absolutely right!  Even if there WAS a stable version of Joomla 1.5, it's not like we could just convert tens of thousands of websites to the new version overnight -- or even that we should...    The fact that there isn't a stable version, upgrade or retool notwithstanding underscores the importance of patching the current stable version.  Call it a patch, call it 1.0.14.. what's in a name anyway.. but the fact we've had this long a discussion about it scares me.. Zinho is right.. this should have been done already!

But anyway, I would like to test your fix.. anything in particular I should be looking for?

I've not had the time to go through all the lines of Phil's patch. But I saw he used the 1.5 method to fix the issue. So I guess he did it correctly.

It corrects the issue for 1.0.13, so once you apply it, 1.0.13 won't suffer from CSRF.

I advise you to take a couple of hours (or even less if you're familiar with your joomla distro) and go trhough the diff file and apply your patch (it's just a matter of copy and paste into the right place, nothing scaring believe me).

No words were said about the patch. So if you want to learn what's behind the scene, read on.

Patching means generating a random token on the page that hosts the critical form (new user creation for example).
This token is usually an md5 hash of a random string.
This token is added to the form in form of a hidden field and simultaneously saved into  session vars of the user.

This token is then checked in the php page that gets the data being passed from the form page.
It basically checks that the token being passed with POST or GET matches the one saved in the seession.
This basically prevents the session hijacking that is achieved through the CSRF attack.
(In case I, as super admin of my site, would be tricked into clicking on a malicious link my token stored in the session var wouldn't match and I wouldn't harm my own website).

Hope this helps understanding what we are talking about...

This forum allows remote images ... I hope it checks for a valid image

Lol.

Good work Zinho, and thanks for taking the time on this.

I see that in the last few moments changes have been made in the Joomla 1.0.13 SVN tree

The changes are not anything like my patch but they use functions josSpoofValue/josSpoofCheck which are equally as valid solutions and reuse code already in Jooma 1.0.13

Once these have been tested I am sure they will be released - its only a shame that it took all this pressure to get this to the right level to get action on joomla 1.0.x code base and get the developers attention from the nice shiny new coin of Joomla 1.5 - 4 days to fix 1.5 - 4 weeks+ to fix Joomla 1.0.x

I strip and change into a full flowing toga and sandals for the following...


All Hail Phil-Taylor!
All Hail zinho!

Let it be said that even if you cant \"Lead a stubborn mule to water and make him drink\", you can \"Lead him to code and make him issue updates!\"


umm... lol?

Ok let's get some things clear here.

Phil, thankyou very much for bringing things to my attention but be *very* careful how you decide to put "spin" on our private exchanges.  As soon as I saw your mail I passed it onto other appropriate people and flagged and gave you a polite reply that it was being actioned and would take a couple of weeks to rise to the surface - why, because at that time we are days away from 1.5 stable and are concentrating on that, and then it generally takes a week to properly prepare, test and deploy a release.  Adds up to 2 weeks - savvy?  I and Joomla! have always taken security issues very seriously, and always will.

Secondly, thankyou Zinho for your patches.  We usually don't acknowledge credits that much in the changelog (because then we get "why is my name not in too" stuff) but it was appropriate that you should have been credited with the find.  It slipped through because it came in at an unusual time and the actual exploit was handled by a team and an event - so what normally would happen didn't because we didn't handle it in the normal way.

Finally, we are still working on optimising the solutions (in other words, how can we make this as easy as possible for developers to remember what to do) for this for those that are interested so source trees are going to be changing for a while.

:mad: Thanks Masterchief! It\'s all too clear now!

[edited personal flame]

4 weeks to put in code that has already been supplied by a security researcher is really not a long time in the grand scheme of things. The important thing is that J 1.5 (THE NEXT GREAT THING) is ALMOST READY -we, all of us must all do our part ( parts?) to make this happen and if it takes being hacked by some Christmas Turkey, I for one am prepared to bite the bullocks!

Altogether, as a whole, etc!

No it's not all Phil's fault - I actually overlooked some things in Chris Shifflet's article that didn't help so I need to take a lot of the blame - but let's just keep things above board.

The next problem we have is to second guess is techniques for token theft ... it just keeps getting better.

I can see the point of anger and desperation here.. being told by three separate sources in the last two days that this CSRF vulnerability wasn't addressed right away because the development staff was more focused on the 'new' Joomla than the 'old'...  That is a really bitter pill to swallow and it makes people like me nervous going forward as we have to wonder whether the next big thing will be pushed to the back of the bus when the NEXT next big thing comes along..

But before emotions get out of hand, the important thing to remember is not what could have been done, but what is being done.  This issue definitely has the attention of the development team now and there appears to be a workable solution in the pipeline.  Let's concentrate on what needs to be done to get this behind us so that everything is back on track again!

Andrew,
I've sent you the solutions for the token theft.

And anyway, token theft is much better than not using a token at all since it would require a very motivated hacker and some further knowlege. At least add the token while the solution I mailed to you are developed.

I don't care about your credits to my work, I got my credits through the advisories and the article I'm writing for hakin9 and other similar press magazines.
I just want to have a piece of stable code to run my website, that's why I'm helping and not blaming you. Even though no one should be blamed for what happened apart who is in the position of releasing patches/new patched versions, that is the Joomla team.
Phil took part of his spare time to produce a temporary quick fix. Let's give him some respect.

As you can read from my previous posts in this thread, I tried to spend some nice words about the great job you do as volunteers, and I'm acting professionally cause I love what you do and the results of what you do.

I'm still available to help more on joomla security and also have in mind some more structural security improvements that would strongly mitigate 3rd party vulnerability impact. If you're interested we can discuss about it.

Hi Phil.

I have read some other folks have the same question I do...how can we implement the patch that you released...any pointers would be mucho appreciated.

Jason

I'm not sure what exactly I am being accused of doing wrong.

some facts - with no hype:

The vulnerability was reported to the core developers on the 3rd or 4th of December.
Within 4 days Joomla 1.5 SVN was patched
A little time later Joomla 1.5 RC4 was released stating this was a high security A5 vulnerability.

Two Core Joomla developers, one himself in this thread, have stated that the reason Joomla 1.0.13 has not been patched with the same vigor is that developers are concentrating on the release of Joomla 1.5 in the next few days - therefore proving that in the eyes of the developers getting a stable release of software that no one is using is more important than fixing software in use by millions of websites. Fact.

Until I personally got on the case, emailing lead developers and making a fuss about this NO ACTION WHATSOEVER had been taken to patch Joomla 1.0.13 SVN at all - FOUR WEEKS AFTER THE REPORT and SEVERAL WEEKS after Joomla 1.5 RC4 categorized it as a [Security High A5] vulnerability.

Andrew has already said that developing, testing and releasing a new version of Joomla 1.0.x would take weeks - so we can expect to wait an even longer time - possibly 5 or 6 weeks after the initial vulnerability report. Within hours of making a fuss about this changes were being made to Joomla 1.0.x SVN tree

I believe a special team was set up to maintain Joomla 1.0.x tree - separate developers from the developers working on Joomla 1.5 - is this not the case now?

If you are angry that I made a fuss then I will not be sorry - it is a fact that nothing has been done to protect the community that Joomla are relying on to make Joomla 1.5 a success

Would it be so difficult to make a core team blog post or joomla.org announcement with some helpful tips (like logging out when finished administrating and not browsing around while logged in) That doesnt take weeks does it.

If anyone should be taking the blame it should be the Joomla Core Developers - for single mindedness - for blinkered support of Joomla 1.5 and pushing to get that released as stable while Joomla 1.0.x suffers, and leaving the community running insecure software, without even so much as a warning blog post.

FOUR WEEKS with no action for Joomla 1.0.x and FOUR DAYs for a solution Joomla 1.5 says it all in my mind,

And I am not in this for the glory as I have been accused of - If I was I would be a hacker.





......and lets not get started on the other issues that have been in Joomla 1.0.13 unpatched since its release - important issues like the Joomla admin task values issues...  Are we to believe these will never be fixed now that Joomla 1.5 will be released? According to some developers only security issues will be fixed in Joomla 1.0.x, which doesn't include bugs does it!

My official reply: Wait for the official release from Joomla Core Developers, while crossing your fingers and following the advice in red bold font in my previous forum replies...

diff files can be applied using the linux command line "patch"
See: http://www.hmug.org/man/1/patch.php for patch documentation

for windows:
http://gnuwin32.sourceforge.net/packages/patch.htm

Phil and Andrew, all I have wanted has been fairly simple, IF 1.0x is compromised, confirm it and tell me what to do about it. As far as us users know, what has been done prior to this thread beginning? Nothing. What has the Core done to the problem since then, nothing much. Where is the Announcement from the Core about this?

It is silliness to suggest that resolving the problem in 1.5 was all that had to be done yet the 1.5 changelog clearly shows that 30 tasks were completed and the problem was signed off. Why was it signed off when nothing had been done to 13? If it was posted as a High Security Problem then it had to be fixed. Just how long were the Core going to leave the vast majority of Joomla sites vulnerable before they got around to doing something?

I have played a little with 1.5. Once it becomes stable I will see what problems there are in transferring my sites over to it. It might be June or even next Christmas before I am going to use 1.5 in a production environment. I just do not give a toss that it was fixed in 4 days for 1.5. That wasn't anywhere near as urgent - after all it was still only a Beta and RC - compared to the huge numbers of vulnerable sites out there.

The policies that led to such an abandonment should never be allowed to continue. Development is of course important, but for the sake of a very small minority of testing sites compared to countless production sites Core chose to fix 1.5 and ignore the rest of us. Why?

Andrew, please don't pick on Phil, he was about the only one that came near the thread that knew the extent of the problem and how it might be resolved and he offered a fix. I have no idea how to apply the fix but I guess I will have to do that because there still isn't any work from Core on what I should do.

Until we saw you Andrew, we were wondering just why the Core had decided to stay quiet because it really looked like we were being deliberately ignored. But that isn't right, is it?

When the core fixed 1.5 and did nothing about 1.x I for one suggested that perhaps that meant that it didn't affect 1.x. My apologies Zinho, I was wrong in my assumption and I freely admit it. What I thought was no reason to worry was actually ignorance of the policy decision agreeing to let us flounder. I must thank you sincerely for taking the time to share your information with the developers, for joining and staying in the thread, for helping Core understand the problem, for providing code to them so they could put the fix in place, and for still hanging in there helping.

Andrew, you and the Core could now do the right thing and take a look at what happened and instead of offering excuses, find out what went wrong and straighten out the policies and decision tree so we don't get left in the lurch again. They could make an announcement and apologise to the rest of us site owners for letting us down and leaving us vulnerable when it is supposedly only 4-8 days to provide a fix and we are still waiting over a month after they were advised.

We cant fix it, we just don't have the knowledge. But we can listen to announcements, we can change our logging on and off practises, we can support the Core IF we were told what was happening. Please stop faffing around any more on this, the compromise is real, the files need to be fixed. We need this vulnerability closed and the development policies reviewed.

Phil made it pretty easy to understand. I appreciate what the Joomla core team has done. The compromise is not something that is likely to happen to most sites. As long as the Joomla core team is aware of the problem and is taking it seriously i don't have any issue. I am hoping that the current stable version of Joomla will become the focus of support rather than a new version that is not suitable for production sites.

As I have said before, I am not a developer. I am a sysadmin and project manager with over a decade experience managing some pretty large websites. The Joomla team has been very upfront about development efforts and the Joomla application itself is very safe. I have been involved with Metadot, Zope, Plone and a few others over the years.

Let these guys do their thing and employ safe admin practices.

Best regards

Jason

I have not tried and I am not 100% sure of it, but this forum is an example of a possible way to mount an attack to your website. It allows remote images to be used. If one wants to specifically hack *your* website this is possible.
Once again no reason to worry here. It was just an example. If I know your habits I can mount an attack to you where you wouldn't expect it.

Maybe you mean it's not likely to have a mass deface. No, that is not easy to achieve since it requires your action.

And btw, Phil ported the patch I gave for 1.5 to 1.0.13. The patch is basically the same.

I would expect more concern from a sysadmin running big webistes. That's the main reason why the internet is unsafe.

I am not saying I am unconcerned. I am saying the Joomla team has been better than most open source cms teams in providing patches and open discussion of the issues. I am sorry if my comments were taken in way as to suggest that I am cavalier about this. Everyone on my team is very concerned about this and are watching this forum for a speedy resolution. We spend a lot of time analyzing security issues where I work.

I asked Phil for some explanation on his patch as I am not a developer and am not sure how to implement what he released.

I appreciate you coming forward and making known this problem.

Best regards

Jason

To the core devs:

Simply this. Now that the genie is out of the bottle, when can we expect a fixed version for 1.x?

thank you

Cutting through the politics - If you are reading this and wondering what you can do to stay safe until the next release then follow these instructions:


  - ALWAYS click LOGOUT in Joomla Admin when you finish
  - NEVER browse other websites while logged in to Joomla Admin
  - If you allow users to upload/modify your site (E.g. Community Builder) then don't browse/or limit your surfing of your own site while logged in to Joomla Admin
  - NEVER click on links to "Upgrade this component" in 3rd Party Components or even the Joomla Core check
  - NEVER browse forums while logged into Joomla Admin

Hi Phil,
Does this fix address any XSS exploit (Like this one: http://forum.joomla.org/index.php/topic,222837.0.html)?

Thanks for the great work, guys.
-Kepper