[FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Discussion regarding Joomla! security issues.

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Elpie » Mon Jun 26, 2006 10:28 am

Congrats Rey, on getting the new release out so quickly :)

While I understand the concerns expressed by some who have posted here, I think perhaps we should all remember that ALL open source code is vulnerable. It is vulnerable because it is out there for everyone to see and everyone to play with. Joomla could have dozens of devs analysing the code for security and it would still never be 100% absolutely secure because there are potentially tens of thousands of script kiddies trying to break it or find some way to make it behave in an unexpected way. ALL popular open source code is a target for the guys who are out to do mischief (and worse).

To see the level of dedication of the team in keeping the code as secure as possible you only have to go check the reputable advisories - then compare the number and severity to other popular OS scripts.  Not only have there been very few, but the responsiveness with which they have been handled is a real credit to the team and to Rey in particular.  Notice of a potential vulnerability came out on 19th June - a week later this is fixed with a new release out. bigmudcake talks about Microsoft learning the hard way - well, even Microsoft with their legion of full-time paid employees doesn't get security fixes out this quickly!  Well done Team Joomla!
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Mon Jun 26, 2006 1:20 pm

Would like to acknowledge the assistance of Elpie and Counterpoint [of http://www.mamboguru.com fame] for their assistance and keeping us abreast of possible security vulnerabilities in the Joomla!/Mambo sphere.

Also a security change/hardening of mosgetparam introduced in 1.0.10 came from the work of Counterpoint on Mambo, will blog about this shortly as it may affect 3pd extensions.

But thanks to them for their assistance in the true open source spirit.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by infograf768 » Mon Jun 26, 2006 2:28 pm

Thanks to the good guys!
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

Asphyx
Joomla! Hero
Posts: 2454
Joined: Sun Aug 28, 2005 5:03 pm

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Asphyx » Mon Jun 26, 2006 3:08 pm

I have to laugh - because the core team can't win! Some of us gave Mitch a hard time because he did not have his article "International PHP Magazine Features Joomla! 1.5"  published for the community to see. I was happy to see it out on the News site.
This is why I have always said news for the sake of just having news is not always the smartest thing to do...
Because when there IS something important to say it can easily get lost, ignored or becomes the focus of complaints because between the time something important has been identified (usually here on the forums) and the time a clear and well written press release is made someone always manages to get a dig in!

I agree with the decision not to ANNOUNCE a security flaw until the fix was complete!
No need to alert the users of a flaw that they can't fix. It only serves to create fear and worry until a solution is available, and it informs any script kiddy that hey, there is something to hack tonight!

EVERY security system has a flaw... The only reason we have any semblance of security is because those flaws are not widely known. It's one thing to have a really smart hacker find one, but it's another thing to tell the not so smart ones how it's done!

As for releasing individual fixes as Mambo does I disagree! That might help the users already running it but those users who are going to make a new install are installing an insecure version unless a full release incorporating the fixes is available!
These users would then have to go hunting for individual fixes after initial install to have a secure install...

It is not something I hope the J! team ever does!
This method is much better because not only does it provide a quick upgrade for current users but at the same time there is a full package release that makes any new users secure as well!

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by friesengeist » Mon Jun 26, 2006 10:41 pm

Congratulations and many thanks to the whole Team - and especially Rey - for this release! That's really great, security holes fixed and also fixed many more issues with 1.0.9 in one week! Your hard work and the time that has gone into this is really very much appreciated!

Now, after most arguments on when to publish security related information have been said, I'd like to ask a question on what to publish here on the forums. Apparently there have been quite a few people asking how to secure their installations before the new package was out. As there was only the one known vulnerability (com_weblinks) discussed on the forum, I decided not to talk about the other holes here, in case some crackers or script kiddies are reading these forums as well (which I believe they do). But then, on the other hand, they are also able to see all changes done to SVN, which already might give them some hints on where in the code some more security issues are.
That said, I think it wouldn't be too bad to post such information also on this forum. So for the next security issue (I hope there won't be any :-)), would it be OK to publish this information here? (Of course only on how to fix the hole... I would have done so, but just didn't dare to :-[)

Best,
Enno
We may not be able to control the wind, but we can always adjust our sails

bigmudcake
Joomla! Intern
Posts: 60
Joined: Thu Dec 08, 2005 8:38 am

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by bigmudcake » Mon Jun 26, 2006 11:55 pm

Maybe a suggestion is to have a dedicated Security Team, similar to the Documentation Team, so the burden of security releases and tracking of issues doesn't keep falling on Rey.

The Security Team can have a "closed" forum to discuss unpublished security issues, and a webpage that summarizes all published security issues and their suggested fixes. The Team needs to also understand that there are a lot of modified Joomla sites out there who can't simply upgrade, plus the risk of breaking 3rd party software in the course of upgrading.

Maybe the Security Team can focus on 2 areas: longer term future hardening of the code and exploit testing, and short term patches to thwart publicised attacks.
Last edited by bigmudcake on Tue Jun 27, 2006 12:01 am, edited 1 time in total.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia
Contact:

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by brad » Mon Jun 26, 2006 11:59 pm

I meant your suggestion to add security information to the frontpage has been noted.

There is a 'Security' team, their forum is here: http://forum.joomla.org/index.php/board,179.0.html If you would like to help, please let us know, and before you ask, yes, they do have a private 'closed' forum that they use.

In case you missed the reasons behind Rey's (and his team's) efforts: WE TAKE SECURITY VERY SERIOUSLY

bigmudcake
Joomla! Intern
Posts: 60
Joined: Thu Dec 08, 2005 8:38 am

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by bigmudcake » Tue Jun 27, 2006 12:07 am

Maybe I was a little harsh,  so I removed my comment further up,  I want to try and keep discussion constructive.

I looked at the forum mentioned at http://forum.joomla.org/index.php/board ... html, It seems more related to bug tracking, Quality and Testing, than security.

Asphyx
Joomla! Hero
Posts: 2454
Joined: Sun Aug 28, 2005 5:03 pm

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Asphyx » Tue Jun 27, 2006 1:05 am

Brad - Just a question....
It may already be in place...Is there an email account to send security alerts to the security team?
Something like [email protected] so that anyone finding an exploit can notify the security team without also giving a public announcement of how to exploit it? LOL


I know people want fast action on security issues but I would point out that it has been about a day (maybe two) since this was identified as a security threat to Joomla and the teams already have a fix out...
You don't get much better than that on the ACTION front if you ask me...

I mean any quicker would mean the patch was out before the hole was found! LOL


And anyone who wants to help in regards to security the best way anyone can help is (if you have the skills) to hack your own site (or a test site even) and try to identify these holes BEFORE some malicious grunt finds them and ruins a site!

There are many tools out there that people can use. I won't name them here (if anyone from the security team wants to know, PM me but I will only tell actual members of the security team and I will check before I reply!!!!!)

but if the script kiddies can find them so can you!

Bottom line is you really have to be diligent about your security; even one hole (a dangling 777 for instance) makes all the security patches in the world useless! All it takes is one bad PHP script to be written to a folder and it can be executed, giving access to the hacker!

And while I'm all for doing anything to make Rey's life 10 times easier I think the team has done a bang up job under rushed circumstances to get us this patch as quick as they could!
Maybe if we could find these holes for them before the script kiddies got their hands on the exploits they wouldn't have to stay up until 4am scrambling to get a desperate fix in...

Mr Nick
Joomla! Apprentice
Posts: 33
Joined: Fri Oct 14, 2005 10:18 am
Location: Dedham Vale, UK
Contact:

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Mr Nick » Wed Jun 28, 2006 8:55 am

For what it's worth I think that everyone (and especially Rey) has done a stunning job in getting this new version out in such a short time.  :)

I used to run a support team investigating and fixing important customer bugs in software amounting to a couple of million lines of code. It's not easy. Having a litigious customer breathing down your neck or thousands of users in the case of Joomla! doesn't make it any easier. It is also frighteningly easy to fix one problem and introduce another.

I don't know to what extent third party add-ons are tested for compatibility with new versions but this must make things much more difficult for Rey and the others.

Something that I have been wondering about for a while is this: What happens with components which are derived from core components? Are they fixed at the same time? Do the developers get notified of changes to the core components? Are they left with vulnerabilities until the developers get round to fixing them?

I imagine that the core developers probably review each other's code formally or informally, but I am guessing that third party components are not code reviewed at all. Is that what happens? (or rather doesn't)

A final point: because Joomla! is open source it probably does make it easier for the malicious to find exploits. But there are many more eyes to find them from our side too (that is, the Joomla! developers and users). If Joomla! were to be closed it would be harder but not impossible for the malicious to find exploits. Consider Microsoft and Windows. Windows is a closed development system but those motivated to find exploits still manage to do it with monotonous regularity.

Thanks again for the new version.  ;D

Nick

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Wed Jun 28, 2006 2:08 pm

bigmudcake wrote: Maybe a suggestion is to have a dedicated Security Team, similar to the Documentation Team, so the burden of security releases and tracking of issues doesn't keep falling on Rey.
Security falls within the mandate of the Stability Team. All releases within the Stability mandate fall under the heading of Stability Releases, which are general bug fixes of issues in the Stable codebase, or the heading of Security Releases, which are made in direct response to discovered security vulnerabilities.



While the idea of a dedicated Security Team is essentially sound, more teams require more manpower and more management overhead.
While it may seem ludicrous to propose that an Open Source project may have manpower issues, one must remember involvement in an OS project at any level requires a large degree of time and commitment of individuals - something that comes from people's free time. Also there is the matter whether people have the expertise and knowledge to be appropriate - especially in regard to deep knowledge of the Joomla! codebase. Lastly, there is the issue of whether the individual(s) truly believe in the concept of Open Source.



To a certain extent the duties/requirements of General Bug Fixing and Security Fixing are essentially the same, so a dedicated Security team may be slightly redundant. Also we have a separate Quality & Testing Working Group who aids the work of the Stability & Development groups by testing the codebase.


bigmudcake wrote: The Security Team can have a "closed" forum to discuss unpublished security issues,
We already have private areas for such discussions and sometimes, security threats reported in these forums are moved to this private area.


bigmudcake wrote: a webpage that summarizes all published security issues and their suggested fixes.
As I have discussed previously, this is something that is on my personal todo list.


bigmudcake wrote: The Team needs to also understand that there are a lot of modified Joomla sites out there who can't simply upgrade, plus the risk of breaking 3rd party software in the course of upgrading.
While I understand and appreciate the problems, I outline my response to this here:
http://forum.joomla.org/index.php/topic ... #msg373406

Also, a separate Security-only patch would basically represent a new trunk of the codebase that we would also need to cater for.
Also, a site running a lesser version with all Security patches only will not necessarily be as secure as the latest Full Release.

Having said this, the idea (security only patch) is something we will examine and consider to determine if it is workable within the resources that we have available.

Please remember that there is no shortage of sound and good ideas; unfortunately we are faced with very scarce and limited resources that, due to practical considerations, reduce what we are able to achieve.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Wed Jun 28, 2006 2:15 pm

Asphyx wrote: It may already be in place...Is there an email account to send security alerts to the security team?
Something like [email protected] so that anyone finding an exploit can notify the security team without also giving a public announcement of how to exploit it?
Actually this email address is in fact active and is our dedicated security email address and something that we monitor closely.
However, to a certain extent we limit its visibility as we do not want people to use it as a general support address. It is usually given out if a person demonstrates a likelihood of having found a security vulnerability.


Asphyx wrote: And anyone who wants to help in regards to security the best way anyone can help is (if you have the skills) to hack your own site (or a test site even) and try to identify these holes BEFORE some malicious grunt finds them and ruins a site!
...
Maybe if we could find these holes for them before the script kiddies got their hands on the exploits they wouldn't have to stay up until 4am scrambling to get a desperate fix in...
Any White Hat assistance is always fully appreciated, and in fact there are already several community members who have aided in finding security vulnerabilities before anyone else and reporting them to the team for addressing. And for this we thank them for the invaluable assistance they have provided and urge them and others to continue this kind of extremely valuable assistance.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Wed Jun 28, 2006 2:26 pm

Mr Nick wrote: I don't know to what extent third party add-ons are tested for compatibility with new versions but this must make things much more difficult for Rey and the others.
The Joomla! core team does not specifically test compatibility with extensions. We rely very much on developers keeping track of stability work done and reporting these to us. Also some extension developers have worked very closely with us to address possible compatibility issues. These kinds of linkages are invaluable to us, as there is no way we can test all extensions and we do not have the knowledge of extensions that their own developers/testers do. One example of the strong developmental relationship with a 3rd party extension is the Community Builder project. The CB development team are also involved in Joomla! working groups and are some of the most active testers of the stability work done. They have also made their own testing group for testing of Beta releases of the Stability codebase.
And we welcome and encourage any and all extension developers to engage in these kinds of inter-relationships with Project Joomla!; they can only benefit both parties and the users they serve - our door is always open.


Mr Nick wrote: Something that i have been wondering about for a while is this: What happens with components which are derived from core components? Are they fixed at the same time? Do the developers get notified of changes to the core components?
This is something only Extension developers can comment on; however, we would hope that they track developments within the Stability codebase closely. Do we (Project Joomla!) contact them directly? The answer is no, it is simply too difficult to monitor all the extension developers that now exist; such a push communication relationship would strain the resources Project Joomla! has available. The only way it can work is via a pull communication relationship, with extension developers monitoring developments themselves and giving Project Joomla! direct feedback.


Mr Nick wrote: I imagine that the core developers probably review each others code formally or informally
Yes, this occurs, but obviously it could be far better and hopefully new initiatives can be put in place to address code quality far better.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Wed Jun 28, 2006 2:30 pm

friesengeist wrote: I'd like to ask a question on what to publish here on the forums.
...
That said, I think it wouldn't be too bad to post such information also on this forum. So for the next security issue (I hope there won't be any :-)), would it be OK to publish this information here? (Of course only on how to fix the hole... I would have done so, but just didn't dare to :-[)
This is the dedicated Security Forum, so this is the most appropriate place to post security concerns.
We are happy to post vulnerability fixes - though it would not be in the best interest to post full information on how to exploit a vulnerability.

If in doubt I would post the information in these forums, and if the matter is too sensitive for public consumption, then it will simply be moved into secure/private areas of the forum.

From our point of view we would rather have the information so we can examine and where necessary address them.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by friesengeist » Wed Jun 28, 2006 6:59 pm

stingrey wrote: We are happy to post vulnerability fixes - though it would not be in the best interest to post full information on how to exploit a vulnerability.
Thanks for the clarification. Of course I'm only talking about fixes! ;)
stingrey wrote: From our point of view we would rather have the information so we can examine and where necessary address them.
Not a problem at all. Maybe I didn't point out clearly enough that I was talking about holes that have already been fixed in SVN, so it's only things you know about ;)

Thanks again for the info!
Best,
Enno
We may not be able to control the wind, but we can always adjust our sails

ericmay
Joomla! Apprentice
Posts: 44
Joined: Wed May 24, 2006 4:46 pm
Location: Boulder, Colorado
Contact:

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by ericmay » Wed Jun 28, 2006 10:53 pm

First of all THANK YOU for getting the security update out so Fast!
Greatly Appreciated!!! :D

One Serious Concern- Don't you think posting exactly which files are vulnerable and to what type of attack on the front page is a HUGE Security Problem for anyone who doesn't drop by here daily? 

I mean seriously, it looks like you just gave every hacker in the universe the Keys to every Mambo and Joomla site and server who didn't get the message and upgrade immediately.  You had me at MUST UPGRADE...  I Freaked when I saw the "where to go and how to exploit it" section.

Please take this post as it is intended as a security concern being raised and I'm paranoid as I've already lost one server this year to hackers. But, that's another story...

Thanks again for Taking care of the security fixes that fast! 
Eric
Imagination is more important than knowledge.

AmyStephen

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by AmyStephen » Wed Jun 28, 2006 11:16 pm

ericmay wrote: One Serious Concern- Don't you think posting exactly which files are vulnerable and to what type of attack on the front page is a HUGE Security Problem for anyone who doesn't drop by here daily? 
Eric - you do understand vulnerabilities and specifics are listed on Secunia, and other security monitoring websites? Amy

ericmay
Joomla! Apprentice
Posts: 44
Joined: Wed May 24, 2006 4:46 pm
Location: Boulder, Colorado
Contact:

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by ericmay » Wed Jun 28, 2006 11:52 pm

Hi Amy,
Thanks for the link. Yes I am aware that there are many places on line to learn about security vulnerabilities.

My main concern is for the Joomla community at large, particularly everyone who doesn't work on websites daily. Many Joomla users may not come here until they decide they want to upgrade something on their site.  Meanwhile, there's directions on where to exploit their "old" site on the front page of Joomla.

The point I was trying to make is that we edit that type of detailed info out of the forums. Why would we want it on the front page?

Thanks for your feedback,
Eric
Last edited by ericmay on Wed Jun 28, 2006 11:54 pm, edited 1 time in total.
Imagination is more important than knowledge.

AmyStephen

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by AmyStephen » Thu Jun 29, 2006 12:14 am

I hear you, Eric. My only point is that the sites that the "bad guys" visit is most likely the other one -- and, if you checked the links on that page -- the guns are there and loaded. Don't know the answer -- and your post was really nicely worded -- I appreciate that. Cheers! Amy

Elpie
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Elpie » Thu Jun 29, 2006 1:37 am

ericmay wrote: My main concern is for the Joomla community at large, particularly everyone who doesn't work on websites daily. Many Joomla users may not come here until they decide they want to upgrade something on their site.  Meanwhile, there's directions on where to exploit their "old" site on the front page of Joomla.
Hi Eric,
This kind of information falls into the "damned if you do, damned if you don't" category. Once vulnerabilities are known they are posted all over the Net and it's usually not hard to find the code used to exploit them. Everyone running a site *should* be aware of this and it's up to each person to ensure they keep up with any security alerts. People do not need to visit this site - all they need to do is subscribe to security alerts so they get notification as soon as fixes are released.

The information on the frontpage of Joomla is there to alert users to the need to upgrade. There is nothing there that isn't already in a large number of places on the Net. First, SANS, Secunia, Netcraft and probably a whole heap more security sites have published the vulnerabilities, as have hacker sites. The vulnerabilities are mentioned in blogs and in online media sites. If a Joomla user stumbles across any of these, then comes here and doesn't see the information, we get two things happening - loads of questions in the forums, and others who just assume that if Joomla hasn't mentioned it then the threat can't be real/significant/whatever.

The Joomla team asks everyone to subscribe to the email notifications. It's up to the users to do this.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines
Contact:

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Thu Jun 29, 2006 7:08 am

ericmay wrote: My main concern is for the Joomla community at large, particularly everyone who doesn't work on websites daily. Many Joomla users may not come here until they decide they want to upgrade something on their site.  Meanwhile, there's directions on where to exploit their "old" site on the front page of Joomla.

The point I was trying to make is that we edit that type of detailed info out of the forums. Why would we want it on the front page?
Yes, we understand the concerns, but we feel there is a greater duty to inform the community that vulnerabilities exist and that they need to upgrade to the latest versions for their safety.

It should be noted that nowhere on the forums or on any of the official sites is the exact method and mechanics of how to exploit a vulnerability discussed.  The news item about 1.0.10 and its changelog only describes generally that an exploit/vulnerability exists.  Even in this thread, there is no direct mention of the attack delivery method. 

However, the method/mechanism of attack is explained in full detail in various online security sites.



Unfortunately we see no other alternative method of informing our community of users that they should upgrade to the latest versions, apart from making it very clear on the frontpage of the official site. Even if one took a more discreet method of simply emailing all registered users on this forum, I would guarantee that there are blackhat individuals who are members of this forum.

And as pointed out, there is more detailed information about exploits all over the web.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

Asphyx
Joomla! Hero
Posts: 2454
Joined: Sun Aug 28, 2005 5:03 pm

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Asphyx » Thu Jun 29, 2006 1:17 pm

My main concern is for the Joomla community at large, particularly everyone who doesn't work on websites daily. Many Joomla users may not come here until they decide they want to upgrade something on their site.
For this reason everyone is urged to subscribe to the security announcement threads so that they will at least get an email when something comes up.


I don't think there is a problem announcing a security threat...Where the danger is, is in posting the actual means of attack publicly.
Simply saying there is a vulnerability in fileA is not really helpful to a hacker because he also needs to know WHAT the vulnerability is and how it is attacked!

You're never going to stop the really smart hackers... They can easily download a PHP coded release and scan it for known exploits in PHP or engineer new exploits because they know what they are doing...

The real problem is once a tool is created by these REAL HACKERS that allows unskilled hackers (or script kiddies) to make attacks without really knowing the first thing about how it is done!

This most recent vulnerability was found almost a year ago...
It's taken this long for it to get widely used which means some posting of the exploit or a script made to take advantage of it has finally reached the script kiddies!

Notifying the public about a vulnerability is not dangerous. Telling the public how it is done is!
Saying there is a vulnerability should be enough to inform users to make a current backup of their system and save it locally...
then they are safe until a patch is released because they at least can get back to unhacked status!

ericmay
Joomla! Apprentice
Joomla! Apprentice
Posts: 44
Joined: Wed May 24, 2006 4:46 pm
Location: Boulder, Colorado

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by ericmay » Thu Jun 29, 2006 5:18 pm

Hello Everyone,
thanks for all the responses. Points all very well taken!
It was the script kiddies I had in mind when I made my first post. But I guess you're right; "damned if you do, damned if you don't." I certainly found it motivating... I migrated seven sites to Joomla on Tuesday.
As my security guy always likes to point out "the Only way to completely secure a site is to unplug the server."

Once again, a big thanks to team Joomla for the best CMS on the planet! 8)
Eric
Imagination is more important than knowledge.

Asphyx
Joomla! Hero
Joomla! Hero
Posts: 2454
Joined: Sun Aug 28, 2005 5:03 pm

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Asphyx » Thu Jun 29, 2006 8:08 pm

LOL Actually Eric...unplugging the Cat5 cable and the keyboard works just as well as shutting it off! LOL

Mr Nick
Joomla! Apprentice
Joomla! Apprentice
Posts: 33
Joined: Fri Oct 14, 2005 10:18 am
Location: Dedham Vale, UK

Re: [FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Mr Nick » Thu Jun 29, 2006 8:57 pm

unplugging the Cat5 cable and the keyboard works just as well as shutting it off!
Actually that is not enough. It has to be off at the mains and unplugged unless it is in a shielded room like the spooks use.  ;)

Nick
Last edited by Mr Nick on Thu Jun 29, 2006 9:00 pm, edited 1 time in total.

ddmobley
Joomla! Intern
Joomla! Intern
Posts: 90
Joined: Thu Jun 15, 2006 2:18 am

Re: [CONFIRMED] Is Joomla secure against that?

Post by ddmobley » Mon Jul 17, 2006 3:47 am

friesengeist wrote:The way it is done has only one drawback: weblinks with an apostrophe will be shown e.g. as "Enno\'s Weblink" with an escaped "\'".
I'm on .10, and the apostrophe error is still there.  It shows up in the display when web links are listed, as well as showing up in the admin side in three places: The list of weblinks, in the editor for the weblink and in that screen's ordering lists.  You can remove the escape characters by using "stripslashes( )".

In /components/com_weblinks/weblinks.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 1 time.

In /components/com_search/search.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 1 time.

In /administrator/components/com_weblinks/admin.weblinks.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 3 times.

In /administrator/components/com_weblinks/admin.weblinks.html.php, find "$lists['ordering']" and replace it with "stripslashes($lists['ordering'])" - 1 time.
Last edited by ddmobley on Mon Jul 17, 2006 5:03 am, edited 1 time in total.

gdwoods
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Mon Dec 26, 2005 11:59 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by gdwoods » Wed Jul 26, 2006 10:00 pm

ddmobley wrote:
friesengeist wrote:The way it is done has only one drawback: weblinks with an apostrophe will be shown e.g. as "Enno\'s Weblink" with an escaped "\'".
I'm on .10, and the apostrophe error is still there.  It shows up in the display when web links are listed, as well as showing up in the admin side in three places: The list of weblinks, in the editor for the weblink and in that screen's ordering lists.  You can remove the escape characters by using "stripslashes( )".

In /components/com_weblinks/weblinks.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 1 time.

In /components/com_search/search.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 1 time.

In /administrator/components/com_weblinks/admin.weblinks.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 3 times.

In /administrator/components/com_weblinks/admin.weblinks.html.php, find "$lists['ordering']" and replace it with "stripslashes($lists['ordering'])" - 1 time.
Tried this fix but no joy, I still get the escaped apostrophe

1.0.10 Stable , CB 1.0, Joomlaboard 1.1.2 Stable

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by friesengeist » Thu Jul 27, 2006 5:23 pm

gdwoods wrote: Tried this fix but no joy, I still get the escaped apostrophe
Which one? The fix from the last post, or the one from post #36? #36 should work. You need to save the weblinks that have backslashes again though, without the backslashes...
We may not be able to control the wind, but we can always adjust our sails

gdwoods
Joomla! Apprentice
Joomla! Apprentice
Posts: 19
Joined: Mon Dec 26, 2005 11:59 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by gdwoods » Thu Jul 27, 2006 5:29 pm

friesengeist wrote:
gdwoods wrote: Tried this fix but no joy, I still get the escaped apostrophe
Which one? The fix from the last post, or the one from post #36? #36 should work. You need to save the weblinks that have backslashes again though, without the backslashes...
No, I didn't try #36 yet. Can you clarify where in weblinks.class.php this code should go? Thanks!

friesengeist
Joomla! Guru
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by friesengeist » Thu Jul 27, 2006 6:21 pm

gdwoods wrote: No, I didn't try #36 yet. Can you clarify where in weblinks.class.php this code should go? Thanks!
Sure, here you are:

Old:

// SQL injection protection
// Note: the escaped string is written back into $this->title, so store()
// later saves the title with the backslash included.
$this->catid = intval($this->catid);
$this->title = $this->_db->getEscaped( $this->title );

/** check for existing name */
$query = "SELECT id"
. "\n FROM #__weblinks "
. "\n WHERE title = '$this->title'"
. "\n AND catid = $this->catid"
;
$this->_db->setQuery( $query );

New:

// SQL injection protection
// The escaped copy lives only in the local $title used for the query;
// $this->title is left untouched for store().
$this->catid = intval($this->catid);
$title = $this->_db->getEscaped( $this->title );

/** check for existing name */
$query = "SELECT id"
. "\n FROM #__weblinks "
. "\n WHERE title = '$title'"
. "\n AND catid = $this->catid"
;
$this->_db->setQuery( $query );
Hope this helps ;)
We may not be able to control the wind, but we can always adjust our sails
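The difference between the Old and New blocks above, and why the stripslashes() display workaround from ddmobley's post was needed with the old code, as an added example that is not part of the thread or of Joomla itself; FakeDb and its addslashes()-based getEscaped() are assumed stand-ins for the real database class.

```php
<?php
// Added example, not Joomla's own code: stand-ins for the 1.0.x weblinks
// check() routine. FakeDb is an assumed stand-in for Joomla's database class;
// its getEscaped() mimics the real one with addslashes().
class FakeDb {
    public $lastQuery = '';
    public function getEscaped($text) { return addslashes($text); }
    public function setQuery($query) { $this->lastQuery = $query; }
}

class WeblinkOld {
    public $title, $catid, $_db;
    public function check() {
        // Old pattern: the escaped string replaces the original, so the
        // later store() writes the title with the backslash into the table.
        $this->catid = intval($this->catid);
        $this->title = $this->_db->getEscaped($this->title);
        $this->_db->setQuery("SELECT id FROM #__weblinks"
            . " WHERE title = '$this->title' AND catid = $this->catid");
    }
}

class WeblinkNew {
    public $title, $catid, $_db;
    public function check() {
        // New pattern: only the copy used in the query is escaped;
        // $this->title keeps the plain apostrophe for store().
        $this->catid = intval($this->catid);
        $title = $this->_db->getEscaped($this->title);
        $this->_db->setQuery("SELECT id FROM #__weblinks"
            . " WHERE title = '$title' AND catid = $this->catid");
    }
}

// Runs check() on a constructed weblink; returns the title left in the
// object (what store() would save) and the query that was sent.
function runCheck($class, $title, $catid) {
    $row = new $class();
    $row->title = $title;
    $row->catid = $catid;
    $row->_db = new FakeDb();
    $row->check();
    return array($row->title, $row->_db->lastQuery);
}

// Constructed input: the apostrophe case from the thread. The query sent is
// identical for both classes; only the value left in $this->title differs.
foreach (array('WeblinkOld', 'WeblinkNew') as $class) {
    list($stored, $query) = runCheck($class, "Enno's Weblink", '5');
    echo "$class\n  saved title: $stored\n  query: $query\n";
}
```

With the new pattern the stripslashes() display edits are unnecessary, and weblinks already saved with a backslash just need to be saved again without it, as friesengeist notes.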

