Joomla! Discussion Forums

A while back I added frontend editing capability to mambo (at the time) weblinks

I ported the functionality from the content component
In process I may have patched this hole ...
so my sites are not vulnerable.... I think.... can't be sure

running the exploit seems to fail

I can post my com_weblinks if anyone wants to take a look at it
It is currently for 1.0.7 - i should have one for 1.0.9 on a test site as well

EDIT:
looks like the exploit still works but only for users that are Editors or higher - that's ok though 
the fix is kind of useless to me because of the need to be able to submit from the frontend

Yes, that will still work.
Have a look at the code i posted above. That should keep you safe at least untill there's a patch:
http://forum.joomla.org/index.php/topic ... #msg366017

Rey -

Take care of yourself. Really. You give us SO MUCH for SO LONG. These things happen and are not anyone's fault. You do NOT need to work yourself to death to fix it. You will repair it just like you have any other problem we had. And, there will be another one. It's the world we live in. Nature of the beast.

We appreciate you, Rey.

Amy

Hi,

is this fix work also for Joomla?

reference: http://mamboxchange.com/forum/forum.php?forum_id=7505

open /components/com_weblinks/weblinks.php and add the following two lines
Code:
$row->title = $database->getEscaped($row->title);

$row->catid = $database->getEscaped($row->catid);

Hi Lenamtl,



Yes, it does work for Joomla!.
Line numbers have changed. Insert the code you posted before this fragment (line 307):


However, install the official Joomla! fix as soon as it comes out. There are more issues which will be adressed by J! 1.0.10.

Best,
Enno

looks like it works fine

I think as long as you put it after :


but before:

you'll be ok

it probably wouldn't hurt to have these two lines included in 1.0.10 as well??

They are, but in a more suitable place: in weblinks.class.php.

The method how it is done has only one drawback: weblinks with an apostrophe will be shown e.g. as "Enno\'s Weblink" with an escaped "\'". I would suggest using a local variable for title in weblinks.class.php (the title will be escaped again before storing in the db by $row->store, so no security thread here):



Best,
Enno

ok I see it here:
http://forge.joomla.org/integration/vie ... iew=markup
look for the line:


so if you want to patch your installation
weblinks.class.php around line 85

right before:
is as good a place as any

PS
@friesengeist:
so if I understand correctly,
creating a local variable will prevent the slashes from being added twice
in that case it looks pretty good to do it your way

I have been looking at the changes in 1.0.10SVN

looks like anti spoofing code has been moved out of com_content
and made generally usable by other components

this raises an interesting issue
how do we secure our 3rd party components against these header injection and other spoofing attacks
now that 1.0.10 will include a way to do so.

looks like there are two parts

1) in your mycomponent.html.php file
in ANY functions that SUBMIT FORMS
first add a variable in the beginning of the function  
then add another hidden field to the form: 

2) in your mycomponent.php file
in functions that handle form submissions like SAVE  or SEND EMAIL functions
add this right after global variable definitions

This would make your component backwards compatible with Joomla! versions that don't contain that API.  I know, it would be a good idea to force people to upgrade, but to do that would be like pulling a "Microsoft."

My first post here - would like to say that i love Joomla and really appreciate the hard work that has obviously gone into it...

However i am very security paranoid and am wondering if there is an estimated date for an official patch for this exploit...or when will 1.0.10 be released?

Thankyou 

the Joomla dev team would rather  finish a monolithic update than recode 1 file and release it as a intrem patch....
High level sql injection threat and no mention of it on the NEWS side of the site...

Please tell me how any of this relates to Joomla's core statement

Agree 100%

Have a nice day
Gustavo Raúl Aragón

I personally don't think it is smart to post critical security threats on the news site when an official patch hasn't been released. When 1.0.10 will be released, the news item will follow on the frontpage. Also the people who have subscribed to the announcements forum here wil get an notice as well. This patch is due out soon, Rey will make the announcement when it is out.

Joomla! 1.0.10 will be released within the next 24-48 hours.

It has been sent to testing teams for final approval for release.



Until then the suggested temporary fixes in this thread are all valid.

Also note that although this is a [High Level] threat it works in only certain circumstances and is not a `full` vulnerability.
For a [Critical Level] Threat we would have undergone a much quicker release cycle - however the nature of this threat has afforded us more time to complete 1.0.10 and to test it more thoroughly.

Tonie and Rey -

Thank you for your response. What you are saying makes sense. We are all a bit paranoid and want to protect our Joomla! sites, so, the growing concern was a result of the SVN post, but no word on 'what's next.' However, Tonie, your note very logically explains why. And, Rey, yours is an encouraging response and a perfectly acceptable timeframe.

One word on end-user community comments - it makes me very proud to know that openness is acceptable here in the forums when people feel they must speak. I am also proud of the openness I have seen, here. The posts were polite and encouraging us to evolve to a "better" place. I am most *especially* proud of the rapid, honest and unemotional response of two of our core team members to these concerns.

Thank you for your continued patience with us in the end user community as we sometimes become anxious and speak!

Amy 

Security through obscurity is no security at all. Malevolent internet users and groups may check core software sites for announcements, but in truth they look at other security websites and resources to swap information.  The fact of the matter at hand is Joomla is an opensource project, highly popular and multiple users have contributed to a patch. By not disclosing the security threat the entire community is at risk. It should be the sole discretion of the site administrators to take the approperate actions they deem necessary, along with links to the various suggested user work arounds while the developers work on an official patch

Reason I say such things is for the past week I have stared at the boards off and on, never even noticed the SQL injection threat till last night. When I did, I woke people out of bed at another design firm so they could alert their clients of the threat and the patch.

Digitaldentist i do agree with you that "Security through obscurity is no security at all" and that the general practice regarding security alerts and fixes here at joomla is a little bit different from the norm for an open source project.

In reality the problem is that Joomla! has broken beyond the realm of the geek "open source or nothing" market place and is a mainstream product with mainstream users. As such it is probably correct that a security release/info policy such as the one that is in place right now is correct.

For myself I am subscribed to this entire forum section so that I recieve email notification of any posts and there have been numerous ones on this issue together with fixes and explanations.

(there have also been posts of security issues with 3rd party extensions here that have not been acknowledged)

Thanks very much for your quick attention and both version of the temporary fix websmurf, it worked perfect on my install

Ciao:
Please could you send an email to the sever at Url appear in bottom of securityfocus in your language?
They need know about this problem. And wee need stop this abuse sending mails to hostings.
Thank you!
Best Regards!

I still dont get why you stop using the patch way to patch security holes (like in Mambo) , instead of a totally new realease to fix several errors , its not logic at all if you want to keep joomla secure..

Have a nice day
Gustavo Raúl Aragón

I find it a little puzzling that the joomla team gives more priority on their website to  "International PHP Magazine Features Joomla! 1.5" then a high security security risk that has the potential to have all current joomla sites hacked.

Please,  please,  please.  I hate sifting through subforums  to find verbose answers to security risks.

Please take security seriously.  Here are suggestions,

1.  A dedicated webpage  listing all current security vunerabilities,  and the appropriate fixes.

2.  If risk is high  then instructions on patching users current version should be given,  along with which version the fix has been(will be) incorporated.  never force people to upgrade,  as it leave sites flapping in the breaze as they have the extra task of seeing if the upgrade breakes anything else.  (example -  upgrading from 1.0.7 breaks the mosCE editor,  plus a few other things as well.)

2. Never tell people just to wait until the next version,  again it leaves sites flapping in the breaze, vunerable to hackers.


Being a mainstream product is even more reason to make security issues less obscure,  big companies like Microsoft learnt this the hard way,  Does the Joomla team really need to learn the hard way too ?


In the meantime I thank the Mambo website for alerting me to the security issue (thus prompting me to hunt through this forum) and providing the fix that I can apply to all my existing websites with various versions of joomla in the shortest possible time.

Dev Status is always available here: http://dev.joomla.org/content/blogcategory/21/86/ and by subscribing to the announcement section of these forums you will immediately be notified of any important releases/security fix etc etc.

Subscribe here: http://forum.joomla.org/index.php?actio ... ;board=8.0

BigMudCake < like the name, BTW > -

I have to laugh - because the core team can't win! Some of us gave Mitch a hard time because he did not have his article "International PHP Magazine Features Joomla! 1.5"  published for the community to see. I was happy to see it out on the News site. < But, do you think I emailed him to thank him? Nope. > So, poor guy, got in trouble when it wasn't there, now, because it is. It doesn't pay to be on the core team -- anything, actually, not a dime and no respect!

Also - hopefully, you read this thread because I believe the core team has already responded to each of your points. There may be a difference of opinion on exactly how to handle things, but Tonie and Rey did answer the questions you have asked -- above your post five or six posts.

Tonie responded to why they do not want to highlight security issues.

2. No one is being forced to upgrade -- and there are instructions in this thread -- and the instructions have been "smiled upon" by Rey, who is in charge of maintenance. So, sites should not be flapping in the breeze, as it were!

3. No one has been asked to wait, either, see Rey's response in #44.

As far as "sifting through subforums" - see Tonie's response in #43 where he recommends subscribing to the announcements forum.

None of us like security scares and no one is to blame -- least of all the core developers -- so, let's read what is available and try to keep emotion in check. These guys absolutely are taking security seriously and have since I signed up in November. You might consider how that note sounds to those who have been working hard *for free* *for us* *for awhile!*

Take care, okay?
Amy

BTW - that was another core team member who cares about security! 

I think its because I find it a little frustrating. 

I brought it up once before about lack of information regarding security issues off the main website,
but unfortunately it turned into a joomla zealot driven thread instead of rising above the joomla/mambo
politics.

http://forum.joomla.org/index.php/topic ... #msg219779


I do applaud especially stingrey  who is always works so hard coding AND finds the time to publish security info
and fixes.  I appreciate this more because his attitude about security issues raises above all the politics
and he gives the info we need.

But for the more mainstream user, busy website maintainers,  and new users.  They shouldnt have to try and
track down where the security info is posted,  especially when its also includes all the posts and opinions
of everyone on how to solve it.  It can get very confusing,  and take alot of time.

There is no mention on the main website on even where security info may be found,  or how it is organised.

I am especially worried that if we didnt have Rey,  then we might get no info at all in a timely manner.

Your suggestion was noted then, as it is now.

I can assure you we take Security very seriously. 
We have lost serious levels of sleep simply confirming whether threats are indeed correct and then creating fixes where necessary.
We communicate across boundaries, as in this case with former members of Team Mambo at http://www.mamboguru.com (and thanks for their assistance).




As it happens this is on the todo list, but as always this takes time to do and the priority has been coding, so this project has not been started yet unfortunately.  But rest assured it is something that I have personal interest in seeing created.




* The usual case when a security vulnerability is found - of any nature, is that an analysis is done to secure the codebase from future attacks of similar nature and additional hardening is taken.
* By its nature a dedicated security patch to fix a specific vulnerability would only secure you from that particular vulnerability and would not have the additional security hardening that occurs - as occured in this case, where additional hardening has indeed been introduced.  This hardening then lessens the likelihood of future attacks occurring - premptive defense.
* Releasing dedicated security patches to address High to Critical level threats will probably encourage users to maintain earlier versions of the codebase, meaning that they will not benefit from security to Medium to Low level threats.
* Some fixes are dependent on a large number of fixes over a large number of files, that are dependent on Code introduced in progressive releases of the codebase, so there is no garuantee that a suggested fix will properly protect the earliest versions of the codebase, which may not have the other dependent code.  The only way this can be assured is by using Full Releases.
Cumulative use of Specific security patches may not be as effective as the Full Release.
* Most users do not have the ability, proffiency or confidence to introduce specific security code changes themselves
* If you release Security Patch files with the security changes (not simply posting the fixes for users to code themselves), you would most probably need to release versions for every version of the codebase to cover any differences between them, which would be about as much work for the Team as releasing a Full release.




Our response is predicated by the nature of a security vulnerability found.  For Critical Level threats (our highest rating) we work towards a 24-48 hour release response.
For High Level or lesser bugs a longer period maybe taken dependent on the nature of the threat - as occurred here, where the nature of the threat meant its severity was to a certain extent limited.

Rey

Justy wanted to say that all of your hard work (and long hours) in ensuring that Joomla! 1.0x is as secure as possible and that reposnes to security issues are dealt with in such a timely and efficient manner is appreciated.

I have seen so many projects that just sit back and ignore these issues ......

I also am cognizant that part of the problem is that we havent clearly communicated our Security and Stability principles, guidelines and mandate - this does cause some uncertainty.

So it is also on my todo list to clearly outline on dev.joomla.org the project Joomla! Security and Stability principles.