DocMAN 1.3.0 RC2

For all Non-Joomla! security issues. ie 3pd Components etc.

Moderator: General Support Moderators

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1408
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

DocMAN 1.3.0 RC2

Post by PhilTaylor-Prazgod » Thu Aug 23, 2007 8:40 pm

Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

Jinx
Joomla! Champion
Posts: 6508
Joined: Fri Aug 12, 2005 12:47 am
Contact:

Re: DocMAN 1.3.0 RC2

Post by Jinx » Thu Aug 23, 2007 9:02 pm

Thanks, we are working on a 1.4 beta which is expected to be released at the beginning of September. I have forwarded this to the current maintainer of DOCman to make sure it is fixed for the new release.
Johan Janssens - Joomla Co-Founder, Lead Developer of Joomla 1.5

http://www.joomlatools.com - Joomla extensions that just work

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: DocMAN 1.3.0 RC2

Post by infograf768 » Fri Aug 24, 2007 4:35 pm

@PhilTaylor
PhilTaylor-Prazgod wrote: DocMAN 1.3.0 RC2
http://cve.mitre.org/cgi-bin/cvename.cg ... -2007-0380
I received your mail.
I sort of understand you know how to protect Docman users at reading it.
Could you provide the patch?
Jean-Marie Simonet / infograf
---------------------------------
ex-Joomla Translation Coordination Team • ex-Joomla! Production Working Group

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1408
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: DocMAN 1.3.0 RC2

Post by PhilTaylor-Prazgod » Fri Aug 24, 2007 4:39 pm

I have no solution - I can't even find the problem after a quick glance.  :-\ I am chatting to Beat about this - whatever the vulnerability, it's not an obvious one.

Beat has identified some problem areas to look into following this, but cannot replicate any injections yet.

I have contacted the original reporter (the "hacker") and hope to get more technical details.

Jinx
Joomla! Champion
Posts: 6508
Joined: Fri Aug 12, 2005 12:47 am
Contact:

Re: DocMAN 1.3.0 RC2

Post by Jinx » Fri Aug 24, 2007 10:40 pm

Phil,

I'm seriously disappointed by the way you have handled this issue. You have spread ungrounded fear amongst many DOCman users, abusing your company and personal communication channels. What makes it even worse is that you now openly admit you didn't do any due diligence on the security issue reported: you didn't check it, nor did you email the current DOCman maintainer or myself about it before taking any other steps. It really makes me wonder about your intentions.

For the record, DOCman is one of the most secure components available for Joomla! and Mambo. DOCman has been around since the very early days, has always been very popular, and we have never encountered any major security issues. Those we found were addressed as soon as possible.

This is pretty amazing given the fact that DOCman has always been a voluntary project worked on by a number of different people over the past 5 years. It has a great community that relies on it and helps to move it forward. It of course has its weaknesses and its strengths, security definitely being a strength.

One good piece of advice Phil, you are free to take it or leave it: next time, instead of spreading fear, try to do things the Joomla! way. Send the maintainer of the extension a personal email about the security issue. Maybe even try to verify the actual issue that is being reported. Creating a quick patch to solve it once found shouldn't be that hard for a seasoned 'joomla security expert' like yourself, no? I'm sure the maintainer of the extension will appreciate it and so will all Joomla! users.

Open source development and "Jumla" development is about contributing. Think about it!

Sincerely,

Johan Janssens
DOCman project manager

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1408
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: DocMAN 1.3.0 RC2

Post by PhilTaylor-Prazgod » Fri Aug 24, 2007 10:54 pm

Johan

I choose to take my advice from people I respect, unfortunately you are not one of those.

Phil

mediamagnate
Joomla! Explorer
Posts: 315
Joined: Fri Aug 12, 2005 2:09 pm
Location: Shepparton
Contact:

Re: DocMAN 1.3.0 RC2

Post by mediamagnate » Fri Aug 24, 2007 11:53 pm

PhilTaylor-Prazgod wrote: Johan

I choose to take my advice from people I respect, unfortunately you are not one of those.

Phil
Phil, I think you could do well to take some of Johan's advice.  Were you not the person who told the world that Joomla! was not going to be GPL — then the blog amazingly disappeared?  You have a history of rather humiliating faux pas — generally opening your mouth before engaging your brain.

Please try to think before you post in future.  You're the one this reflects badly upon.  Common courtesy is a two way street.
Joomla is a project, not a product! www.nooku.org

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1408
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands
Contact:

Re: DocMAN 1.3.0 RC2

Post by PhilTaylor-Prazgod » Fri Aug 24, 2007 11:57 pm

Stand for something or fall for everything

mcsmom
Joomla! Exemplar
Posts: 7897
Joined: Thu Aug 18, 2005 8:43 pm
Location: New York
Contact:

Re: DocMAN 1.3.0 RC2

Post by mcsmom » Sat Aug 25, 2007 1:49 am

Wait, you sent that email because of a report of an unconfirmed problem reported in Persian (I guess really Farsi) by one "hacker" that was made in January?

Do you read Farsi?
So we must fix our vision not merely on the negative expulsion of war, but upon the positive affirmation of peace. MLK 1964.
http://officialjoomlabook.com Get it at http://www.joomla.org/joomla-press-official-books.html Buy a book, support Joomla!.

mjaz
Joomla! Guru
Posts: 821
Joined: Thu Nov 10, 2005 10:08 am
Contact:

Re: DocMAN 1.3.0 RC2

Post by mjaz » Sat Aug 25, 2007 4:07 am

Just wanted to confirm that I fixed a couple of *minor* vulnerabilities about two months ago. These fixes will be included in the upcoming v1.4beta2 release.
I have yet to read any report of a site being hacked through DOCman. If anyone does know of issues in the current code, please:
- send me everything you know, so I can fix it.
- do not make the details public, so no sites are compromised.
thanks
Better SEO & multi-lingual Joomla sites with Nooku Content
http://www.nooku.org
Nooku Framework for advanced Joomla extension development
http://www.nooku.org/framework

72dpi
Joomla! Intern
Posts: 55
Joined: Thu Mar 16, 2006 12:47 am

Re: DocMAN 1.3.0 RC2

Post by 72dpi » Sat Aug 25, 2007 9:47 am

I Respect you Johan ;)

I suggest a full dump of this thread, as I have seen a major turn in Edits to the content.
Less "personal" feelings, more "facts" needed.

Keep up the great work all, remember, Joomla is a community, and you all make a difference.

BTW, I almost crapped myself, as we have 2000 Docs in Docman, in 100 categories, on a site with 2500 pages.

So yeah, I panicked. Not a good feeling  :o

Jinx
Joomla! Champion
Posts: 6508
Joined: Fri Aug 12, 2005 12:47 am
Contact:

Re: DocMAN 1.3.0 RC2

Post by Jinx » Sat Aug 25, 2007 11:57 am

72dpi wrote: I Respect you Johan ;)
Thanks, but this is not about personal respect. It's about community ethics and acting in the best interest of the project that allows one to make his living. Scaring people for no reason is simply stupid.
I suggest a full dump of this thread, as I have seen a major turn in Edits to the content.
Less "personal" feelings, more "facts" needed.
I don't see a reason for that; we are an open and transparent community and I have nothing to hide. The facts are there, I'm simply pointing them out. Phil has abused his company channels to spread incorrect, or at least unverified, security-related information to third parties. We have very clear guidelines in the project and the Q&T working group on how to handle such reports. Information about them should only be made public after it has been verified and the maintainer of the project has been contacted. Phil has done neither; in DOCman's case, if it hadn't been for community members I wouldn't even have noticed this post on the Joomla! forums. Being a former core team member and long-standing third party developer, Phil knows these guidelines, yet he chooses to ignore them. I can only guess his reasons for such actions.

I believe that we (Mjaz, the current DOCman lead developer, and myself) have the right to defend ourselves against the misinformation and fear that is being spread. A simple public apology would be a good first step, but I don't expect this to happen given Phil's earlier replies.
BTW, I almost crapped myself, as we have 2000 Docs in Docman, in 100 categories, on a site with 2500 pages.
So yeah, I panicked. Not a good feeling  :o
Exactly my point !

Jinx
Joomla! Champion
Posts: 6508
Joined: Fri Aug 12, 2005 12:47 am
Contact:

Re: DocMAN 1.3.0 RC2

Post by Jinx » Sat Aug 25, 2007 12:13 pm

Added: 25-08-2007: information on the security issue posted

We have done research on the DOCman issues posted in the last two days and believe that this security issue is related or identical to an issue that was reported a couple of months ago and was fixed back then. The original report also dates back to January 2007, which supports this theory. This issue was not deemed of high enough priority to release an immediate patch for DOCman 1.3 back then, and we have chosen to make the fix available in the new 1.4 version.

A full security sweep of the upcoming DOCman 1.4 beta has already been performed and so far no issues have been found. We are currently fixing legacy support for Joomla! 1.5, and once this is done and tested a public beta release will be made. People who already want to test a private build can contact us (mjaz or myself) through PM.

We would like to thank our DOCman community for their continuous support and feedback. We will continue to try and make DOCman the best free software document manager for Joomla!.

Thanks,

Johan and Matthias

Note: link to original report added.
Last edited by Jinx on Sat Aug 25, 2007 12:20 pm, edited 1 time in total.

infograf768
Joomla! Master
Posts: 19133
Joined: Fri Aug 12, 2005 3:47 pm
Location: **Translation Matters**

Re: DocMAN 1.3.0 RC2

Post by infograf768 » Sat Aug 25, 2007 12:45 pm

Global Mod cap:
-----------------------------------------------------------------
This thread has gone far away from forum rules and will now be locked.

May I remind all that:
Keep all commentary civil, and be courteous at all times. Constructive criticism is welcome, but insults directed towards other users or the site admins will not be tolerated. Coarse/insulting language will not be tolerated.
That being said,

Joomla user's cap
-----------------------
I, personally, look forward to Phil's e-mail to all the people who received the first one, stating what was wrong or not verified in it.

Thanks for your understanding.