brian wrote: Maybe so but the previous warning was still ignored.
Too bad some webmasters are still waiting for this incident to happen.
[UPGRADE AVAIL.] Vulnerability in SIMPLEBOARD
-
- Joomla! Enthusiast
- Posts: 218
- Joined: Fri Feb 17, 2006 4:30 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Vulnerability reports with 3rd party components are always tricky to deal with because
1. We don't always have good contact information for the developer, even when the projects are hosted on our forge.
2. Often the vulnerabilities that get discovered are for projects that aren't actively developed anymore (Simpleboard and ExtCalendar are excellent examples of this).
3. It is hard to address the issue from a reactionary position until you have log files of someone who has been hacked, which I had a difficult time getting my hands on when this first started.
4. As someone who isn't familiar with the code, it is not always easy to know exactly what is causing the security vulnerability to exist. Add this to the 1st and 2nd problems and things get very difficult.
As mentioned in some other thread, I have proposed starting a security mailing list specifically for Joomla and I have also proposed an automatic update/warning feature in Joomla backend that is version aware. The mailing list was kind of deemed unnecessary by others due to the ability to subscribe to the forum announcements thread. I personally disagree with this but I don't know what else to say. As for the automatic warning/update features in the backend well, that stuff takes time to build.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- PhilTaylor-Prazgod
- Joomla! Ace
- Posts: 1403
- Joined: Sat Aug 20, 2005 12:32 pm
- Location: Jersey, Channel Islands
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
RobS wrote: As mentioned in some other thread, I have proposed starting a security mailing list specifically for Joomla
Well almost 10,000 Joomla Users were notified thanks to my opt-in mailing list, including over 7000 customers who have purchased Joomla Components from our site.
Phil.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
-
- Joomla! Enthusiast
- Posts: 218
- Joined: Fri Feb 17, 2006 4:30 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
PhilTaylor-Prazgod wrote:
RobS wrote: As mentioned in some other thread, I have proposed starting a security mailing list specifically for Joomla
Well almost 10,000 Joomla Users were notified thanks to my opt-in mailing list, including over 7000 customers who have purchased Joomla Components from our site.
Phil.
I highly recommend this as well. Hopefully within Joomla.
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
That is good to know Phil and definitely not a small amount of people. I think it is great that you have access to a tool like that and that you were considerate enough to send a warning about the recent vulnerabilities. Unfortunately, that is probably still only a small fraction of our users.
I would really like to see something that would add your email address to the (low traffic) security mailing list during the J! installation process (optional of course). If they choose not to opt in so be it but I think it would be an effective tool for us and our users to fight back against the crackers.
Last edited by RobS on Tue Jul 11, 2006 4:52 pm, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Enthusiast
- Posts: 218
- Joined: Fri Feb 17, 2006 4:30 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
RobS wrote: That is good to know Phil and definitely not a small amount of people. Unfortunately, that is probably still only a small fraction of our users.
I would really like to see something that would add your email address to the security mailing list during the J! installation process (optional of course). If they choose not to opt in so be it but I think it would be an effective tool for us and our users.
That's even better.
But I do recommend that the optional thing should be shown clearly to the administrator, so they will not come back to us saying that we are spamming them since they installed Joomla.
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
I agree that a security mailing list is essential. An email based system is far more appropriate than a web based one for this sort of stuff. Never understood other people's objections to this.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
I agree but I think it is critical that the user understand what the list is before they decide to opt out. In my opinion it should be a low traffic moderated list to keep away from the burden of keeping up with general discussion mailing lists. It would be much easier for us to refer discussion on topic X back to a specific thread in the forum.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
I confirm the problem with JoomlaBoard 1.1.2
My site was defaced last Sunday and I found it in the logs!
Logs waiting for your email...
EDIT MOD: NOT CONFIRMED
Last edited by infograf768 on Thu Jul 13, 2006 5:28 am, edited 1 time in total.
-
- Joomla! Enthusiast
- Posts: 218
- Joined: Fri Feb 17, 2006 4:30 pm
- Contact:
Re: Re: WARNING: Vulnerability in SIMPLEBOARD
globule wrote: I confirm the problem with JoomlaBoard 1.1.2
My site was defaced last Sunday and I found it in the logs!
Logs waiting for your email...
Ouch !!!
[ http://www.MOSCOM.COM ] WebHosting 24x7 Phone Support.
[ http://www.KING.NET ] My Project ... converting to 1.6
- brian
- Joomla! Master
- Posts: 12787
- Joined: Fri Aug 12, 2005 7:19 am
- Location: Leeds, UK
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Yes, an announce-only list that requires moderation before any mail is sent.
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/
- shadoe
- Joomla! Intern
- Posts: 65
- Joined: Fri Aug 19, 2005 9:01 am
- Location: Stockholm, Sweden
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
A tip for people who are running their own servers and/or have good connections with the "hoster"....
http://www.modsecurity.org
and I collect updated rules from
http://www.gotroot.com/tiki-index.php?p ... rity+rules
But if you install this - please check the output (log) for the mod... some rules block things that shouldn't be blocked, but after removing those rules 99,999% of all "vulnerability" scanners get the extended middle finger (including the Simpleboard & ExtCalendar vulnerability, which got caught in this "firewall" on my server).
It's not a solution for the actual vulnerability but with it on your server you'll probably sleep better. (I pipe the log entries to my mail and I have between 5 and 150 reports a day - there's a lot of ***h*les out there)
Member of the Swedish Translation Team
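A small triage script for the log-checking step shadoe describes: it counts mod_security denials per rule id and flags denials on administrator paths as candidates for the "blocks things that shouldn't be" false positives. This is an added example, not shadoe's setup, the gotroot rules or anything shipped with mod_security. The log lines are constructed in the ModSecurity 2 error-log style, and the rule ids, messages and trusted path prefix are assumptions to adapt to your own rule set.

```python
"""Summarise mod_security denials from an Apache error log so that noisy rules
(false positives on legitimate traffic) can be told apart from rules that only
fire on scanner traffic.  Added example; nothing here comes from mod_security,
the gotroot rule set or the forum poster."""
import re
from collections import defaultdict

# Constructed sample lines (not real log data): three scanner hits on the old
# SimpleBoard upload scripts and one denial on an administrator page.
SAMPLE_LOG = """\
[Tue Jul 11 09:12:01 2006] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "http:/" at ARGS:path. [id "950117"] [msg "Remote File Access Attempt"] [uri "/components/com_simpleboard/file_upload.php"]
[Tue Jul 11 09:12:03 2006] [error] [client 203.0.113.5] ModSecurity: Access denied with code 403 (phase 2). Pattern match "http:/" at ARGS:path. [id "950117"] [msg "Remote File Access Attempt"] [uri "/components/com_simpleboard/image_upload.php"]
[Tue Jul 11 10:40:17 2006] [error] [client 198.51.100.9] ModSecurity: Access denied with code 403 (phase 2). Pattern match "http:/" at ARGS:path. [id "950117"] [msg "Remote File Access Attempt"] [uri "/components/com_simpleboard/file_upload.php"]
[Tue Jul 11 11:02:44 2006] [error] [client 192.0.2.20] ModSecurity: Access denied with code 403 (phase 2). Pattern match "select" at ARGS:text. [id "950901"] [msg "SQL Injection Attack"] [uri "/administrator/index2.php"]
"""

# Pulls client, rule id, message and URI out of one "Access denied" line.
LINE_RE = re.compile(
    r'\[client (?P<client>[^\]]+)\] ModSecurity: Access denied.*?'
    r'\[id "(?P<id>\d+)"\].*?\[msg "(?P<msg>[^"]*)"\].*?\[uri "(?P<uri>[^"]*)"\]'
)

# Paths only legitimate administrators reach; a denial here deserves a manual
# look before the rule stays enabled (assumption: adjust to your own site).
TRUSTED_PREFIXES = ("/administrator/",)


def parse_denials(text):
    """Return one dict per recognised 'Access denied' line; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            out.append(m.groupdict())
    return out


def summarise(denials):
    """Count denials per rule id and collect the ones that hit trusted paths."""
    per_rule = defaultdict(int)
    suspects = []
    for d in denials:
        per_rule[d["id"]] += 1
        if d["uri"].startswith(TRUSTED_PREFIXES):
            suspects.append(d)
    return dict(per_rule), suspects


def report(text):
    """Return (per-rule counts, denials on trusted paths) for a log excerpt."""
    return summarise(parse_denials(text))


if __name__ == "__main__":
    counts, suspects = report(SAMPLE_LOG)
    for rule_id, n in sorted(counts.items(), key=lambda kv: -kv[1]):
        print(f"rule {rule_id}: {n} denials")
    for d in suspects:
        print(f"CHECK rule {d['id']} ({d['msg']}) blocked {d['client']} on {d['uri']}")
```

Feed it the error log shadoe pipes to mail; a rule that shows up under CHECK for your own admin sessions is the kind you disable, while a rule that only ever hits the old SimpleBoard paths is doing its job.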
- globule
- Joomla! Guru
- Posts: 551
- Joined: Tue Aug 30, 2005 9:11 pm
- Location: Aix-En-Provence, France
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Mea culpa:
I was parsing my logs to check the history of the attack and at the end, I realised something strange:
all entries were referring to 'simpleboard' instead of 'joomlaboard'.
What happened?
When I upgraded from Simpleboard 1.1.0 to Joomlaboard, the old files were not automatically deleted. I knew it but I kept the old version, just in case...
So, even if there was no menu entry referring to Simpleboard, the hacker could access it. He just supposed that if Joomlaboard is installed, there is a chance there was Simpleboard before... and he was right!
Conclusion: This attack DOES NOT concern Joomlaboard but ONLY SimpleBoard
Recommendation: People who upgraded from SimpleBoard to JoomlaBoard should check whether they deleted the SimpleBoard files.
I'm really sorry.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Tue Jul 11, 2006 9:32 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
PhilTaylor-Prazgod wrote:
RobS wrote: As mentioned in some other thread, I have proposed starting a security mailing list specifically for Joomla
Well almost 10,000 Joomla Users were notified thanks to my opt-in mailing list, including over 7000 customers who have purchased Joomla Components from our site.
Phil.
Yeah, thanks Phil. I got the email this morning and fortunately my site hasn't been hacked yet. I have done the "rename" folder thing as suggested.
Is there any new news on a fix? I really would like to get my forums back up.
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
P_Funk wrote: Is there any new news on a fix? I really would like to get my forums back up.
The fix is:
- Uninstall simpleboard
- Install joomlaboard 1.1.2
- When asked for during install, click to have the database updated
MOST IMPORTANT: DON'T KEEP ANY SIMPLEBOARD FOLDERS AND FILES ON THE SERVER!
Last edited by Anonymous on Tue Jul 11, 2006 10:21 pm, edited 1 time in total.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Tue Jul 11, 2006 9:32 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
Done!!!! Thanks !!!
-
- Joomla! Apprentice
- Posts: 19
- Joined: Fri May 05, 2006 1:01 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
Hello,
I have simpleboard 1.1 and those bots have been trying to deface my site for about 1-2 weeks. Nothing happened yet, but they are really annoying because they try to do this about 50-100 times/minute. I will uninstall simpleboard and install joomlaboard. All posts/confs will be saved?
- vokaldesign
- Joomla! Intern
- Posts: 89
- Joined: Thu Sep 01, 2005 2:43 pm
- Location: Næstved
Re: WARNING: Vulnerability in SIMPLEBOARD
RobS wrote:
This code should be in all files installed by com_simpleboard and com_extcalender. Basically, everything in /path/to/Joomla/components/com_extcalender, /path/to/Joomla/administrator/components/com_extcalender, /path/to/Joomla/components/com_simpleboard, and /path/to/Joomla/administrator/components/com_simpleboard
Refer to this link for more information about extCalender: http://forum.joomla.org/index.php/topic,75390.0.html
Code:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
Just checking to see if I get this right: every single file in those folders + subfolders has to be opened and edited..? (really hoping that I'm wrong on this..!)
- davemgood
- Joomla! Apprentice
- Posts: 41
- Joined: Wed Dec 28, 2005 11:17 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
I'm sorry, I'm not a coder, but where should I paste this code in the files?
Thanks much!
dave
- joomlahut
- Joomla! Intern
- Posts: 85
- Joined: Wed Aug 17, 2005 10:11 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
vokaldesign wrote: Just checking to see if I get this right: every single file in those folders + subfolders has to be opened and edited..? (really hoping that I'm wrong on this..!)
You're absolutely correct, sorry. Upgrading to Joomlaboard should be easier in this case.
Michael Morris - BuyHTTP Internet Services
www.demoplaza.com : Flash Tutorials For Joomla
www.buyhttp.com : Joomla Hosting Specialists
Free Joomla Professional Installation + Free Joomla Template
- joomlahut
- Joomla! Intern
- Posts: 85
- Joined: Wed Aug 17, 2005 10:11 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
davemgood wrote: I'm sorry, I'm not a coder, but where should I paste this code in the files?
Thanks much!
dave
At the very top, right after
Code:
<?php
Michael Morris - BuyHTTP Internet Services
www.demoplaza.com : Flash Tutorials For Joomla
www.buyhttp.com : Joomla Hosting Specialists
Free Joomla Professional Installation + Free Joomla Template
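For the two checks the thread keeps coming back to (no SimpleBoard folders left on the server after the upgrade, and the `_VALID_MOS` guard placed right after `<?php` in every file of a component, subfolders included), here is an added audit script in Python; it is not code from Joomla, Joomlaboard, ExtCalendar or any poster. The site tree it scans in `demo()` is constructed in a temporary directory, and all paths are assumptions about a Joomla 1.0 layout.

```python
"""Audit third-party Joomla 1.0 component directories: report leftover
SimpleBoard directories and PHP files that lack the direct-access guard.
Added example; the guard text itself is the one quoted in the thread."""
import os
import re
import tempfile

# The guard the thread tells people to paste right after the opening <?php tag.
GUARD = "// no direct access\ndefined( '_VALID_MOS' ) or die( 'Restricted access' );\n"
GUARD_RE = re.compile(r"defined\(\s*['\"]_VALID_MOS['\"]\s*\)")

# Directories that must not remain after the move to Joomlaboard (relative to the
# Joomla root; assumption based on the paths quoted in the thread).
LEFTOVER_DIRS = ["components/com_simpleboard", "administrator/components/com_simpleboard"]


def leftover_simpleboard(root):
    """Return the SimpleBoard directories that still exist below the Joomla root."""
    return [d for d in LEFTOVER_DIRS if os.path.isdir(os.path.join(root, d))]


def has_guard(source):
    """True if the PHP source already checks _VALID_MOS."""
    return GUARD_RE.search(source) is not None


def add_guard(source):
    """Insert the guard right after the first <?php tag (where joomlahut says it goes).
    Returns the new source, or None when the file does not open with <?php, in
    which case it needs a manual look rather than an automatic edit."""
    if has_guard(source):
        return source
    m = re.match(r"\s*<\?php\b", source)
    if m is None:
        return None
    return source[:m.end()] + "\n" + GUARD + source[m.end():]


def unguarded_files(component_dir):
    """Walk a component directory, subfolders included, and list PHP files lacking the guard."""
    missing = []
    for dirpath, _, names in os.walk(component_dir):
        for name in names:
            if not name.lower().endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                if not has_guard(fh.read()):
                    missing.append(os.path.relpath(path, component_dir))
    return sorted(missing)


def demo():
    """Build a constructed mini site tree in a temp dir and run both checks on it."""
    root = tempfile.mkdtemp()
    cal = os.path.join(root, "components", "com_extcalendar")
    os.makedirs(os.path.join(cal, "includes"))
    os.makedirs(os.path.join(root, "components", "com_simpleboard"))  # leftover from the upgrade
    with open(os.path.join(cal, "extcalendar.php"), "w") as fh:
        fh.write("<?php\n" + GUARD + "echo 'guarded';\n")
    with open(os.path.join(cal, "includes", "helper.php"), "w") as fh:
        fh.write("<?php\necho 'unguarded';\n")  # missed file in a subfolder
    return leftover_simpleboard(root), unguarded_files(cal)


if __name__ == "__main__":
    leftover, missing = demo()
    print("leftover SimpleBoard dirs:", leftover)
    print("files missing _VALID_MOS guard:", missing)
```

Run `unguarded_files()` against your real `components/...` and `administrator/components/...` directories to get the list vokaldesign was asking about; `add_guard()` shows the edit to make in each listed file.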
- davemgood
- Joomla! Apprentice
- Posts: 41
- Joined: Wed Dec 28, 2005 11:17 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
My Joomlaboard already had that code there. I didn't touch it.
My ExtCalendar 2 did not have the code. I added it to each file in both directories.
Thanks much!
dave
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Joomlaboard is currently not thought to have any vulnerabilities. SimpleBoard is the one with the problems.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
Anybody that changed from simpleboard to Joomlaboard needs to make sure they have removed all simpleboard files from the site.
Simpleboard can be exploited even if it is unpublished and not showing on the site.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
- vokaldesign
- Joomla! Intern
- Posts: 89
- Joined: Thu Sep 01, 2005 2:43 pm
- Location: Næstved
Re: WARNING: Vulnerability in SIMPLEBOARD
I've installed joomlaboard and was surprised how easy it all went - all of my forums and settings from simpleboard were integrated right away! :-*
Now I've removed the simpleboard component + modules and checked via ftp that everything has gone...
Still thinking about the calendar though... I've just added the
Code:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
code to the files in the main folders (.../components/ext_calendar and .../administrator/components/ext_calendar) and not to all files in the subfolders yet... But I suppose I better get started.
Do we know anything about a new release of this calendar? It is in my opinion by far the best calendar component. I've during this process been looking at other alternatives but I just can't seem to find any other calendars that I want...
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
There have been hints (one by Elpie and I think I saw another somewhere) about someone picking up where the original developer left off and updating the component to deal with the recent security issues and whatnot but I cannot confirm whether or not this is the case.
I suggest you do what you can to secure it or maybe disable it for now. chmod -R 000 components/com_extcalendar/* administrator/components/com_extcalendar/* should be sufficient to disable it temporarily.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
After replacing simpleboard by joomlaboard we still get tons of hack attempts because the simpleboard links are still in the search engines.
To keep those infected machines from trying as many targets as possible, I have recreated the files /components/com_simpleboard/file_upload.php and image_upload.php as:
- Elpie
- Joomla! Guru
- Posts: 903
- Joined: Wed Aug 17, 2005 11:26 pm
- Contact:
Re: WARNING: Vulnerability in SIMPLEBOARD
RobS wrote: There have been hints (one by Elpie and I think I saw another somewhere) about someone picking up where the original developer left off and updating the component to deal with the recent security issues and whatnot but I cannot confirm whether or not this is the case.
I suggest you do what you can to secure it or maybe disable it for now. chmod -R 000 components/com_extcalendar/* administrator/components/com_extcalendar/* should be sufficient to disable it temporarily.
I can confirm that a new release to update ExtCalendar is on its way.
Unfortunately, the defined( '_VALID_MOS' ) is NOT enough to protect ExtCalendar. In going through the files we have discovered a number of security issues, including SQL injection. This has led to a considerable amount of recoding to correct the problems.
Due to the number of issues we have found I cannot give you a time for release yet - it will be as soon as we can though.
DO NOT Uninstall the ExtCalendar component unless you have a backup of your data or are willing to lose all your events.
If you want to keep your events I suggest you follow Robs advice and temporarily disable ExtCalendar.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info
-
- Joomla! Explorer
- Posts: 374
- Joined: Thu Aug 18, 2005 8:54 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
What a topic mess in this thread
-
- Joomla! Apprentice
- Posts: 12
- Joined: Thu Jul 13, 2006 7:39 pm
Re: WARNING: Vulnerability in SIMPLEBOARD
I recently traced my latest hack to Secunia.
Who are they? or is this part of the simpleboard program?