Joomla! Discussion Forums



It is currently Thu Nov 26, 2009 11:33 am (All times are UTC)

[ 96 posts ] Go to page Previous 1, 2, 3, 4 Next
Posted: Tue Jul 11, 2006 2:46 pm
Joomla! Enthusiast
Joined: Fri Feb 17, 2006 4:30 pm
Posts: 222
brian wrote:
Maybe so but the previous warning was still ignored.


Too bad some webmasters are still waiting for this incident to happen.  :(

_________________
[ http://www.GIMIK.COM ] My current project.
[ http://www.KING.NET ] My Blog.


Posted: Tue Jul 11, 2006 4:21 pm
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Vulnerability reports with 3rd party components are always tricky to deal with because:
1. We don't always have good contact information for the developer, even when the projects are hosted on our forge.
2. Often the vulnerabilities that get discovered are for projects that aren't actively developed anymore (Simpleboard and ExtCalendar are excellent examples of this).
3. It is hard to address the issue from a reactionary position until you have log files of someone who has been hacked, which I had a difficult time getting my hands on when this first started.
4. As someone who isn't familiar with the code, it is not always easy to know exactly what is causing the security vulnerability to exist.  Add this to the 1st and 2nd problems and things get very difficult.

As mentioned in some other thread, I have proposed starting a security mailing list specifically for Joomla and I have also proposed an automatic update/warning feature in Joomla backend that is version aware.  The mailing list was kind of deemed unnecessary by others due to the ability to subscribe to the forum announcements thread.  I personally disagree with this but I don't know what else to say.  As for the automatic warning/update features in the backend well, that stuff takes time to build.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Jul 11, 2006 4:43 pm
Joomla! Guru
Joined: Sat Aug 20, 2005 12:32 pm
Posts: 990
Location: Tewkesbury, UK
RobS wrote:
As mentioned in some other thread, I have proposed starting a security mailing list specifically for Joomla


Well almost 10,000 Joomla Users were notified thanks to my opt-in mailing list, including over 7000 customers who have purchased Joomla Components from our site.

Phil.

_________________
Phil Taylor - Full Time Expert Joomla-Only Developer
Blue Flame IT Ltd.
-- http://www.phil-taylor.com/
SPEED UP Joomla 1.5.x Admin Console with this: http://extensions.joomla.org/extensions ... 53/details


Posted: Tue Jul 11, 2006 4:49 pm
Joomla! Enthusiast
Joined: Fri Feb 17, 2006 4:30 pm
Posts: 222
PhilTaylor-Prazgod wrote:
RobS wrote:
As mentioned in some other thread, I have proposed starting a security mailing list specifically for Joomla


Well almost 10,000 Joomla Users were notified thanks to my opt-in mailing list, including over 7000 customers who have purchased Joomla Components from our site.

Phil.


I highly recommend this as well. Hopefully within Joomla.

_________________
[ http://www.GIMIK.COM ] My current project.
[ http://www.KING.NET ] My Blog.


Posted: Tue Jul 11, 2006 4:49 pm
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
That is good to know Phil and definitely not a small amount of people.  I think it is great that you have access to a tool like that and that you were considerate enough to send a warning about the recent vulnerabilities.  Unfortunately, that is probably still only a small fraction of our users.  

I would really like to see something that would add your email address to the (low traffic) security mailing list during the J! installation process (optional of course).  If they choose not to opt in so be it but I think it would be an effective tool for us and our users to fight back against the crackers.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Last edited by RobS on Tue Jul 11, 2006 4:52 pm, edited 1 time in total.

Posted: Tue Jul 11, 2006 4:52 pm
Joomla! Enthusiast
Joined: Fri Feb 17, 2006 4:30 pm
Posts: 222
RobS wrote:
That is good to know Phil and definitely not a small amount of people.  Unfortunately, that is probably still only a small fraction of our users.  

I would really like to see something that would add your email address to the security mailing list during the J! installation process (optional of course).  If they choose not to opt in so be it but I think it would be an effective tool for us and our users.


That's even better.

But I do recommend that the optional thing should be clearly shown to the administrator, so they will not come back to us saying that we are spamming them since they installed Joomla.

_________________
[ http://www.GIMIK.COM ] My current project.
[ http://www.KING.NET ] My Blog.


Posted: Tue Jul 11, 2006 4:52 pm
Joomla! Virtuoso
Joined: Fri Aug 12, 2005 7:19 am
Posts: 4471
Location: Leeds, UK
I agree that a security mailing list is essential. An email-based system is far more appropriate than a web-based one for this sort of stuff. Never understood other people's objections to this.


Posted: Tue Jul 11, 2006 4:54 pm
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
I agree but I think it is critical that the user understand what the list is before they decide to opt out.  In my opinion it should be a low traffic moderated list to keep away from the burden of keeping up with general discussion mailing lists.  It would be much easier for us to refer discussion on topic X back to a specific thread in the forum.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Tue Jul 11, 2006 5:54 pm
Joomla! Guru
Joined: Tue Aug 30, 2005 9:11 pm
Posts: 538
Location: Aix-En-Provence, France
I confirm the problem with JoomlaBoard 1.1.2.
My site was defaced last Sunday and I found it in the logs!

Logs waiting for your email...

EDIT MOD: NOT CONFIRMED

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)


Last edited by infograf768 on Thu Jul 13, 2006 5:28 am, edited 1 time in total.

Posted: Tue Jul 11, 2006 5:55 pm
Joomla! Enthusiast
Joined: Fri Feb 17, 2006 4:30 pm
Posts: 222
globule wrote:
I confirm the problem with JoomlaBoard 1.1.2
My site was defaced last Sunday and I found it in the logs!

Logs waiting for your email...


Ouch !!!

_________________
[ http://www.GIMIK.COM ] My current project.
[ http://www.KING.NET ] My Blog.


Posted: Tue Jul 11, 2006 5:56 pm
Joomla! Virtuoso
Joined: Fri Aug 12, 2005 7:19 am
Posts: 4471
Location: Leeds, UK
Yes, an announce-only list that requires moderation before any mail is sent.


Posted: Tue Jul 11, 2006 6:25 pm
Joomla! Intern
Joined: Fri Aug 19, 2005 9:01 am
Posts: 63
Location: Stockholm, Sweden
A tip for people who are running their own servers and/or have good connections with the "hoster":
http://www.modsecurity.org

and I collect updated rules from
http://www.gotroot.com/tiki-index.php?page=mod_security+rules

But if you install this, please check the output (log) of the mod... some rules block things that shouldn't be blocked, but after removing those rules 99.999% of all "vulnerability" scanners get the extended middle finger (the Simpleboard & ExtCalendar vulnerability attempts got caught in this "firewall" on my server too).

It's not a solution for the actual vulnerability, but with it on your server you'll probably sleep better. (I pipe the log entries to my mail and I have between 5 and 150 reports a day; there are a lot of ***h*les out there.)

_________________
Member of the Swedish Translation Team


Posted: Tue Jul 11, 2006 9:16 pm
Joomla! Guru
Joined: Tue Aug 30, 2005 9:11 pm
Posts: 538
Location: Aix-En-Provence, France
Mea culpa:
I was parsing my logs to check the history of the attack, and at the end I realised something strange:
all entries were referring to 'simpleboard' instead of 'joomlaboard'. :-[

What happened?
When I upgraded from Simpleboard 1.1.0 to Joomlaboard, the old files were not automatically deleted. I knew it, but I kept the old version, just in case... :'(
So, even if there was no menu entry referring to Simpleboard, the hacker could access it. He just supposed that if Joomlaboard is installed, there is a chance there was Simpleboard before... and he was right!

Conclusion: This attack DOES NOT concern Joomlaboard but ONLY SimpleBoard.

Recommendation: People who upgraded from SimpleBoard to JoomlaBoard should check whether they deleted the SimpleBoard files.

I'm really sorry.

_________________
May the forge be with you!
http://www.joomlation.eu (intl)
http://www.joomlation.org (fr)


Posted: Tue Jul 11, 2006 10:14 pm
Joomla! Fledgling
Joined: Tue Jul 11, 2006 9:32 pm
Posts: 4
PhilTaylor-Prazgod wrote:
RobS wrote:
As mentioned in some other thread, I have proposed starting a security mailing list specifically for Joomla


Well almost 10,000 Joomla Users were notified thanks to my opt-in mailing list, including over 7000 customers who have purchased Joomla Components from our site.

Phil.


Yeah,  thanks Phil.  I got the email this morning and fortunately my site hasn't been hacked yet.    I have done the "rename" folder thing as suggested. 

Is there any new news on a fix?  I really would like to get my forums back up.


Posted: Tue Jul 11, 2006 10:19 pm
Joomla! Explorer
Joined: Thu Aug 18, 2005 8:54 pm
Posts: 367
P_Funk wrote:
Is there any new news on a fix?  I really would like to get my forums back up.


The fix is:
  • Uninstall simpleboard
  • Install joomlaboard 1.1.2
  • When asked for during install, click to have the database updated

Oh yes, don't forget to make a backup of the database & files first. Just in case.

MOST IMPORTANT: DON'T KEEP ANY SIMPLEBOARD FOLDERS AND FILES ON THE SERVER!


Last edited by Anonymous on Tue Jul 11, 2006 10:21 pm, edited 1 time in total.

Posted: Wed Jul 12, 2006 12:12 am
Joomla! Fledgling
Joined: Tue Jul 11, 2006 9:32 pm
Posts: 4
Done!!!! Thanks !!!


Posted: Wed Jul 12, 2006 4:52 pm
Joomla! Apprentice
Joined: Fri May 05, 2006 1:01 pm
Posts: 19
Hello,

I have simpleboard 1.1 and those bots have been trying to deface my site for about 1-2 weeks. Nothing has happened yet, but they are really annoying because they try to do this about 50-100 times/minute. I will uninstall simpleboard and install joomlaboard. Will all posts/configs be saved?


Posted: Wed Jul 12, 2006 8:40 pm
Joomla! Intern
Joined: Thu Sep 01, 2005 2:43 pm
Posts: 87
Location: Næstved
RobS wrote:

This code should be in all files installed by com_simpleboard and com_extcalender.  Basically, everything in /path/to/Joomla/components/com_extcalender,  /path/to/Joomla/administrator/components/com_extcalender, /path/to/Joomla/components/com_simpleboard, and /path/to/Joomla/administrator/components/com_simpleboard

Code:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );


Refer to this link for more information about extCalender: http://forum.joomla.org/index.php/topic,75390.0.html


Just checking to see if I get this right: every single file in those folders + subfolders has to be opened and edited..? (really hoping that I'm wrong on this..!)  :'(


Posted: Thu Jul 13, 2006 12:46 am
Joomla! Apprentice
Joined: Wed Dec 28, 2005 11:17 pm
Posts: 36
I'm sorry, I'm not a coder, but where should I paste this code in the files?

Thanks much!

dave


Posted: Thu Jul 13, 2006 1:18 am
Joomla! Intern
Joined: Wed Aug 17, 2005 10:11 pm
Posts: 85
vokaldesign wrote:
Just checking to see if I get this right: every single file in those folders + subfolders has to be opened and edited..? (really hoping that I'm wrong on this..!)  :'(

You're absolutely correct, sorry. Upgrading to Joomlaboard should be easier in this case.

_________________
Michael Morris - BuyHTTP Internet Services
www.demoplaza.com : Flash Tutorials For Joomla
www.buyhttp.com : Joomla Hosting Specialists
Free Joomla Professional Installation + Free Joomla Template


Posted: Thu Jul 13, 2006 1:22 am
Joomla! Intern
Joined: Wed Aug 17, 2005 10:11 pm
Posts: 85
davemgood wrote:
I'm sorry, I'm not a coder, but where should I paste this code in the files?

Thanks much!

dave

At the very top, right after
Code:
<?php

_________________
Michael Morris - BuyHTTP Internet Services
www.demoplaza.com : Flash Tutorials For Joomla
www.buyhttp.com : Joomla Hosting Specialists
Free Joomla Professional Installation + Free Joomla Template


Posted: Thu Jul 13, 2006 2:22 am
Joomla! Apprentice
Joined: Wed Dec 28, 2005 11:17 pm
Posts: 36
My Joomlaboard already had that code there. I didn't touch it.

My ExtCalendar 2 did not have the code. I added it to each file in both directories.

Thanks much!

dave


Posted: Thu Jul 13, 2006 6:00 am
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
Joomlaboard is currently not thought to have any vulnerabilities.  SimpleBoard is the one with the problems.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Thu Jul 13, 2006 6:18 am
Joomla! Guru
Joined: Wed Aug 17, 2005 11:26 pm
Posts: 869
Anybody that changed from simpleboard to Joomlaboard needs to make sure they have removed all simpleboard files from the site.
Simpleboard can be exploited even if it is unpublished and not showing on the site.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Posted: Thu Jul 13, 2006 8:01 am
Joomla! Intern
Joined: Thu Sep 01, 2005 2:43 pm
Posts: 87
Location: Næstved
I've installed joomlaboard and was surprised how easy it all went; all of my forums and settings from simpleboard were integrated right away!  :-*
Now I've removed the simpleboard component + modules and checked via FTP that everything has gone...

Still thinking about the calendar though... I've just added the
Quote:
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );

code to the files in the main folders (.../components/ext_calendar and .../administrator/components/ext_calendar) and not to all files in the subfolders yet... But I suppose I'd better get started.

Do we know anything about a new release of this calendar? It is in my opinion by far the best calendar component. During this process I've been looking at other alternatives, but I just can't seem to find any other calendar that I want...  ???
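The two checks this thread keeps coming back to, leftover SimpleBoard directories and ExtCalendar files that still lack the no-direct-access guard, as an added POSIX shell audit script that is not from the thread, Joomla or either component; the directory layout and the constructed sample tree are assumptions.

```shell
#!/bin/sh
# Added audit helper (not code from this thread, Joomla or ExtCalendar).
# Assumes a Joomla 1.0-style layout: components/ and administrator/components/.
# A text match on _VALID_MOS only says the guard line is present; the thread
# itself reports SQL injection in ExtCalendar, so treat the output as a
# triage list, not as proof that a file is safe.

# Print every .php file below the given directories whose text never
# contains _VALID_MOS, i.e. files still reachable by direct request.
find_unguarded() {
    for dir in "$@"; do
        [ -d "$dir" ] || continue
        find "$dir" -type f -name '*.php' | while IFS= read -r f; do
            grep -q '_VALID_MOS' "$f" || printf '%s\n' "$f"
        done
    done
}

# Print SimpleBoard component/module directories still present under a root.
# Upgrading to JoomlaBoard does not delete them, and they stay reachable
# even when no menu item points at them.
find_simpleboard_leftovers() {
    find "$1" -type d \( -iname 'com_simpleboard' -o -iname 'mod_simpleboard*' \)
}

# Constructed sample tree so the checks can be exercised offline:
# one guarded file, two unguarded files, one leftover SimpleBoard directory.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/components/com_extcalendar/includes" \
             "$root/administrator/components/com_extcalendar" \
             "$root/components/com_simpleboard"
    cat > "$root/components/com_extcalendar/extcalendar.php" <<'EOF'
<?php
// no direct access
defined( '_VALID_MOS' ) or die( 'Restricted access' );
echo 'guarded';
EOF
    printf '<?php\necho "no guard";\n' > "$root/components/com_extcalendar/includes/helper.php"
    printf '<?php\necho "no guard";\n' > "$root/administrator/components/com_extcalendar/admin.extcalendar.php"
    echo "$root"
}

# Against a real site, run the two functions with the site root, e.g.
#   find_simpleboard_leftovers /path/to/joomla
#   find_unguarded /path/to/joomla/components/com_extcalendar \
#                  /path/to/joomla/administrator/components/com_extcalendar
```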


Posted: Thu Jul 13, 2006 8:14 am
Joomla! Ace
Joined: Mon Dec 05, 2005 10:17 am
Posts: 1318
Location: New Orleans, LA, USA
There have been hints (one by Elpie and I think I saw another somewhere) about someone picking up where the original developer left off and updating the component to deal with the recent security issues and whatnot, but I cannot confirm whether or not this is the case.

I suggest you do what you can to secure it or maybe disable it for now.  chmod -R 000 components/com_extcalendar/* administrator/components/com_extcalendar/* should be sufficient to disable it temporarily.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Posted: Thu Jul 13, 2006 12:11 pm
Joomla! Explorer
Joined: Thu Aug 18, 2005 8:54 pm
Posts: 367
After replacing simpleboard with joomlaboard we still get tons of hack attempts because the simpleboard links are still in the search engines.

To hold those infected machines back from trying as many targets as possible, I have recreated the files /components/com_simpleboard/file_upload.php and image_upload.php as:

Code:
<?php
// stall automated scanners that still request the old SimpleBoard upload scripts
sleep(100);
?>


Posted: Thu Jul 13, 2006 12:24 pm
Joomla! Guru
Joined: Wed Aug 17, 2005 11:26 pm
Posts: 869
RobS wrote:
There have been hints (one by Elpie and I think I saw another somewhere) about someone picking up where the original developer left off and updating the component to deal with the recent security issues and whatnot, but I cannot confirm whether or not this is the case.

I suggest you do what you can to secure it or maybe disable it for now.  chmod -R 000 components/com_extcalendar/* administrator/components/com_extcalendar/* should be sufficient to disable it temporarily.


I can confirm that a new release to update ExtCalendar is on its way ;)
Unfortunately, the defined( '_VALID_MOS' ) check is NOT enough to protect ExtCalendar. In going through the files we have discovered a number of security issues, including SQL injection. This has led to a considerable amount of recoding to correct the problems.
Due to the number of issues we have found I cannot give you a time for release yet; it will be as soon as we can though.
DO NOT uninstall the ExtCalendar component unless you have a backup of your data or are willing to lose all your events.
If you want to keep your events I suggest you follow Rob's advice and temporarily disable ExtCalendar.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Posted: Thu Jul 13, 2006 12:35 pm
Joomla! Explorer
Joined: Thu Aug 18, 2005 8:54 pm
Posts: 367
What a topic mess in this thread  ???


Posted: Thu Jul 13, 2006 9:27 pm
Joomla! Apprentice
Joined: Thu Jul 13, 2006 7:39 pm
Posts: 12
I recently traced my latest hack to Secunia.

Who are they? Or is this part of the simpleboard program?


Powered by phpBB © 2000, 2002, 2005, 2007 phpBB Group