Page 1 of 2

[PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Sat Jul 15, 2006 9:59 pm
by RobS
There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5.  We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem.  Please download it from the link below and follow the simple instructions to update your OpenSEF installation. 

Please see: http://www.open-sef.org/news/security_p ... ensef.html

Re: Security patch for OpenSEF 2.0.0 RC5

Posted: Mon Jul 17, 2006 7:30 pm
by nathandiehl
Note: It is not clear in the OpenSEF documentation what to do with the patch.

In case you don't know, you will upload the patched file to:
components/com_sef

and overwrite the old file of the same name.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Tue Sep 19, 2006 11:12 pm
by kavaXtreme
What version number will display once the patch has been installed?

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Fri Sep 22, 2006 4:17 pm
by aaanativearts
The link for the security patch isn't working.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Sat Sep 23, 2006 9:03 pm
by hitesh
OpenSEF has moved to a new site - try searching from:

http://forum.j-prosolution.com/news-discussion/

Btw, the patch is only required if you downloaded RC5 before the patch was released. The current release already contains the patch. Instructions on how to apply the patch are available on the forum.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Mon Sep 25, 2006 8:07 pm
by nathandiehl
Here is a link to download:
http://projects.j-prosolution.com/proje ... ensef.html

OpenSEF 2.0.0-RC5_SP2 is the newest version (as of 25-Sep-2006)

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Mon Sep 25, 2006 9:06 pm
by kavaXtreme
Thanks, Nate. I thought that was the case, but since this is a security issue I really wanted to get that extra confirmation.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Sun Oct 01, 2006 8:50 pm
by Predator
aaanativearts wrote: The link for the security patch isn't working.
The version on the forge has this included; I have also fixed the link, so the old link with open-sef.org in it works again now.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Fri Jan 05, 2007 10:46 am
by C.Ludwig
Hi,

For those who are still using OpenSEF 2.0.0 RC5 < SP2:
Here is the latest link where you can find the patch and information about how to install it:

http://projects.j-prosolution.com/en/pr ... ensef.html
Predator wrote: ... so the old link with open-sef.org in it works now again.
open-sef.org seems to no longer exist!?

Christian

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Mon Jan 08, 2007 5:50 pm
by justinw
When I uploaded the patched file I got:
Fatal error: Cannot instantiate non-existent class: josopensefconfig in /usr/www/users/empangzf/dev/components/com_sef/sef.php on line 26

So I just put the old one back until I can get some help on the above error message.

I also see that open-sef.org doesn't load. Any idea why?

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Tue Jan 09, 2007 8:18 pm
by gws
justinw wrote:
I also see that open-sef.org doesn't load. Any idea why?
Yes, read the 6th post in this thread.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Sun Feb 04, 2007 11:54 am
by mexmet
C.Ludwig wrote: Hi,

For those who are still using OpenSEF 2.0.0 RC5 < SP2:
Here is the latest link where you can find the patch and information about how to install it:

http://projects.j-prosolution.com/en/pr ... ensef.html
Predator wrote: ... so the old link with open-sef.org in it works now again.
open-sef.org seems to no longer exist!?

Christian

It does not work again... anybody, help...

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Sun Feb 04, 2007 2:37 pm
by gws

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Sun Feb 04, 2007 2:56 pm
by mexmet
RobS wrote: There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5.  We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem.  Please download it from the link below and follow the simple instructions to update your OpenSEF installation. 

Please see: http://www.open-sef.org/news/security_p ... ensef.html
This link is still not working... RobS... dear...
I could not find the security patch anywhere...
Anybody, help?

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Mon Feb 05, 2007 10:24 am
by Predator

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Wed Feb 07, 2007 11:39 am
by mexmet
Thank you Predator, I have already found it.
It was just a careless question.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Wed May 09, 2007 7:44 am
by maggiespaws
Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Wed May 09, 2007 8:02 am
by Predator
maggiespaws wrote: Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?
Yes, this fixed it, but if you have RC5 SP2 the fix is already in that version. The patch is only for the RC5 and RC5 SP1 versions.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Wed May 09, 2007 11:04 pm
by maggiespaws
Predator wrote:
maggiespaws wrote: Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?
Yes, this fixed it, but if you have RC5 SP2 the fix is already in that version. The patch is only for the RC5 and RC5 SP1 versions.
Predator, thanks for responding to this.

The site was already running RC5 SP2. As a result of the hacking, they changed the configuration.php file and chown'd all the files and directories used by OpenSEF (in both the components dirs) to a system user rather than the ftp user. This has stopped us repairing the damage until the hosting company resolves this.

I'm writing all of this because I am a little concerned that there is still a security hole with this component. As of yet, I have no conclusive proof that OpenSEF provided the route in (I'm awaiting more detailed logs from the hosting company), but the fact that other than configuration.php, the only files affected were those related to OpenSEF seems more than just a coincidence. I'm happy to try and provide you with any log data etc if you would like to look into this yourself.

I have read around on the internet and have come across one user who said that the security risk was only exposed if the component was installed but not in use? Is this true? At the time of the attack, my friend had it installed but not switched on.

I am soon to go live with a new site using OpenSEF (it is a great component btw) but would feel happier knowing I was safe to do so.

Sorry for the long post.

Regards,
Steve

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Thu May 10, 2007 11:07 am
by Predator
If OpenSEF is not activated, the request will be forwarded to the built-in includes/sef.php, so this is very strange. More info via PM once you have the results from the logfiles would be good. Also, this hacking sounds like RFI (remote file injection), which is only possible if you have Register Globals = On and allow_furl_open = On; maybe you can check this also.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Thu May 10, 2007 12:04 pm
by maggiespaws
No logs back from the hosting company yet, but thanks for your advice. I'll look at those two settings you've mentioned and report back.

Steve

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Fri May 11, 2007 2:47 pm
by maggiespaws
Predator wrote: If OpenSEF is not activated, the request will be forwarded to the built-in includes/sef.php, so this is very strange. More info via PM once you have the results from the logfiles would be good. Also, this hacking sounds like RFI (remote file injection), which is only possible if you have Register Globals = On and allow_furl_open = On; maybe you can check this also.
Still no logs, but a phpinfo() has shown that allow_url_fopen is set to on (is this what you meant in your post when you typed allow_furl_open?). Incidentally, register globals was off and RG set to 0 in the configuration.php.

I can't override the setting using .htaccess as the PHP version is 4.4.4 and according to the PHP site it can only be changed in the main php.ini.

We're emailing the hosts to ask them to change this.
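The two php.ini preconditions Predator lists (register_globals and allow_url_fopen) and the .htaccess limitation Steve runs into can both be checked from the server itself. The script below is an added example, not code from this thread, from OpenSEF or from Joomla; it relies only on ini_get_all() and assumes a PHP 4.2 or later install (run it from the CLI, or as a page the site owner requests once and then deletes). The allow_url_include directive is an addition for PHP 5.2 and later and is reported as absent on older builds.

```php
<?php
// Added example (not from the thread, OpenSEF or Joomla): audit the php.ini
// directives that make remote file inclusion possible, and report whether
// each one could be changed from .htaccess or only from the main php.ini.
// ini_get_all() exposes an 'access' bitmask per directive:
//   1 = PHP_INI_USER (ini_set at runtime), 2 = PHP_INI_PERDIR (.htaccess),
//   4 = PHP_INI_SYSTEM (php.ini / httpd.conf), 7 = all of the above.

function ini_value_is_on($value) {
    // Boolean directives come back as "1"/"" or "On"/"Off" depending on how
    // they were written in php.ini, so normalise before comparing.
    $value = strtolower(trim((string) $value));
    return in_array($value, array('1', 'on', 'yes', 'true'), true);
}

function describe_access($mask) {
    $where = array();
    if ($mask & 1) { $where[] = 'ini_set() at runtime'; }
    if ($mask & 2) { $where[] = '.htaccess / per-directory'; }
    if ($mask & 4) { $where[] = 'php.ini / httpd.conf'; }
    return implode(', ', $where);
}

function rfi_precondition_report() {
    // Directive => why it matters for the attack pattern discussed above.
    $directives = array(
        'register_globals'  => 'request parameters become PHP globals (e.g. $mosConfig_absolute_path)',
        'allow_url_fopen'   => 'include/require may read code from a remote URL',
        'allow_url_include' => 'PHP 5.2+: URL wrappers permitted in include/require',
    );
    $all  = ini_get_all();
    $rows = array();
    foreach ($directives as $name => $meaning) {
        if (!isset($all[$name])) {
            // e.g. allow_url_include on PHP 4.4.4, register_globals on PHP >= 5.4
            $rows[$name] = array('status' => 'not present in this PHP build', 'meaning' => $meaning);
            continue;
        }
        $on   = ini_value_is_on($all[$name]['local_value']);
        $mask = (int) $all[$name]['access'];
        $rows[$name] = array(
            'status'            => $on ? 'ON (risky)' : 'off',
            'meaning'           => $meaning,
            'changeable_in'     => describe_access($mask),
            // This is Steve's situation: no PERDIR bit means .htaccess cannot
            // override it and the hosting company has to edit php.ini.
            'htaccess_override' => ($mask & 2) ? 'yes' : 'no - host must change php.ini',
        );
    }
    return $rows;
}

function print_report($rows) {
    foreach ($rows as $name => $row) {
        echo str_pad($name, 18) . ' : ' . $row['status'] . "\n";
        echo str_repeat(' ', 21) . $row['meaning'] . "\n";
        if (isset($row['changeable_in'])) {
            echo str_repeat(' ', 21) . 'changeable in: ' . $row['changeable_in'] . "\n";
            echo str_repeat(' ', 21) . '.htaccess override: ' . $row['htaccess_override'] . "\n";
        }
    }
}

print_report(rfi_precondition_report());
```

A directive that shows "ON (risky)" together with ".htaccess override: no" is the case Steve describes: the only remedy is a php.ini change by the host, so the report gives you something concrete to put in that email.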

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Mon May 14, 2007 2:57 am
by sambob
Hi all...

just need a bit of clarification on this patch.

I have just installed OpenSEF 2.0.0-RC5_SP2

Does this (the latest version) require the patch?

I am thinking that _SP2 is ok, but unsure.

Thanks in advance

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Mon May 14, 2007 5:37 am
by sambob
I have found the answer.

SP2 (Service Pack 2) includes the security patch.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Tue Jul 10, 2007 6:03 pm
by teclive
Hey there... I just looked and the Joomla I am working on is running
OpenSEF
Version 2.0.0-RC2

Where do I get the patch? Anybody know? :-*

SEF patch extended version 1.0a
is also installed

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Fri Jul 13, 2007 9:00 am
by rliskey
Where do I get the patch? Anybody know?
Use Google!
http://www.google.com/search?q=opensef

Number 4 in Google listing:
http://sourceforge.net/project/showfile ... _id=171110

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Fri Jul 13, 2007 11:57 pm
by teclive
Sorry for the delay... found the mod :) thanks :)

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Thu Aug 02, 2007 8:55 am
by Damien
Trying to find the patch, but it's a) not on the site or b) the site suggested is down.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Thu Dec 20, 2007 8:23 am
by karryberry
Thanks for the valuable information.

Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5

Posted: Tue Feb 19, 2008 4:18 am
by teclive
What is the safest way to update from Version 2.0.0-RC2 to Version 2.0.0-RC5_SP2?

Just overwrite files, or uninstall and reinstall? It is imperative that I don't lose the existing URLs; I will be shot on the spot if that happens ;)

thanks muchly in advance :D