Joomla 1.0.13: DO NOT UPGRADE FOR NOW 
Community Builder - Announcements 
Written by Beat   
Saturday, 21 July 2007 
IMPORTANT TEMPORARY NOTICE:


Joomla 1.0.13 Stable has been released in its current SVN state to our surprise.

Joomla 1.0.13 breaks backwards compatibility with itself (you can't downgrade to anything before joomla 1.0.13), and with some extensions like Community Builder and bridges, and is not compatible with CB 1.0.2 or earlier.

Additionally, some vulnerabilities introduced by the RC3 that we reported privately did not get fixed

Our strong advice: do NOT upgrade to Joomla 1.0.13 for now.

CB Team feels sorry to have to make this announcement. I'm personaly part of Joomla Q&T team and CB test-team tests Joomla pre-releases too. Unfortunately fixes for bugs and vulnerabilities identified in 1.0.13 RC3 were not made available to Joomla Q&T team and CB test-team for further testing prior to public release. This issue has just been addressed by CB team to Joomla core team, and we are waiting for a reply.

Unfortunately fixes for bugs and vulnerabilities identified in 1.0.13 RC3 were not made available to Joomla Q&T team and CB test-team for further testing prior to public release.

21-Jul-2007 Robin Muilwijk
^ (version.php) preparation for release

18-Jul-2007 Rob Schley
# Fixed admin session problems with immediate logout after login.
# Fixed a few misc. bugs.

11-Jul-2007 Sam Moffatt
^ Removed assumption that a group exists for a user (may not actually be true)

04-Jul-2007 Rob Schley
# Fixed a bug in the administrator login system that prevented users from logging in

02-Jul-2007 Rob Schley
* SECURITY A6 [LOW Level]: Fixed [#5630] HRS attack on variable "url"
* SECURITY A1 [LOW Level]: Fixed [#5654] Multiple fields subjected to cross-site scripting vulnerabilities
* SECURITY A7 [LOW Level]: Fixed possible session fixation vulnerability in administrator application

29-Jun-2007 Louis Landry
^ Hardened password storage mechanism to use a random salt
! Remember Me cookies will be invalid and require a re-login

20-May-2007 Rob Schley
# Fixed key reference lookups to match whole results only
# Fixed two help screen naming issues.
^ Changed RG_EMULATION warning message to refer to Global Configuration Setting

17-May-2007 Rob Schley
^ Moved register globals emulation controls into Global Configuration

15-May-2007 Rob Schley
# Fixed [topic,170296] : Typos in Search Mambot configurations

14-May-2007 Rob Schley
# Fixed [topic,153233] : "Mail to Friend" parameter checks not checking content item setings
# Fixed [topic,126371] : IE7 left align problem
# Fixed [topic,167745] : Added JavaScript alert for empty category title

28-Apr-2007 Rob Schley
^ Changed cookie naming conventions to not break when using HTTPS
# Fixed [topic,156116] : Optimzed queries for menu creation to improve performance.
* SECURITY A4 [ LOW Level ]: XSS issue in com_search and com_content
* SECURITY A4 [ LOW Level ]: XSS vulnerability in mod_login

16-Apr-2007 Enno Klasing
# Re-enabled Itemid behaviour of 1.0.11 (optional, default is behaviour of 1.0.12)

Hi, again!

I am sorry to say that I do not know what Beat is talking about with that announcement.

At this point, I think more information is required from Beat. Unless maybe someone else has an idea? I am at a complete and total loss.
Amy

Option 1) Restore the backup you made of course before upgrading, for files and for SQL database.

A little more detailed:

  a) Restore your Joomla 1.0.12 files
  b) Restore SQL ( default "jos_" )#_users (or at least the password column).

Joomla 1.0.13 auto-upgrades password storage for each user at first login after upgrade.

Ok, here some help to reset access to your joomla system:

Method 1: Easiest:

Click lost password in front-end, enter your admin username and email (if you remember it) and check your email



Method 2: Well, a little less easier:

  a) Go to database admin (e.g. phpMyAdmin), and open database.

  b) Find table jos_users

  c) Find your admin entry (by search by username).

      There you will see a password looking like:

      1023456789ABCDEF1023456789ABCDEF:1023456789ABCDEF  <<<<  Notice the " : "

  d) Find an online md5 generator like here:

      http://www.iwebtool.com/md5

  e) Type-in a temporary password, and write down the md5 hash. or Copy and paste in to a text document.

      e.g. md5 Encryption for the word 'example' is:    1a79a4d60de6718e8e5b326e338ae533
      (you could use this as temporary, but change it as soon as you can).

  f) Edit the entry in SQL, and change password column of that entry to the one above for password 'example'
    or to the one you computed, or the old one from backup (notice: no ':' in it...)

Method 3:
  a) Alternatively, you could copy the md5 password from another user that you register in frontend
    or of which you already know the password.

---------
The Joomlapolis Team are working on a compatible version currently, the upcoming CB 1.1 will be compatible with joomla 1.0.13.

Hi, again!

I am sorry to say that I do not know what Beat is talking about with that announcement.

At this point, I think more information is required from Beat. Unless maybe someone else has an idea? I am at a complete and total loss.
Amy

The fixes that were introduced in RC3, there are not in SVN because it wasn't committed.

Revision 7813 - (view) (download) (annotate) - [select for diffs]
Modified Fri Jun 29 06:04:09 2007 UTC (3 weeks, 3 days ago) by louis
File length: 100999 byte(s)
Diff to previous 7443

Hardened password storage to use a random salt.

What do you mean they weren't committed?

The password salt was added over three weeks ago:

I don't know if you have access to private security forum, if you do than you'll see there are more issues that weren't committed, the password I know it was added.

FYI, Sam's file is also available here:
http://forum.joomla.org/index.php/topic,193358.0.html