The Joomla! Forum ™



Post new topic Reply to topic  [ 135 posts ]  Go to page 1, 2, 3, 4, 5  Next
PostPosted: Mon Dec 31, 2007 7:11 pm 
Joomla! Apprentice

Joined: Mon Jan 09, 2006 11:55 pm
Posts: 16
Location: Cuautla, Morelos, México
Hi, checking on SecurityFocus, I see one bug for Joomla; you can see it here:
http://www.securityfocus.com/archive/1/ ... 0/threaded

It says the Joomla 1.0.x version has not fixed this security bug; does somebody know about that???
Greetings.

_________________
sorry, my English is bad  :-[


PostPosted: Mon Dec 31, 2007 8:24 pm
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
tuxsoul wrote:
Hi, checking on SecurityFocus, I see one bug for Joomla; you can see it here:
http://www.securityfocus.com/archive/1/ ... 0/threaded

It says the Joomla 1.0.x version has not fixed this security bug; does somebody know about that???
Greetings.


Curiously enough, there are no other references to CSRF in this forum (by search) and no posts referring to anything like this on the 1.5 security board or here on or around 12/4 when this was supposed to have been reported.  The alert referred to in the link above has spread like wildfire all over the Net, but every one of the versions of the notice I've seen is in forum-like areas of security sites and either refers back to the original post on the reporter's website or contains an exact cut and paste of the original alert.

So far as I can tell this issue hasn't been corroborated by any 'official' channels.

Finally, the last line of the original alert is an advertisement for a kit that apparently will protect everyone from everything including the flu.

There are many (most) around here who are more knowledgeable than I about the inner workings of Joomla, but could this be a hoax?  It sure looks like something's fishy to me...


PostPosted: Mon Dec 31, 2007 11:58 pm
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 438
Location: Adelaide, South Australia
Well my search of the net turned up this comment on one site:
Quote:
I myself tried to check it out... worked it out and via an XSS-vulnerable page was able to add a superadmin smoothly! Check it out with the LiveHTTPHeaders add-on in Mozilla/Firefox installed

So I looked further in this forum and found http://www.joomla.org/content/view/4335/116/ which shows the 1.5.0 Changelog:
Here are 3 entries that refer to the problem:
Quote:
10-Dec-2007 Laurens Vandeput ** Bug Squash Event: Brussels
* SECURITY A5 [HIGH] Critical CSRF allow portal compromise - Administrator components. Thanks to Paul Delbar & Jeroen Loose.

09-Dec-2007 Rob Schley ** Bug Squash Event: SF **
* SECURITY A5 [HIGH] [#8361] Critical CSRF allow portal compromise.  Administrator components

09-Dec-2007 Andrew Eddie ** Bug Squash Event from home **
* SECURITY A5 [HIGH] [#8361] Critical CSRF allow portal compromise - admin com_users only


There isn't any doubt that a problem was found and fixed, at least in 1.5 RC4.

http://joomlacode.org/gf/project/joomla ... em_id=8361 will give you the full chronology of the report and conclusion;
Quote:
Submitted By: Wilco Jansen
Adddate: 2007-12-10 15:32:06
30 tasks have been created, and all have been processed. Closing.


I didn't find any reference to 1.x. I think the claim that it affects every version is a bit wishful, there doesn't seem to be the facts to back that up. If it had been true, and affected versions other than the SVN, then we would surely have been told about it and a patch issued.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


Last edited by ilox on Tue Jan 01, 2008 12:51 am, edited 1 time in total.

PostPosted: Tue Jan 01, 2008 6:08 pm
Joomla! Enthusiast

Joined: Thu Jun 01, 2006 3:16 pm
Posts: 207
Location: Texas, USA
http://www.google.com/url?sa=t&ct=res&c ... 6hNL2ylUyA

http://www.securitytracker.com/alerts/2 ... 19145.html

http://seclists.org/bugtraq/2007/Dec/0360.html

These pretty much reference the same thing.

IF THIS is true, this should be patched for 1.xx immediately. Simply moving to RC4 is not the best answer as that would take planning.

_________________
cmsconnection.com/forum - the multi-cms forum


PostPosted: Tue Jan 01, 2008 6:16 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
EDIT: THIS POST HAS BEEN EDITED HEAVILY. I wish the Linux diff application I use did not have tabs; I sillily read the left window and right window the wrong way round the first time.

All the facts in the following post are publicly available by searching through the SVN. I'm not saying anything that even a basic hacker cannot work out themselves.

I have personally asked 3 core team members to comment in this thread; up to now, not one of them has.


The SVN logs show that to fix this security vulnerability several blocks of code have been added to almost all components bundled with Joomla 1.5 RC3.

These blocks of code relate to the checking of a token that is held/generated by the session object. This token is passed around by forms and checked before operations.

The same kind of principle (embed a known string into a form and check that known string when the form has been submitted) is also used in Joomla 1.0.13 but with different methods and different code. (It's called josSpoofCheck/josSpoofValue in J1.0.13) but it is only used in the frontend of Joomla 1.0.13 and only in certain places.

The Joomla 1.5 RC3 principle was stored in the session object, whereas the Joomla 1.0.13 principle is not; it's regenerated after the form submission and then compared.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


Last edited by PhilTaylor-Prazgod on Tue Jan 01, 2008 7:53 pm, edited 1 time in total.
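As an added illustration of the two token styles Phil describes above (example code written for this page; it is not Joomla's code and not taken from Phil's patch), here is a session-bound token that is embedded in an admin form and verified before the task runs, beside a stateless variant in the spirit of the josSpoofValue idea, where the value is recomputed at submission time and compared. The function names, the `$session` array standing in for `$_SESSION`, the `_token` field name and the simulated `save_user` task are assumptions; the real Joomla 1.5 and 1.0.13 code differs.

```php
<?php
// Added example (editor's illustration, not Joomla code): anti-CSRF token
// checks in the two styles the post describes. All names are assumptions.
declare(strict_types=1);

// 1) Session-bound token (the Joomla 1.5 RC4 style described above).
//    $session stands in for $_SESSION so this runs from the CLI.
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(16));
    }
    return $session['csrf_token'];
}

// Hidden field to render inside every state-changing admin form.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="_token" value="' . csrf_token($session) . '" />';
}

// Run this before any task that changes state. A request forged from
// another site carries the admin's cookies, but not the token, because
// the attacker's page can never read the victim's session or form.
function csrf_check(array $session, array $post): bool
{
    $expected = $session['csrf_token'] ?? '';
    $given    = $post['_token'] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

// 2) Stateless variant in the spirit of josSpoofValue: nothing is stored in
//    the session; the value is recomputed on submission and compared. It is
//    bound to a server secret, the session id and the UTC day, so it expires.
function spoof_value(string $secret, string $sessionId, int $now): string
{
    return hash_hmac('sha256', $sessionId . '|' . gmdate('Y-m-d', $now), $secret);
}

function spoof_check(string $secret, string $sessionId, string $given, int $now): bool
{
    return hash_equals(spoof_value($secret, $sessionId, $now), $given);
}

// A simulated admin task: the unprotected version acts on any POST; the
// protected version refuses requests whose token does not match the session.
function save_user_unprotected(array $post): string
{
    return 'saved ' . ($post['username'] ?? '?');
}

function save_user_protected(array $session, array $post): string
{
    if (!csrf_check($session, $post)) {
        return 'rejected: missing or invalid token';
    }
    return 'saved ' . ($post['username'] ?? '?');
}

// Demonstration with constructed requests.
$victimSession = [];                                  // the logged-in admin
echo "form field: " . csrf_field($victimSession) . "\n";

// Forged cross-site POST: the cookies ride along, the token does not.
$forged = ['username' => 'attacker'];
echo "unprotected: " . save_user_unprotected($forged) . "\n";
echo "protected:   " . save_user_protected($victimSession, $forged) . "\n";

// Legitimate submission from the real form carries the hidden field.
$legit = $forged + ['_token' => csrf_token($victimSession)];
echo "legitimate:  " . save_user_protected($victimSession, $legit) . "\n";

// Stateless variant: accepted for the issuing session, rejected for another.
$secret = 'constructed-server-secret';
$value  = spoof_value($secret, 'sess-A', time());
var_dump(spoof_check($secret, 'sess-A', $value, time()));
var_dump(spoof_check($secret, 'sess-B', $value, time()));
```

Two caveats a practitioner will want: the check has to sit in front of every state-changing task, not only on the form that renders the field, since a forged request never passes through the form; and the stateless variant as written fails for a value issued just before midnight UTC and submitted just after, so a real implementation also accepts the previous day's value or uses a finer-grained expiry.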

PostPosted: Tue Jan 01, 2008 6:19 pm
Joomla! Enthusiast

Joined: Thu Jun 01, 2006 3:16 pm
Posts: 207
Location: Texas, USA
I'm leaning that way too. Seems odd that every single version would be affected.

Back up and prepare, just in case, I suppose.

_________________
cmsconnection.com/forum - the multi-cms forum


PostPosted: Tue Jan 01, 2008 7:36 pm
Joomla! Apprentice

Joined: Tue Jan 01, 2008 7:24 pm
Posts: 23
Hi all,
I'm the one who found and fixed the CSRF bugs in Joomla. Also I've published the advisory *after* a patch was available.
My name is Armando Romeo and I'm the founder of hackerscenter.com

The original version of the advisory can be found here: http://www.hackerscenter.com/archive/view.asp?id=28138

I'm posting to bring some order, even if the advisory was quite clear.

The RC4 version is *fixed*. It has been revised to include complete protection against CSRF attacks.
I *strongly* advise switching to this version.

All the versions below, 1.0.x up to 1.5 RC3, are vulnerable. At least no one on the Joomla team notified me of a patch for this. (I talked to one of them 1 week ago).


Unfortunately there is no quick fix for this issue. It is basically an attack the Joomla core didn't consider at all, so fixing it means adding a lot of code to every form in the Joomla backend.

NOTE: I've not released any exploit since a lot of portals still use 1.0.x (of course, since 1.5 is not yet supported by many 3rd party components and modules). However an experienced hacker can find the CSRF easily and compromise your portal in a devastating manner.


I'm available for further clarifications

_________________
Webmaster and Founder of

Hackers Center Security Portal
http://www.hackerscenter.com


PostPosted: Tue Jan 01, 2008 7:41 pm
Joomla! Enthusiast

Joined: Thu Jun 01, 2006 3:16 pm
Posts: 207
Location: Texas, USA
Your claim is a large one. I'm not saying that in disagreement, but rather, if all versions of 1.xx are exploitable, the core needs to know how to duplicate it and how to fix 1.0.12/1.0.13 at a minimum.


can you clarify if there are certain extensions or are you claiming the base code is vulnerable?

_________________
cmsconnection.com/forum - the multi-cms forum


PostPosted: Tue Jan 01, 2008 7:54 pm
Joomla! Apprentice

Joined: Tue Jan 01, 2008 7:24 pm
Posts: 23
The core doesn't know how to replicate it; I just got a PM from one of them asking me this, and I was just working to build an exploit for 1.0.13 to demonstrate it.

Once again, it is not a vulnerability they took into account, so it has just been there since Joomla was created, believe it or not. In the Joomla team's defence, CSRF is a vulnerability that is not very well known. It appeared in late 2004-5. Anyway, I wouldn't be severe with them. Google and Amazon were found to be vulnerable just last year.

_________________
Webmaster and Founder of

Hackers Center Security Portal
http://www.hackerscenter.com


PostPosted: Tue Jan 01, 2008 8:03 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
From what I know of CSRF the vulnerability would require me to be logged in to my Joomla admin and to then visit a web page that the hacker had set up....  So if I don't visit any hackers' websites I should be fine ;-) ;-)

I believe we had this once before in Mambo days....

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Tue Jan 01, 2008 8:04 pm
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
Speaking entirely for myself here but...

Can't we knock off the cloak and dagger stuff, lay what's going on here onto the table and start working toward a fix?

The suggestion that tens of thousands of PRODUCTION web sites go from a stable version of Joomla to a release candidate is ridiculous and not an acceptable answer! If this issue is as catastrophic in the 1.0.x code as is being touted, then it needs to be addressed and taken care of in the 1.0.x code as well as in the RC code.

Where are the forum mods and developers on this??


PostPosted: Tue Jan 01, 2008 8:09 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
PhilTaylor-Prazgod wrote:
From what I know of CSRF the vulnerability would require me to be logged in to my joomla admin and to then visit a web page that the hacker had set up....  So if I don't visit any hackers websites I should be fine ;-) ;-)

I believe we had this once before in Mambo days....


Reading the wiki about it: http://en.wikipedia.org/wiki/Cross-site_request_forgery

It states my point above clearly and gives tips, including the one Joomla 1.5 RC4 has gone for (adding hidden form checks per token), and gives advice to users: to log out when finished administrating a site.

This probably does affect Joomla 1.0.13; however you would probably need to have all the following to be compromised:

  • Logged into your Joomla Admin site (or your last session not expired)
  • All cookies still set from Joomla
  • Then visit a hacker's website and let him send in the background of the browser (maybe a hidden iframe) instructions to your Joomla site

A lot of ifs - and hardly the massive security issue that needs immediate instant glorification - but one that needs education of users and a fix developed quickly.

No cloak and daggers needed :-)

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Tue Jan 01, 2008 8:12 pm
Joomla! Apprentice

Joined: Tue Jan 01, 2008 7:24 pm
Posts: 23
Eheh, not visiting hacking sites is not a wise idea, you should instead visit them to learn how to better secure your websites, but this is just my opinion.
And no, I can post a remote image, if I am allowed to, on your website. You would load your website and load my remote image, that of course is my exploit url.
Or I can use an XSS to trigger the URL on your pages. What if I use TinyURL to hide the exploit and have you click it? I can name a lot of other means to have you visit a page of my choice.
You wouldn't have to click anywhere. You wouldn't notice anything.

I'm talking to a core-man of joomla. They should work on fixing 1.0.13 very soon

Ah btw, Wikipedia is knowledge for quick-people. Don't be quick. Read here: http://shiflett.org/articles/cross-site ... -forgeries

_________________
Webmaster and Founder of

Hackers Center Security Portal
http://www.hackerscenter.com


PostPosted: Tue Jan 01, 2008 8:23 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
Zinho - Thank you for your email, the points in my last forum post are confirmed by the details in your email.

Zinho - Please note I am not a core developer of Joomla - I never have said I was - but I am someone with a lot of experience here in Joomla/Mambo land.

Everyone, calm down!  This is not something that a hacker can write a bot to go off and destroy millions of sites overnight while all your Super Admins are asleep.

Yes this is something that should be added to Joomla 1.0.13 so that everyone is protected in the future, it appears that Joomla 1.5 development has taken the rush off fixing Joomla 1.0.13

Yes - there are many ways of embedding bad code to exploit this

Yes - Joomla 1.0.13 appears to be vulnerable to this (under the specific circumstances I mentioned, E.g. you need to be logged in and then visit a page that has this bad code in it, or click a bad link, or several other ways...)

The number one bit of advice I can give all site admins at the moment is to - LOGOUT OF YOUR JOOMLA ADMIN as soon as you finish using it, and do not surf around the internet while administrating your Joomla site, and if you allow users to modify your site's frontend, be careful not to surf your frontend as well while logged in.

Do not install any 3rd party components/mambots/modules/AND TEMPLATES!!! from untrusted sources

Do not click on any links in 3rd party component (like "click here for updates/upgrades") as this is one quick way for a developer/hacker to embed a link into your admin and create a desire to click it.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


Last edited by PhilTaylor-Prazgod on Tue Jan 01, 2008 8:31 pm, edited 1 time in total.

PostPosted: Tue Jan 01, 2008 8:32 pm
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
PhilTaylor-Prazgod wrote:
it appears that Joomla 1.5 development has taken the rush off fixing Joomla 1.0.13


Sorry if I gave the impression I was upset.. not the case... but comments like the one above are concerning.. it's scary to think the newer, shinier object might be getting the attention while the tried and true is being kicked to the curb.  I'm not saying that's what is happening, don't get me wrong -- but if it did happen it wouldn't be the first time...

PhilTaylor-Prazgod wrote:
and if you allow users to modify your site's frontend, be careful not to surf your frontend as well while logged in.


Would you please clarify this last bit?  I want to make sure I understand what you're saying.

Thanks and you're right.. cooler heads will definitely prevail in this situation!  :)


PostPosted: Tue Jan 01, 2008 8:41 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
musiczineguy wrote:
PhilTaylor-Prazgod wrote:
it appears that Joomla 1.5 development has taken the rush off fixing Joomla 1.0.13


Sorry if I gave the impression I was upset.. not the case... but comments like the one above are concerning.. it's scary to think the newer, shinier object might be getting the attention while the tried and true is being kicked to the curb.  I'm not saying that's what is happening, don't get me wrong -- but if it did happen it wouldn't be the first time...



Quote (http://dev.joomla.org/content/blogcategory/21/86/):
Joomla! 1.0.12 is intended to be the last Stability Release in the 1.0.x series.

It was also said somewhere else, although I cannot find it now, that Joomla 1.0.13 would be the last version of Joomla 1.0.x

There has been no change to the Joomla 1.0.x source tree since August 2007

Quote:
PhilTaylor-Prazgod wrote:
and if you allow users to modify your site's frontend, be careful not to surf your frontend as well while logged in.


Would you please clarify this last bit?  I want to make sure I understand what you're saying.

Thanks and you're right.. cooler heads will definitely prevail in this situation!  :)


If you allow users to change any html of your site (for example to type the ) then in theory a bad user could embed a bad link and when you view that page the hidden [BAD CODE] triggers a series of [THINGS] that does [BAD] things to your site..

[THINGS] in square brackets are an attempt to keep the finer details secret at this time - all these things can be found out with a little research.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Tue Jan 01, 2008 8:48 pm
Joomla! Apprentice

Joined: Tue Jan 01, 2008 7:24 pm
Posts: 23
Quote:
Zinho - Please note I am not a core developer of Joomla - I never have said I was - but I am someone with a lot of experience here in Joomla/Mambo land.


True true, my mistake sorry.
But I have to add that I reported this issue on 12/4/2007 giving full working exploits. I reported it also on 1.0.13. But it was fixed only in 1.5rc4. Don't ask me why.

I would also advise not allowing user additions on your frontend. Avoid posting URLs/images into your comments. Beware of TinyURL and similar services.
For the rest, Phil knows what he's talking about, so listen carefully to his advice.

_________________
Webmaster and Founder of

Hackers Center Security Portal
http://www.hackerscenter.com


PostPosted: Tue Jan 01, 2008 9:39 pm
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
PhilTaylor-Prazgod wrote:
It was also said somewhere else, although I cannot find it now, that Joomla 1.0.13 would be the last version of Joomla 1.0.x


Understood, but considering there is no stable release of 1.5, hopefully this type of a situation warrants a security patch at the least.


PhilTaylor-Prazgod wrote:
If you allow users to change any html of your site (for example to type the ) then in theory a bad user could embed a bad link and when you view that page the hidden [BAD CODE] triggers a series of [THINGS] that does [BAD] things to your site..

[THINGS] in square brackets are an attempt to keep the finer details secret at this time - all these things can be found out with a little research.


Yes, [THINGS] and [BAD CODE] are perfectly fine for me as I now understand where you're coming from and don't need to know the details, was just looking for direction.  Thanks!


PostPosted: Tue Jan 01, 2008 11:04 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
This post contains a working solution

Well it has taken me less than 2 hours to patch Joomla 1.0.13 to make it just as secure as Joomla 1.5 RC4 by backporting some code (and changing it slightly!) and then modifying almost every admin function in the Joomla 1.0.13 Admin Console.

Attached is a CSRF.patch patch file that can be used to patch the Joomla 1.0.13 code to provide token checking in admin.

Attached is a CSRF.diff diff file that can be used to see the differences between two folders, one with fixed (patched) files and one with Joomla 1.0.13 latest svn files
/joomla1013FIXED
/joomla1013ORIGINAL

This vulnerability was classified by the Joomla core development team as a "SECURITY A5 [HIGH] Critical CSRF Vulnerability" for Joomla 1.5 and was addressed immediately and a new RC4 was released.

Lets hope that the core team can patch Joomla 1.0.13 soon and release a Joomla 1.0.14 to address this
"SECURITY A5 [HIGH] Critical CSRF Vulnerability" in Joomla 1.0.13


You do not have the required permissions to view the files attached to this post.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


Last edited by PhilTaylor-Prazgod on Tue Jan 01, 2008 11:08 pm, edited 1 time in total.

PostPosted: Tue Jan 01, 2008 11:08 pm
Joomla! Enthusiast

Joined: Thu Jun 01, 2006 3:16 pm
Posts: 207
Location: Texas, USA
Phil

Do you think you could provide a 1.0.12 for those folks who can't upgrade (yet) to 1.0.13 due to extension issues?

_________________
cmsconnection.com/forum - the multi-cms forum


PostPosted: Tue Jan 01, 2008 11:10 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
vscribe wrote:
Phil

Do you think you could provide a 1.0.12 for those folks who can't upgrade (yet) to 1.0.13 due to extension issues?


No.

Joomla 1.0.12 has security issues all of its own :-) 
And I never endorse the running of older software :-) :-)
And the wife wants some of my time tonight (Already 11:11PM!)

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Tue Jan 01, 2008 11:12 pm
Joomla! Enthusiast

Joined: Thu Jun 01, 2006 3:16 pm
Posts: 207
Location: Texas, USA
Good luck with that, Phil.

Thanks

_________________
cmsconnection.com/forum - the multi-cms forum


PostPosted: Tue Jan 01, 2008 11:13 pm
Joomla! Intern

Joined: Sat May 13, 2006 11:51 am
Posts: 96
Location: Guayaquil
Thanks a lot, Phil :)


PostPosted: Tue Jan 01, 2008 11:30 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
I have sent an open letter to Johan/Andrew/Louis asking for this to be fixed in Joomla 1.0.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


Last edited by PhilTaylor-Prazgod on Tue Jan 01, 2008 11:33 pm, edited 1 time in total.

PostPosted: Wed Jan 02, 2008 3:31 am
Joomla! Guru

Joined: Fri Mar 03, 2006 3:26 pm
Posts: 596
Location: Canuck via MKE
musiczineguy wrote:
The suggestion that tens of thousands of PRODUCTION web sites go from a stable version of Joomla to a release candidate is ridiculous and not an acceptable answer! If this issue is as catastrophic in the 1.0.x code as is being touted, then it needs to be addressed and taken care of in the 1.0.x code as well as in the RC code.


Having everyone upgrade immediately to 1.0.13/.14 is not much better than upgrading to 1.5 RC4. As has been noted many times on these forums, 1.0.13 has many bugs. Do these bugs outweigh the security enhancements gained in 1.0.13 (which were described as 'low-risk security fixes' in the 1.0.13 release announcement)? Seems like we need a little support here for the popular versions preceding 1.0.13.

_________________
Victor Drover
http://anything-digital.com - Joomla Extensions and Custom Development
https://watchful.li - Remote backup, update and security monitoring for Joomla.


PostPosted: Wed Jan 02, 2008 10:00 am
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
vdrover wrote:
musiczineguy wrote:
The suggestion that tens of thousands of PRODUCTION web sites go from a stable version of Joomla to a release candidate is ridiculous and not an acceptable answer! If this issue is as catastrophic in the 1.0.x code as is being touted, then it needs to be addressed and taken care of in the 1.0.x code as well as in the RC code.


Having everyone upgrade immediately to 1.0.13/.14 is not much better than upgrading to 1.5 RC4. As has been noted many times on these forums, 1.0.13 has many bugs. Do these bugs outweigh the security enhancements gained in 1.0.13 (which were described as 'low-risk security fixes' in the 1.0.13 release announcement)? Seems like we need a little support here for the popular versions preceding 1.0.13.


remember - there is no such thing as an UPGRADE from Joomla 1.0.x to Joomla 1.5.x - it is a migration and a whole new way of doing things....

You are right about Joomla 1.0.13 having issues; all the more reason for a Joomla 1.0.14!!! I, along with others, fear that Joomla 1.0.x has now been forced to the back burner while Joomla 1.5 development takes place...

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Wed Jan 02, 2008 11:03 am
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
Well I have received two replies from 2 out of the three lead developers of Joomla.

1 reply was two words long.

1 reply stated that it would be several weeks before people would be put on this, and that it requires many changes to files and a lot of testing...

My reply:

Quote:
While I appreciate that this touches many files, why does that take weeks when it only took 4 days to patch Joomla 1.5 ?

There are a lot of people (Developers with lots of experience) that are concerned about this, and willing to help, and also to get the other major issues in Joomla 1.0.13 fixed as well - such as the admin task values issue. I don't see why this should take weeks.

The actual work I did took a few hours and can be well tested in a day or two.  Waiting weeks just to get people on the case is really not appropriate.  It has already been 4 weeks since the security vulnerability was reported (on the 4th December)

Kindest regards
Phil.


I know this thread is being closely monitored by several popular community members; this issue should be addressed NOW and not in weeks!

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Wed Jan 02, 2008 12:04 pm
Joomla! Hero

Joined: Fri Aug 19, 2005 2:23 pm
Posts: 2230
Location: The Netherlands
PhilTaylor-Prazgod wrote:
this issue should be addressed NOW and not in weeks!

I quite agree.
There are quite a few Joomla 1.0 installations out there, and quite a few who do not want to migrate to Joomla 1.5.

_________________
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl


PostPosted: Wed Jan 02, 2008 12:11 pm
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1114
Location: Weymouth, UK
I have been chatting to Andrew Eddie about this - I just managed to create a super admin account on his new live site (hehehehe) so I think I managed to get his attention :-)

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


Last edited by PhilTaylor-Prazgod on Wed Jan 02, 2008 12:26 pm, edited 1 time in total.

PostPosted: Wed Jan 02, 2008 1:06 pm
Joomla! Hero

Joined: Fri Aug 12, 2005 2:45 am
Posts: 2265
Location: Brisbane, Australia
The least you could have done was give them the link to send a bit of traffic that way :P  Anyway, yes, it's in the pipe.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Expert videos and tutorials.
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

