[HSC] Multiple CSRF in Joomla all versions - Complete compromise

Discussion regarding Joomla! security issues.

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Thu Jan 03, 2008 4:53 pm

kepper wrote: Hi Phil,
Does this fix address any XSS exploit (Like this one: http://forum.joomla.org/index.php/topic,222837.0.html)?

Thanks for the great work, guys.
-Kepper
No - but watch out for my comment in that other thread - as I have important notes to make about that reply to the initial post.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by masterchief » Thu Jan 03, 2008 9:53 pm

Ok, where are we.

I spent yesterday making some changes in the core of 1.5 to make this drop dead easy for the developers (which includes me, I like easy).  So basically in your form you put:

   


and then in your controller code you put something like this:

function mytask()
{
    // Refuse the request unless it carries the token emitted by the form helper.
    JRequest::checkToken() or die( 'Nick off' );
}

That's really neat because all the logic is encapsulated behind two API methods.  As long as you use these we can patch any more issues that arise around this type of exploit transparently at the API level (rather than changing hundreds of lines of code a second time).  Tackling exploits is not just about patching the issue - if we can make it easy to use, people will be more inclined to use it.

So, next.  I spent some time yesterday building a testing framework however am unable to get successful attacks in the wild (I can hack my local box but I'd expect to be able to do that).  Can anyone with a working "csrf.php" like file please privately send me a copy.  Hopefully there are a few and hopefully they use different techniques to try to crack the same nut (there are lots of variations you can do with headers and things).  I'm still concerned about token theft because the same code you use to "get in" also allows you to steal the token with little effort.

I'm trying to study how Drupal and actually SMF tackle this problem as well and once I'm satisfied with my test suite I'll have a go at attacking them to see if that reveals anything.

I will hopefully get time today to look at what the guys have done in 1.0 as well as look at the other exploit that was raised.  We are however going to have to make a call on what we do and don't do with 1.0 - it would not be appropriate to spend two months fixing everything that everyone wants.  I think we need to be realistic and get only the major things done in a realistic timeframe.  But as I've said before, releases on 1.0 take time because we have in the past suffered badly from shot-gun releases that have not been thoroughly tested.  We changed our procedure to involve testing and have been better for it, but it does come at a price (time).  As long as everyone is clear on that we'll be golden.

That's the best information I currently have in hand.  Will keep you all posted.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
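As an added illustration of the form-token / checkToken() pattern Andrew describes, here is a minimal synchronizer-token implementation written for this thread. It is example code, not Joomla core: the function names csrf_token_field(), csrf_check_token() and csrf_reset_token() and the field name _csrf are invented for the example, and it assumes PHP 7 or later for random_bytes() and hash_equals().

```php
<?php
// Added example, not Joomla core code: a minimal synchronizer-token
// implementation of the pattern behind Joomla 1.5's form token helper and
// JRequest::checkToken(). The names csrf_token_field(), csrf_check_token(),
// csrf_reset_token() and the field name "_csrf" are hypothetical.
// Requires PHP >= 7.0 (random_bytes, hash_equals).

if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Emit the hidden field that goes inside every state-changing form.
// The token lives in the server-side session, so a page on another origin
// cannot read it; it only comes back from forms this site rendered itself.
function csrf_token_field(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256 bits from the CSPRNG
    }
    $value = htmlspecialchars($_SESSION['csrf_token'], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $value . '" />';
}

// Verify the token on a state-changing request. Returns true only for a POST
// whose _csrf field matches the session token byte for byte.
function csrf_check_token(array $request, string $method = 'POST'): bool
{
    if ($method !== 'POST') {
        return false;                        // state changes never ride on GET
    }
    $expected = $_SESSION['csrf_token'] ?? '';
    $given    = $request['_csrf'] ?? '';
    if ($expected === '' || !is_string($given)) {
        return false;                        // no token issued yet, or field is not a scalar
    }
    return hash_equals($expected, $given);   // constant-time comparison
}

// Drop the token when the admin session ends (logout, idle timeout), so a
// token captured earlier is useless afterwards.
function csrf_reset_token(): void
{
    unset($_SESSION['csrf_token']);
}

// Controller usage, mirroring the mytask() snippet in the post above.
function mytask(): void
{
    csrf_check_token($_POST, $_SERVER['REQUEST_METHOD'] ?? 'GET') or die('Nick off');
    // ... perform the state change here ...
}

// Command-line self-check (php csrf_example.php): simulate a form we rendered,
// a request from a foreign origin that cannot know the token, a GET, and a guess.
if (PHP_SAPI === 'cli') {
    preg_match('/value="([0-9a-f]{64})"/', csrf_token_field(), $m);
    $ours = ['_csrf' => $m[1]];
    printf("own form, POST:      %s\n", var_export(csrf_check_token($ours, 'POST'), true));
    printf("no token, POST:      %s\n", var_export(csrf_check_token([], 'POST'), true));
    printf("own token, GET:      %s\n", var_export(csrf_check_token($ours, 'GET'), true));
    printf("guessed token, POST: %s\n", var_export(csrf_check_token(['_csrf' => str_repeat('0', 64)], 'POST'), true));
    csrf_reset_token();
    printf("after reset, POST:   %s\n", var_export(csrf_check_token($ours, 'POST'), true));
}
```

The token only helps when every state-changing action checks it and the server refuses to change state on GET; a request forged from another site carries the victim's cookies (and any .htaccess credentials the browser has cached) but cannot carry the session token, which is exactly what the check exploits. It does not defend against script already running inside the admin pages, which can read the token, so it is a CSRF defence, not an XSS defence.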

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Thu Jan 03, 2008 10:04 pm

it would not be appropriate to spend two months fixing everything that everyone wants.  I think we need to be realistic and get only the major things done in a realistic timeframe.  But as I've said before, releases on 1.0 take time because we have in the past suffered badly from shot-gun releases that have not been thoroughly tested.  We changed our procedure to involve testing and have been better for it, but it does come at a price (time).  As long as everyone is clear on that we'll be golden.
I totally agree - however this statement from a lead developer is 4 weeks overdue and still only in a deep nested forum somewhere and only after someone made a fuss about it. 

The point I keep trying to make is this conversation and active approach to a solution should have been started 4 weeks ago immediately after the vulnerability was reported - and not 4 weeks later only after someone made a fuss about it!

I have been asked how long this (the silence and non-action) would have continued if I had not contacted Andrew/Louis/Johan ???
Last edited by PhilTaylor-Prazgod on Thu Jan 03, 2008 10:14 pm, edited 1 time in total.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by masterchief » Thu Jan 03, 2008 10:13 pm

Phil, we have different perspectives looking in and looking out - let's leave it at that because we'll waste time arguing our side of the fence till the cows come home.  For now I just want to research the problem more (because it's a nasty can of worms to open) and work the problem at hand.  I've given everyone all the information I know - that's the best I can do at the moment.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Thu Jan 03, 2008 10:16 pm

Well I'm glad you are on the case - that is always good to know. We do go back a long time now and I hate arguing with you - especially as we are really on the same side  :P
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

musiczineguy
Joomla! Enthusiast
Posts: 200
Joined: Sat Nov 11, 2006 5:01 am
Location: East Greenbush, NY

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by musiczineguy » Thu Jan 03, 2008 10:46 pm

masterchief wrote: We are however going to have to make a call on what we do and don't do with 1.0 - it would not be appropriate to spend two months fixing everything that everything wants.  I think we need to be realistic and get only the major things done in a realistic timeframe.
Thank you for the update Masterchief.  It is indeed comforting to know that this is being worked on.  You will likely get some flak from a few people about your comment quoted above, but you're right.  With the new version looming, adding window dressing right now doesn't make a lot of sense.  But we who have invested our own time and effort in learning the ropes and fervently supporting Joomla -- and those of us who want to continue to do so going forward -- need to be comfortable in the knowledge that we won't be left out in the cold when something bad happens.  Until you can safely say that it's time to deprecate 1.0, security holes MUST be patched.  One really bad black eye could quickly undo much if not all the work and goodwill that has gone into making Joomla the respected, secure platform it is.

Way too many times in my career I have seen people and organizations pay ridiculous amounts of money only to get screwed to the wall by the company they paid for the privilege.  Rational folks realize that Joomla is open source and there's not a nice, fat developers' payroll to dangle over your heads to get the job done faster.  We just don't want to be forgotten and left behind for the next big, twinkly object.

Thank you again for what you are doing!

aravot
Joomla! Ace
Posts: 1015
Joined: Thu Aug 18, 2005 1:16 am
Location: Glendale, CA, USA

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by aravot » Fri Jan 04, 2008 6:34 am

cariboo wrote: It's all that damn trouble maker Phil Taylor's fault!
Not Cool

avalon
Joomla! Apprentice
Posts: 11
Joined: Tue Jan 03, 2006 10:41 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by avalon » Fri Jan 04, 2008 12:54 pm

I would just like to add my praise to Zinho and Phil for banging the drum on this one.  It's pretty sad that I'm subscribed to various news and security advisories on joomla.org yet the first I heard of this vulnerability was on the forums for SMF. >:(

I feel that the Joomla Core Team should take the rose tinted glasses off and look at Joomla use in the real world.  The vast majority of Joomla users are using 1.0.x in production websites.  No-one would argue there are vastly more instances of 1.0.x likely to be hurt by such a vulnerability than there are of 1.5x.  Why then was priority given to patching a pre release version when anyone could see that devoting the resources to patch 1.0.x within 4 days of discovery would be of far greater benefit to the wider community?

Even if 1.5 were released tomorrow it would be many months before I could risk a switch as I'd have to convert & re-template.  I hope we see a 1.0.14 release soon with the security patches and bug fixes as a thank you to the vast bulk of loyal Joomla users out there not able to be at the cutting edge with 1.5x.

k0nan
Joomla! Intern
Posts: 54
Joined: Fri Apr 13, 2007 2:24 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by k0nan » Fri Jan 04, 2008 1:47 pm

avalon wrote: Why then was priority given to patching a pre release version when anyone could see that devoting the resources to patch 1.0.x within 4 days of discovery would be of far greater benefit to the wider community?
That's the point  :pop

shumisha
Joomla! Guru
Posts: 520
Joined: Sat Aug 20, 2005 3:15 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by shumisha » Fri Jan 04, 2008 2:09 pm

Hi All,

I think at this stage everyone is aware that there are a few dozen J! 1.5 sites and a few million J! 1.0.x sites. It appears that from our (1.0.x users) standpoint, developers have focused a bit too much on getting 1.5 out of the door and did not do anything about 1.0.x. Maybe they thought the probability this vulnerability could be used was really low, or something else.

Kudos to Zinho for finding out and handling the case as he should have. Kudos to Phil for waking things up.

I understand core team, represented by Masterchief, is now handling the case properly, after Phil "got their attention", and I see no point in adding post after post saying : "you should have done this, you should have done that,...".

I too cast my vote for a proper 1.0.14 with all required security fixes AND main bug fixes as well. In the next 6 or more months, tens of thousands of new J! 1.0.x sites will hit the net, as J! 1.5 cannot be used due to lack of some features (multi-language, specific extensions,...) so I think it only fair to provide a really stable "last" version in the 1.0.x branch to replace 1.0.13.

Let's leave them alone for a while and wait for the outcome. Or even better, assist if we can.

Regards
4SEO, all-in-one SEO extension for Joomla 3 & 4 - https://weeblr.com
I don't reply to PM anymore. Thanks for using 4SEO and wbAMP

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Fri Jan 04, 2008 2:19 pm

All the fixes - and more - are now in SVN for anyone to download prior to an official release.

Andrew Eddie has done fantastic work on this in less than 2 days since "got [his] attention" - which is testament to the fact it doesn't take ages once someone with brains (and svn write access) is on the case.

Andrew has also fixed the XSS in com_search and many other bugs already in preparation for the next Joomla 1.0.x release.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

k0nan
Joomla! Intern
Posts: 54
Joined: Fri Apr 13, 2007 2:24 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by k0nan » Fri Jan 04, 2008 2:59 pm

FIRST: thanks to everybody who has reported the problem(s) and to the dev team that has fixed these holes. open source power :)

SECOND: shumisha you are right, maybe a solution is to involve more users in this kind of discussion.
the happenings of these days may have let some users think that there are other security fixes not applied in 1.0.x.
what if there are other security holes fixed only in 1.5 and not on 1.0.x ? i hope this is not the case, but this is also a "marketing" problem (1420 views for this thread)

best regards to everybody

ilox
Joomla! Explorer
Posts: 444
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by ilox » Fri Jan 04, 2008 3:19 pm

PhilTaylor-Prazgod wrote: All the fixes - and more - are now in SVN for anyone to download prior to an official release.
That is just great news Phil. Many thanks for going out on a limb. Maybe we should be calling you Taylor The Turtle? (1)
Andrew Eddie has done fantastic work on this in less than 2 days
Well done Andrew, you have really helped us out in a big way.
...in preparation for the next Joomla 1.0.x release.
Oh if only it comes about. That will be a big step forward.
Yes, I am looking at 1.5, but it will still be about 6 months before I am likely to be planning/budgeting in the time to do the switch over.

(1) There is an old story that the turtle never makes progress 'till he sticks his neck out ;)
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life

avalon
Joomla! Apprentice
Posts: 11
Joined: Tue Jan 03, 2006 10:41 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by avalon » Fri Jan 04, 2008 4:03 pm

PhilTaylor-Prazgod wrote: All the fixes - and more - are now in SVN for anyone to download prior to an official release.

Andrew Eddie has done fantastic work on this in less than 2 days since "got [his] attention" - which is testament to the fact it doesn't take ages once someone with brains (and svn write access) is on the case.

Andrew has also fixed the XSS in com_search and many other bugs already in preparation for the next Joomla 1.0.x release.

Thanks to Andrew for pulling the stops out to get the codebase fixed.  I'm hoping a 1.0.14 release happens very soon for the sake of all those who install Joomla via a Fantastico style option provided by their hosting provider, or who aren't comfortable manually patching their current installs via SVN releases.

genamex
Joomla! Apprentice
Posts: 5
Joined: Tue Aug 14, 2007 9:00 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by genamex » Fri Jan 04, 2008 4:15 pm

PhilTaylor-Prazgod wrote: All the fixes - and more - are now in SVN for anyone to download prior to an official release.

Andrew has also fixed the XSS in com_search and many other bugs already in preparation for the next Joomla 1.0.x release.
Hi Phil,
I'm VERY new to Joomla. My apologies, but could you explain step by step how to apply this patch? or how to get to the SVN to download it?

Yes... I am THAT new to Joomla. :)

Thanks for all you guys' hard work!
Perfection is the sum of all right measurements multiplied by each alignment divided by both sides of my brain.

aravot
Joomla! Ace
Posts: 1015
Joined: Thu Aug 18, 2005 1:16 am
Location: Glendale, CA, USA

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by aravot » Fri Jan 04, 2008 6:02 pm

shumisha wrote: I too cast my vote for a proper 1.0.14 with all required security fixes AND main bug fixes as well. In the next 6 or more months, tens of thousands of new J! 1.0.x sites will hit the net, as J! 1.5 cannot be used due to lack of some features (multi-language, specific extensions,...) so I think it only fair to provide a really stable "last" version in the 1.0.x branch to replace 1.0.13.
I agree, and if any of the core members are reading this please add the fixes made by Beat when there used to be a Q&T board (I know I should have saved those).

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by masterchief » Fri Jan 04, 2008 9:15 pm

aravot wrote: I agree, and if any of the core members are reading this please add the fixes made by Beat when there used to be a Q&T board (I know I should have saved those).
I *really really* need to stress how important it is for people to get into the habit of using the bug tracker(s) for 1.0 and 1.5.  I have no problem with newbies using the forum and stuff but a lot of you old-timers know the score and can help out in this way.  Certainly discuss the "is anyone else having this issue too" problems but once you are sure, log it.  When you do we are actually able to correlate what commits relate to what fix - we can't do it as well with forum posts.

I, and others, have dozens of posts to go through each day from many threads on this forum and it's impossible to correctly track patches properly - we do our best but stuff still gets lost.  If good reports are on the tracker this helps us greatly to keep track of things.  Thanks in advance.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

aravot
Joomla! Ace
Posts: 1015
Joined: Thu Aug 18, 2005 1:16 am
Location: Glendale, CA, USA

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by aravot » Fri Jan 04, 2008 9:18 pm

Will do, however that was posted in Q&T board and we were told not to discuss private info outside of the board (now that the board is not there I don't think it matters).

Tonie
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by Tonie » Fri Jan 04, 2008 10:06 pm

* Tonie is not sure if he found it, sends link to Andrew

lenamtl
Joomla! Enthusiast
Posts: 238
Joined: Sun Aug 28, 2005 5:10 pm
Location: Montréal,Qc

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by lenamtl » Sat Jan 05, 2008 5:15 pm

Hi,

If the admin part is .htaccess protected, is it going to stop the account creation by the hacker?

Is there a quick fix to protect the old version (patch), just to give us time to update and secure the site?

I know that we should update every time, but for a lot of reasons:

component compatibility often needs to be updated when there is a new Joomla version, plus custom code, language files...
for a webmaster that creates Joomla sites for customers, how many hours will he need to spend to fix everything every time there is a security hole?

Anyway, if there is a way to fix the oldest 1.0 version without updating to a new version, please give us the walkthrough.

Thanks
Last edited by lenamtl on Sat Jan 05, 2008 6:20 pm, edited 1 time in total.
Lenamtl

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Sat Jan 05, 2008 6:12 pm

lenamtl wrote: Hi,

If the admin part is .htaccess protected, is it going to stop the account creation by the hacker?
No - because if YOU are logged into your admin console then YOU have already supplied your htaccess credentials and the CSRF vulnerability will use those credentials when accessing your site.  htaccess is not the answer.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

cariboo
I've been banned!
Posts: 35
Joined: Wed Jan 02, 2008 9:52 am

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by cariboo » Sat Jan 05, 2008 7:51 pm

PhilTaylor-Prazgod wrote:
lenamtl wrote: Hi,

If the admin part is .htaccess protected, is it going to stop the account creation by the hacker?
No - because if YOU are logged into your admin console then YOU have already supplied your htaccess credentials and the CSRF vulnerability will use those credentials when accessing your site.  htaccess is not the answer.
wouldn't selectable CAPTCHA really be the only true solution?
I mean, if you have XSS at work, then even tokens wouldn't work, since the script would be requesting tokens in your context?

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Sat Jan 05, 2008 8:00 pm

wouldn't selectable CAPTCHA really be the only true solution?
I mean, if you have XSS at work, then even tokens wouldn't work, since the script would be requesting tokens in your context?
Firstly this is not an XSS but is a CSRF - there are technical differences between these terms.

Captcha would indeed be a solution to this issue.  HOWEVER it would mean that for EVERY request (EVERY request, like EVERY CLICK in Joomla Admin) you would need to complete a CAPTCHA test - VERY unusable and therefore not going to happen !

Also captcha can be broken up to 92% of the time.

A CSRF is able to "request tokens in your context" if it is very clever, and it would have to be VERY VERY clever to request, process, use and abuse your token - but it can happen.  The patches employed by Andrew and his team do in fact make it MUCH MORE difficult to launch a CSRF against the Joomla Admin Console; however Andrew is the first to admit that a very knowledgeable hacker with great patience and great skill can indeed get around this.  It's not foolproof, but it makes it millions of times harder to exploit.

Phil.
Last edited by PhilTaylor-Prazgod on Sat Jan 05, 2008 8:13 pm, edited 1 time in total.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

lenamtl
Joomla! Enthusiast
Posts: 238
Joined: Sun Aug 28, 2005 5:10 pm
Location: Montréal,Qc

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by lenamtl » Sat Jan 05, 2008 9:36 pm

Hi,

Is there a way to limit the maximum number of superadmin & admin user accounts that can be created?

So if the limit is reached nobody will be able to create a new admin account.

Is it making sense?
Lenamtl

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Sat Jan 05, 2008 9:38 pm

lenamtl wrote: Hi,

Is there a way to limit the maximum number of superadmin & admin user accounts that can be created?

So if the limit is reached nobody will be able to create a new admin account.

Is it making sense?
That is currently not a feature of Joomla 1.0.13 or Joomla 1.5 (SVN), although it is a good suggestion.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by masterchief » Sat Jan 05, 2008 9:47 pm

Just a quick update.  As Phil suggests we've gone as far as we can without introducing Captcha to the backend.  Basically we've done as much as, for example, Drupal or SMF do in their forms.

The next step is really just raising the awareness of this type of issue (which is not unique to Joomla!).  It's not a good idea to remain logged into your administrator panel.  It's possibly even a good idea to use a different browser for your admin work.

For the record I have notified Mambo of this issue, given its severity and I know some of our community have to maintain both CMSs, and offered assistance if they need it.  Others possibly have already because the reports get switched to private pretty quickly so I'm guessing someone is working on it over in their camp.

Finally and again I do want to thank those who have contributed brain power to solving this.  We got off to a rough start but I think we've come out with a good result in the end.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

masterchief
Joomla! Hero
Posts: 2247
Joined: Fri Aug 12, 2005 2:45 am
Location: Brisbane, Australia

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by masterchief » Sat Jan 05, 2008 9:49 pm

lenamtl wrote: Hi,

Is there a way to limit the maximum number of superadmin & admin user accounts that can be created?

So if the limit is reached nobody will be able to create a new admin account.

Is it making sense?
We'll be calling for white papers soon on what the community wants in 1.6.  This would make a good topic for one if a few people wanted to work the details and expand on that idea.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Sat Jan 05, 2008 10:04 pm

Everyone:

Here is a 100% foolproof way to protect yourself from CSRF

http://blog.phil-taylor.com/2008/01/05/ ... mla-safer/

:pop
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/

k0nan
Joomla! Intern
Posts: 54
Joined: Fri Apr 13, 2007 2:24 pm

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by k0nan » Sun Jan 06, 2008 1:21 pm

Is it efficient against the CSRF vulnerability to have the backend connection under https, instead of http ?

regards

PhilTaylor-Prazgod
Joomla! Ace
Posts: 1402
Joined: Sat Aug 20, 2005 12:32 pm
Location: Jersey, Channel Islands

Re: [HSC] Multiple CSRF in Joomla all versions - Complete compromise

Post by PhilTaylor-Prazgod » Sun Jan 06, 2008 1:23 pm

k0nan wrote: Is it efficient against the CSRF vulnerability to have the backend connection under https, instead of http ?

regards
No - this will not protect you.
Phil Taylor
- https://mySites.guru - Manage Multiple Joomla/WordPress Sites In One Dashboard for Security, Audits, Backups and more....
- https://www.phil-taylor.com/
