The Joomla! Forum ™



PostPosted: Thu Jan 03, 2008 4:53 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
kepper wrote:
Hi Phil,
Does this fix address any XSS exploit (Like this one: http://forum.joomla.org/index.php/topic,222837.0.html)?

Thanks for the great work, guys.
-Kepper


No - but watch out for my comment in that other thread - as I have important notes to make about that reply to the initial post.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Thu Jan 03, 2008 9:53 pm 
Joomla! Hero

Joined: Fri Aug 12, 2005 2:45 am
Posts: 2281
Location: Brisbane, Australia
Ok, where are we.

I spent yesterday making some changes in the core of 1.5 to make this drop dead easy for the developers (which includes me, I like easy).  So basically in your form you put:

   


and then in your controller code you put something like this:

function mytask()
{
    // Abort the task unless the request carries the session's form token
    JRequest::checkToken() or die( 'Nick off' );
}

That's really neat because all the logic is encapsulated behind two API methods.  As long as you use these we can patch any more issues that rise around this type of exploit transparently at the API level (rather than changing hundreds of lines of code a second time).  Tackling exploits is not just about patching the issue - if we can make it easy to use, people will be more inclined to use it.

So, next.  I spent some time yesterday building a testing framework however am unable to get successful attacks in the wild (I can hack my local box but I'd expect to be able to do that).  Can anyone with a working "csrf.php" like file please privately send me a copy.  Hopefully there are a few and hopefully they use different techniques to try to crack the same nut (there are lots of variations you can do with headers and things).  I'm still concerned about token theft because the same code you use to "get in" also allows you to steal the token with little effort.

I'm trying to study how Drupal and actually SMF tackle this problem as well and once I'm satisfied with my test suite I'll have a go at attacking them to see if that reveals anything.

I will hopefully get time today to look at what the guys have done in 1.0 as well as look at the other exploit that was raised.  We are however going to have to make a call on what we do and don't do with 1.0 - it would not be appropriate to spend two months fixing everything that everything wants.  I think we need to be realistic and get only the major things done in a realistic timeframe.  But as I've said before, releases on 1.0 take time because we have in the past suffered badly from shot-gun releases that have not been thoroughly tested.  We changed our procedure to involve testing and have been better for it, but it does come at a price (time).  As long as everyone is clear on that we'll be golden.

That's the best information I currently have in hand.  Will keep you all posted.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Expert videos and tutorials.
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
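An added example (not Joomla's code and not from this post) of the synchronizer-token pattern those two API calls hide: a session-bound token is emitted as a hidden form field, and a task refuses to run unless the submitted value matches it. The helper names, the field name csrf_token and the array standing in for $_SESSION are this example's own assumptions; it runs stand-alone on PHP 7 or later.

```php
<?php
// Added example, not Joomla's code: the synchronizer-token pattern that the
// post's two API calls (the form token helper and JRequest::checkToken())
// encapsulate, reduced to stand-alone PHP 7+ that runs from the CLI.
// Session storage is a plain array instead of $_SESSION, and every helper
// and field name below is this example's own, not a Joomla identifier.

declare(strict_types=1);

const TOKEN_FIELD = 'csrf_token'; // hypothetical hidden-field name

// Return the session's token, minting it on first use. The token lives in
// the server-side session, so a page on another origin that triggers a
// request from the victim's browser never gets to read it: the browser
// attaches cookies automatically, but not the contents of our HTML.
function csrfToken(array &$session): string
{
    if (!isset($session[TOKEN_FIELD])) {
        $session[TOKEN_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[TOKEN_FIELD];
}

// What a form helper would emit inside <form>: the token as a hidden field.
function csrfHiddenField(array &$session): string
{
    $value = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . TOKEN_FIELD . '" value="' . $value . '" />';
}

// The check a controller task runs first: accept only if the request carries
// the session's token. hash_equals() keeps the comparison constant-time so
// the token cannot be recovered byte by byte from response timing.
function csrfCheck(array $session, array $request): bool
{
    if (!isset($session[TOKEN_FIELD]) || !isset($request[TOKEN_FIELD])) {
        return false;
    }
    return hash_equals($session[TOKEN_FIELD], (string) $request[TOKEN_FIELD]);
}

// A task in the style of the post's mytask(): refuse before doing anything.
function createUserTask(array $session, array $request): string
{
    if (!csrfCheck($session, $request)) {
        return 'rejected: missing or invalid token';
    }
    return 'created user ' . ($request['username'] ?? '?');
}

// Constructed walk-through. One session stands for the logged-in admin; all
// three requests arrive with that session because the browser sends the
// session cookie regardless of which page caused the request.
$session = [];
echo csrfHiddenField($session), "\n";

// 1. The admin submits the form that carried the hidden field.
$own = ['username' => 'editor', TOKEN_FIELD => csrfToken($session)];
echo createUserTask($session, $own), "\n";

// 2. A forged request from another page: cookie yes, token no.
$forged = ['username' => 'intruder'];
echo createUserTask($session, $forged), "\n";

// 3. A forged request guessing the field: wrong value, still rejected.
$guessed = ['username' => 'intruder', TOKEN_FIELD => str_repeat('0', 64)];
echo createUserTask($session, $guessed), "\n";
```

The token is the one value the browser does not supply on its own, which is why credentials it sends automatically (session cookies, HTTP Basic auth) and transport encryption do not substitute for it. The pattern defends against CSRF only: a script already running on the site's own origin can read the hidden field, which is the token-theft concern the post raises, so token checks complement, rather than replace, fixing script injection.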


PostPosted: Thu Jan 03, 2008 10:04 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
Quote:
it would not be appropriate to spend two months fixing everything that everything wants.  I think we need to be realistic and get only the major things done in a realistic timeframe.  But as I've said before, releases on 1.0 take time because we have in the past suffered badly from shot-gun releases that have not been thoroughly tested.  We changed our procedure to involve testing and have been better for it, but it does come at a price (time).  As long as everyone is clear on that we'll be golden.


I totally agree - however this statement from a lead developer is 4 weeks overdue and still only in a deep nested forum somewhere and only after someone made a fuss about it. 

The point I keep trying to make is this conversation and active approach to a solution should have been started 4 weeks ago immediately after the vulnerability was reported - and not 4 weeks later only after someone made a fuss about it!

I have been asked how long this (the silence and non-action) would have continued if I had not contacted Andrew/Louis/Johan???

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


Last edited by PhilTaylor-Prazgod on Thu Jan 03, 2008 10:14 pm, edited 1 time in total.

PostPosted: Thu Jan 03, 2008 10:13 pm 
Joomla! Hero

Joined: Fri Aug 12, 2005 2:45 am
Posts: 2281
Location: Brisbane, Australia
Phil, we have different perspectives looking in and looking out - let's leave it at that because we'll waste time arguing our side of the fence till the cows come home.  For now I just want to research the problem more (because it's a nasty can of worms to open) and work the problem at hand.  I've given everyone all the information I know - that's the best I can do at the moment.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Expert videos and tutorials.
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


PostPosted: Thu Jan 03, 2008 10:16 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
Well I'm glad you are on the case - that is always good to know. We do go back a long time now and I hate arguing with you - especially as we are really on the same side  :P

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Thu Jan 03, 2008 10:46 pm 
Joomla! Enthusiast

Joined: Sat Nov 11, 2006 5:01 am
Posts: 190
Location: Latham, NY
masterchief wrote:
We are however going to have to make a call on what we do and don't do with 1.0 - it would not be appropriate to spend two months fixing everything that everything wants.  I think we need to be realistic and get only the major things done in a realistic timeframe.


Thank you for the update Masterchief..  It is indeed comforting to know that this is being worked on.  You will likely get some flak from a few people about your comment quoted above, but you're right.. With the new version looming, adding window dressing right now doesn't make a lot of sense.  But we who have invested our own time and effort in learning the ropes and fervently supporting Joomla -- and those of us who want to continue to do so going forward -- need to be comfortable in the knowledge that we won't be left out in the cold when something bad happens.  Until you can safely say that it's time to deprecate 1.0, security holes MUST be patched.  One really bad black eye could quickly undo much if not all the work and goodwill that has gone into making Joomla the respected, secure platform it is.

Way too many times in my career I have seen people and organizations pay ridiculous amounts of money only to get screwed to the wall by the company they paid for the privilege.  Rational folks realize that Joomla is open source and there's not a nice, fat developers' payroll to dangle over your heads to get the job done faster.  We just don't want to be forgotten and left behind for the next big, twinkly object.

Thank you again for what you are doing!


PostPosted: Fri Jan 04, 2008 6:34 am 
Joomla! Ace

Joined: Thu Aug 18, 2005 1:16 am
Posts: 1015
Location: Glendale, CA, USA
cariboo wrote:
It's all that damn troublemaker Phil Taylor's fault!


Not Cool

_________________
http://www.virtueshop.net


PostPosted: Fri Jan 04, 2008 12:54 pm 
Joomla! Apprentice

Joined: Tue Jan 03, 2006 10:41 pm
Posts: 11
I would just like to add my praise to Zinho and Phil for banging the drum on this one.  It's pretty sad that I'm subscribed to various news and security advisories on joomla.org yet the first I heard of this vulnerability was on the forums for SMF. >:(

I feel that the Joomla Core Team should take the rose tinted glasses off and look at Joomla use in the real world.  The vast majority of Joomla users are using 1.0.x in production websites.  No-one would argue there are vastly more instances of 1.0.x likely to be hurt by such a vulnerability than there are of 1.5x.  Why then was priority given to patching a pre release version when anyone could see that devoting the resources to patch 1.0.x within 4 days of discovery would be of far greater benefit to the wider community?

Even if 1.5 were released tomorrow it would be many months before I could risk a switch as I'd have to convert & re-template.  I hope we see a 1.0.14 release soon with the security patches and bug fixes as a thank you to the vast bulk of loyal Joomla users out there not able to be at the cutting edge with 1.5x.


PostPosted: Fri Jan 04, 2008 1:47 pm 
Joomla! Intern

Joined: Fri Apr 13, 2007 2:24 pm
Posts: 54
avalon wrote:
Why then was priority given to patching a pre release version when anyone could see that devoting the resources to patch 1.0.x within 4 days of discovery would be of far greater benefit to the wider community?


That's the point  :pop


PostPosted: Fri Jan 04, 2008 2:09 pm 
Joomla! Guru

Joined: Sat Aug 20, 2005 3:15 pm
Posts: 508
Hi All,

I think at this stage everyone is aware that there are a few dozen J! 1.5 sites and a few million J! 1.0.x sites. It appears that from our (1.0.x users) standpoint, developers have focused a bit too much on getting 1.5 out of the door and did not do anything about 1.0.x. Maybe they thought the probability that this vulnerability could be used was really low, or something else.

Kudos to Zinho for finding out and handling the case as he should have. Kudos to Phil for waking things up.

I understand the core team, represented by Masterchief, is now handling the case properly, after Phil "got their attention", and I see no point in adding post after post saying: "you should have done this, you should have done that, ...".

I too cast my vote for a proper 1.0.14 with all required security fixes AND main bug fixes as well. In the next 6 or more months, tens of thousands of new J! 1.0.x sites will hit the net, as J! 1.5 cannot be used due to lack of some features (multi-language, specific extensions, ...), so I think it only fair to provide a really stable "last" version in the 1.0.x branch to replace 1.0.13.

Let's leave them alone for a while and wait for the outcome. Or even better, assist if we can.

Regards

_________________
See all about sh404sef at http://dev.anything-digital.com/
I don't reply to PM anymore. Thanks for using sh404SEF


PostPosted: Fri Jan 04, 2008 2:19 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
All the fixes - and more - are now in SVN for anyone to download prior to an official release.

Andrew Eddie has done fantastic work on this in less than 2 days since "got [his] attention" - which is testament to the fact it doesn't take ages once someone with brains (and svn write access) is on the case.

Andrew has also fixed the XSS in com_search and many other bugs already in preparation for the next Joomla 1.0.x release.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Fri Jan 04, 2008 2:59 pm 
Joomla! Intern

Joined: Fri Apr 13, 2007 2:24 pm
Posts: 54
FIRST: thanks to everybody who has reported the problem(s) and to the dev team that has fixed these holes. Open source power :)

SECOND: sumisha, you are right, maybe a solution is to involve more users in this kind of discussion.
The happenings of these days may have let some users think that there are other security fixes not applied in 1.0.x.
What if there are other security holes fixed only in 1.5 and not in 1.0.x? I hope this is not the case, but this is also a "marketing" problem (1420 views for this thread).

best regards to everybody


PostPosted: Fri Jan 04, 2008 3:19 pm 
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 438
Location: Adelaide, South Australia
PhilTaylor-Prazgod wrote:
All the fixes - and more - are now in SVN for anyone to download prior to an official release.
That is just great news Phil. Many thanks for going out on a limb. Maybe we should be calling you Taylor The Turtle? (1)
Quote:
Andrew Eddie has done fantastic work on this in less than 2 days
Well done Andrew, you have really helped us out in a big way.
Quote:
...in preparation for the next Joomla 1.0.x release.
Oh if only it comes about. That will be a big step forward.
Yes, I am looking at 1.5, but it will still be about 6 months before I am likely to be planning/budgeting in the time to do the switch over.

(1) There is an old story that the turtle never makes progress 'till he sticks his neck out ;)

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


PostPosted: Fri Jan 04, 2008 4:03 pm 
Joomla! Apprentice

Joined: Tue Jan 03, 2006 10:41 pm
Posts: 11
PhilTaylor-Prazgod wrote:
All the fixes - and more - are now in SVN for anyone to download prior to an official release.

Andrew Eddie has done fantastic work on this in less than 2 days since "got [his] attention" - which is testament to the fact it doesn't take ages once someone with brains (and svn write access) is on the case.

Andrew has also fixed the XSS in com_search and many other bugs already in preparation for the next Joomla 1.0.x release.




Thanks to Andrew for pulling the stops out to get the codebase fixed.  I'm hoping a 1.0.14 release happens very soon for the sake of all those who install Joomla via a Fantastico style option provided by their hosting provider, or who aren't comfortable manually patching their current installs via SVN releases.


PostPosted: Fri Jan 04, 2008 4:15 pm 
Joomla! Apprentice

Joined: Tue Aug 14, 2007 9:00 pm
Posts: 5
PhilTaylor-Prazgod wrote:
All the fixes - and more - are now in SVN for anyone to download prior to an official release.

Andrew has also fixed the XSS in com_search and many other bugs already in preparation for the next Joomla 1.0.x release.


Hi Phil,
I'm VERY new to Joomla. My apologies, but could you explain step by step how to apply this patch? or how to get to the SVN to download it?

Yes... I am THAT new to Joomla. :)

Thanks for all you guys' hard work!

_________________
Perfection is the sum of all right measurements multiplied by each alignment divided by both sides of my brain.


PostPosted: Fri Jan 04, 2008 6:02 pm 
Joomla! Ace

Joined: Thu Aug 18, 2005 1:16 am
Posts: 1015
Location: Glendale, CA, USA
shumisha wrote:
I too cast my vote for a proper 1.0.14 with all required security fixes AND main bug fixes as well. In the next 6 or more months, tens of thousands of new J! 1.0.x sites will hit the net, as J! 1.5 cannot be used due to lack of some features (multi-language, specific extensions, ...), so I think it only fair to provide a really stable "last" version in the 1.0.x branch to replace 1.0.13.


I agree, and if any of the core members are reading this please add the fixes made by Beat when there used to be a Q&T board (I know I should have saved those).

_________________
http://www.virtueshop.net


PostPosted: Fri Jan 04, 2008 9:15 pm 
Joomla! Hero

Joined: Fri Aug 12, 2005 2:45 am
Posts: 2281
Location: Brisbane, Australia
aravot wrote:
I agree, and if any of the core members are reading this please add the fixes made by Beat when there used to be a Q&T board (I know I should have saved those).

I *really really* need to stress how important it is for people to get into the habit of using the bug tracker(s) for 1.0 and 1.5.  I have no problem with newbies using the forum and stuff but a lot of you old-timers know the score and can help out in this way.  Certainly discuss the "is anyone else having this issue too" problems but once you are sure, log it.  When you do we are actually able to correlate what commits relate to what fix - we can't do it as well with forum posts.

I, and others, have dozens of posts to go through each day from many threads on this forum and it's impossible to correctly track patches properly - we do our best but stuff still gets lost.  If good reports are on the tracker this helps us greatly to keep track of things.  Thanks in advance.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Expert videos and tutorials.
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


PostPosted: Fri Jan 04, 2008 9:18 pm 
Joomla! Ace

Joined: Thu Aug 18, 2005 1:16 am
Posts: 1015
Location: Glendale, CA, USA
Will do, however that was posted in Q&T board and we were told not to discuss private info outside of the board (now that the board is not there I don't think it matters).

_________________
http://www.virtueshop.net


PostPosted: Fri Jan 04, 2008 10:06 pm 
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16547
* Tonie is not sure if he found it, sends link to Andrew

_________________
Joomla forum global moderator.

Have fun


PostPosted: Sat Jan 05, 2008 5:15 pm 
Joomla! Enthusiast

Joined: Sun Aug 28, 2005 5:10 pm
Posts: 238
Location: Montréal,Qc
Hi,

If the admin part is .htaccess-protected, is it going to stop the account creation by the hacker?

Is there a quick fix (patch) to protect old versions, just to give us time to update and secure the site?

I know that we should update every time, but for a lot of reasons:

Component compatibility often needs to be updated with a new Joomla version, as do custom code, language files...
For a webmaster who creates Joomla sites for customers, how many hours will he need to spend fixing everything every time there is a security hole?

Anyway, if there is a way to fix older 1.0 versions without updating to a new version, please give us the walkthrough.

Thanks

_________________
Lenamtl


Last edited by lenamtl on Sat Jan 05, 2008 6:20 pm, edited 1 time in total.

PostPosted: Sat Jan 05, 2008 6:12 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
lenamtl wrote:
Hi,

If the admin part is .htaccess-protected, is it going to stop the account creation by the hacker?



No - because if YOU are logged into your admin console then YOU have already supplied your htaccess credentials and the CSRF vulnerability will use those credentials when accessing your site.  htaccess is not the answer.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Sat Jan 05, 2008 7:51 pm 
I've been banned!

Joined: Wed Jan 02, 2008 9:52 am
Posts: 35
PhilTaylor-Prazgod wrote:
lenamtl wrote:
Hi,

If the admin part is .htaccess-protected, is it going to stop the account creation by the hacker?



No - because if YOU are logged into your admin console then YOU have already supplied your htaccess credentials and the CSRF vulnerability will use those credentials when accessing your site.  htaccess is not the answer.


Wouldn't a selectable CAPTCHA really be the only true solution?
I mean, if you have XSS at work, then even tokens wouldn't work, since the script would be requesting tokens in your context?


PostPosted: Sat Jan 05, 2008 8:00 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
Quote:
Wouldn't a selectable CAPTCHA really be the only true solution?
I mean, if you have XSS at work, then even tokens wouldn't work, since the script would be requesting tokens in your context?


Firstly this is not an XSS but a CSRF - there are technical differences between these terms.

Captcha would indeed be a solution to this issue.  HOWEVER it would mean that for EVERY request (EVERY request, like EVERY CLICK in Joomla Admin) you would need to complete a CAPTCHA test - VERY unusable and therefore not going to happen !

Also CAPTCHA can be broken up to 92% of the time.

A CSRF is able to "request tokens in your context" if it is very clever, and it would have to be VERY VERY clever to request, process, use and abuse your token - but it can happen - the patches employed by Andrew and his team do in fact make it MUCH MORE difficult to launch a CSRF against the Joomla Admin Console, however Andrew is the first to admit that a very knowledgeable hacker with great patience and great skill can indeed get around this.  It's not foolproof, but it makes it millions of times harder to exploit.

Phil.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


Last edited by PhilTaylor-Prazgod on Sat Jan 05, 2008 8:13 pm, edited 1 time in total.

PostPosted: Sat Jan 05, 2008 9:36 pm 
Joomla! Enthusiast

Joined: Sun Aug 28, 2005 5:10 pm
Posts: 238
Location: Montréal,Qc
Hi,

Is there a way to limit the maximum number of superadmin & admin user accounts that can be created?

So if the limit is reached nobody will be able to create new admin accounts.

Does that make sense?

_________________
Lenamtl


PostPosted: Sat Jan 05, 2008 9:38 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
lenamtl wrote:
Hi,

Is there a way to limit the maximum number of superadmin & admin user accounts that can be created?

So if the limit is reached nobody will be able to create new admin accounts.

Does that make sense?


That is currently not a feature of Joomla 1.0.13 or Joomla 1.5(SVN) although it is a good suggestion.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Sat Jan 05, 2008 9:47 pm 
Joomla! Hero

Joined: Fri Aug 12, 2005 2:45 am
Posts: 2281
Location: Brisbane, Australia
Just a quick update.  As Phil suggests we've gone as far as we can without introducing CAPTCHA to the backend.  Basically we've done as much as, for example, Drupal or SMF do in their forms.

The next step is really just raising the awareness of this type of issue (which is not unique to Joomla!).  It's not a good idea to remain logged into your administrator panel.  It's possibly even a good idea to use a different browser for your admin work.

For the record I have notified Mambo of this issue, given its severity and I know some of our community have to maintain both CMSs, and offered assistance if they need it.  Others possibly have already because the reports get switched to private pretty quickly so I'm guessing someone is working on it over in their camp.

Finally and again I do want to thank those who have contributed brain power to solving this.  We got off to a rough start but I think we've come out with a good result in the end.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Expert videos and tutorials.
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


PostPosted: Sat Jan 05, 2008 9:49 pm 
Joomla! Hero

Joined: Fri Aug 12, 2005 2:45 am
Posts: 2281
Location: Brisbane, Australia
lenamtl wrote:
Hi,

Is there a way to limit the maximum number of superadmin & admin user accounts that can be created?

So if the limit is reached nobody will be able to create new admin accounts.

Does that make sense?

We'll be calling for white papers soon on what the community wants in 1.6.  This would make a good topic for one if a few people wanted to work the details and expand on that idea.

_________________
Andrew Eddie - Tweet @AndrewEddie
<><
http://learn.theartofjoomla.com - Expert videos and tutorials.
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.


PostPosted: Sat Jan 05, 2008 10:04 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
Everyone:

Here is a 100% foolproof way to protect yourself from CSRF

http://blog.phil-taylor.com/2008/01/05/ ... mla-safer/

:pop

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/


PostPosted: Sun Jan 06, 2008 1:21 pm 
Joomla! Intern

Joined: Fri Apr 13, 2007 2:24 pm
Posts: 54
Is it efficient against the CSRF vulnerability to have the backend connection under HTTPS instead of HTTP?

regards


PostPosted: Sun Jan 06, 2008 1:23 pm 
Joomla! Ace

Joined: Sat Aug 20, 2005 12:32 pm
Posts: 1117
Location: Weymouth, UK
k0nan wrote:
Is it efficient against the CSRF vulnerability to have the backend connection under HTTPS instead of HTTP?

regards


No - this will not protect you.

_________________
Phil Taylor - Full Time Joomla/PHP Expert
Blue Flame IT Ltd.
-- http://myjoomla.com/ Joomla Security/Hack fix Auditing Service
-- http://www.phil-taylor.com/

