[FIXED in 1.0.10] SQL Injection vulnerability Joomla! 1.0.9 Stable

irstudio
Joomla! Intern
Posts: 74
Joined: Mon Sep 05, 2005 7:45 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by irstudio » Tue Jun 20, 2006 7:14 pm

A while back I added frontend editing capability to mambo (at the time) weblinks

I ported the functionality from the content component
In process I may have patched this hole ...
so my sites are not vulnerable.... I think.... can't be sure

running the exploit seems to fail

I can post my com_weblinks if anyone wants to take a look at it
It is currently for 1.0.7 - I should have one for 1.0.9 on a test site as well

EDIT:
looks like the exploit still works but only for users that are Editors or higher - that's ok though  ;D
the fix is kind of useless to me because of the need to be able to submit from the frontend :(
Last edited by irstudio on Tue Jun 20, 2006 9:29 pm, edited 1 time in total.

Websmurf
Joomla! Hero
Posts: 2230
Joined: Fri Aug 19, 2005 2:23 pm
Location: The Netherlands

Re: [CONFIRMED] Is Joomla secure against that?

Post by Websmurf » Tue Jun 20, 2006 8:06 pm

eyezberg wrote: Rey, any idea about ETA for the patch? thanks

Other question: can this still be accessed if there's no published link to com_weblinks? by using the option in the url?
Yes, that will still work.
Have a look at the code I posted above. That should keep you safe at least until there's a patch:
http://forum.joomla.org/index.php/topic ... #msg366017
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl

AmyStephen

Re: [CONFIRMED] Is Joomla secure against that?

Post by AmyStephen » Wed Jun 21, 2006 12:20 pm

stingrey wrote: We are working as quickly as possible to complete and release 1.0.10 as soon as possible - at last check my watch said 2am.
Rey -

Take care of yourself. Really. You give us SO MUCH for SO LONG. These things happen and are not anyone's fault. You do NOT need to work yourself to death to fix it. You will repair it just like you have any other problem we had. And, there will be another one. It's the world we live in. Nature of the beast.

We appreciate you, Rey.

Amy
Last edited by AmyStephen on Wed Jun 21, 2006 12:23 pm, edited 1 time in total.

lenamtl
Joomla! Enthusiast
Posts: 238
Joined: Sun Aug 28, 2005 5:10 pm
Location: Montréal,Qc

Re: [CONFIRMED] Is Joomla secure against that?

Post by lenamtl » Wed Jun 21, 2006 3:07 pm

Hi,

does this fix also work for Joomla?

reference: http://mamboxchange.com/forum/forum.php?forum_id=7505

open /components/com_weblinks/weblinks.php and add the following two lines
Code:
$row->title = $database->getEscaped($row->title);

$row->catid = $database->getEscaped($row->catid);
Last edited by lenamtl on Wed Jun 21, 2006 3:27 pm, edited 1 time in total.
Lenamtl

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by friesengeist » Wed Jun 21, 2006 3:20 pm

Hi Lenamtl,
lenamtl wrote: does this fix also work for Joomla?
reference: http://mamboxchange.com/forum/forum.php?forum_id=7505
[...]
Yes, it does work for Joomla!.
Line numbers have changed. Insert the code you posted before this fragment (line 307):

Code:

if (!$row->check()) {
	echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n";
	exit();
}
However, install the official Joomla! fix as soon as it comes out. There are more issues which will be addressed by J! 1.0.10.

Best,
Enno
Last edited by friesengeist on Wed Jun 21, 2006 3:22 pm, edited 1 time in total.
We may not be able to control the wind, but we can always adjust our sails

irstudio
Joomla! Intern
Posts: 74
Joined: Mon Sep 05, 2005 7:45 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by irstudio » Wed Jun 21, 2006 3:44 pm

looks like it works fine

I think as long as you put it after:

Code:

        $row = new mosWeblink( $database );
        if (!$row->bind( $_POST, 'published' )) {
                echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n";
                exit();
        }
but before:

Code:

        if (!$row->check()) {
                echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n";
                exit();
        }
you'll be ok

it probably wouldn't hurt to have these two lines included in 1.0.10 as well??

friesengeist
Joomla! Guru
Posts: 842
Joined: Sat Sep 10, 2005 10:31 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by friesengeist » Wed Jun 21, 2006 4:00 pm

irstudio wrote: it probably wouldn't hurt to have these two lines included in 1.0.10 as well??
They are, but in a more suitable place: in weblinks.class.php.

The way it is done has only one drawback: weblinks with an apostrophe will be shown e.g. as "Enno\'s Weblink" with an escaped "\'". I would suggest using a local variable for title in weblinks.class.php (the title will be escaped again before storing in the db by $row->store, so no security threat here):

Code:

$this->catid = intval($this->catid);
$title = $this->_db->getEscaped( $this->title );

/** check for existing name */
$query = "SELECT id"
. "\n FROM #__weblinks "
. "\n WHERE title = '$title'"
. "\n AND catid = $this->catid"
;
Best,
Enno
We may not be able to control the wind, but we can always adjust our sails
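Added example, not code from Joomla! or from any post in this thread, showing the difference Enno describes between escaping $this->title in place and escaping into a local variable, and why the catid line uses intval() rather than getEscaped(). FakeDatabase, FakeWeblink, lookup(), store() and demo() are stand-ins written for this example, and getEscaped() is assumed to behave like addslashes() for the characters that matter here.

```php
<?php
// Added example, not code from Joomla! or from any post in this thread.
// FakeDatabase and FakeWeblink are stand-ins for the Joomla! 1.0 database
// class and mosWeblink; getEscaped() is assumed to behave like addslashes()
// for the quote and backslash characters that matter here.

class FakeDatabase
{
    public $log = array();          // every lookup query that would be sent

    public function getEscaped($text)
    {
        return addslashes($text);   // assumption: stand-in for the real escaper
    }

    public function setQuery($sql)
    {
        $this->log[] = $sql;
    }
}

class FakeWeblink
{
    public $title;
    public $catid;
    private $_db;

    public function __construct(FakeDatabase $db)
    {
        $this->_db = $db;
    }

    // Builds the duplicate-name lookup from already-prepared values.
    private function lookup($title, $catid)
    {
        $query = "SELECT id"
            . "\n FROM #__weblinks "
            . "\n WHERE title = '$title'"
            . "\n AND catid = $catid";
        $this->_db->setQuery($query);
    }

    // First fix posted in the thread: escape the object properties in place.
    // The title lookup is safe, but $this->title keeps the backslash afterwards,
    // and getEscaped() does nothing for a catid that contains no quotes at all.
    public function checkInPlace()
    {
        $this->title = $this->_db->getEscaped($this->title);
        $this->catid = $this->_db->getEscaped($this->catid);
        $this->lookup($this->title, $this->catid);
    }

    // Enno's variant: escape into a local, cast catid to an integer,
    // and leave $this->title exactly as the user typed it.
    public function checkLocal()
    {
        $this->catid = intval($this->catid);
        $title = $this->_db->getEscaped($this->title);
        $this->lookup($title, $this->catid);
    }

    // Stand-in for store(): escapes every field once more before writing,
    // which is why the in-place variant ends up with "Enno\'s Weblink" in the db.
    public function store()
    {
        return "UPDATE #__weblinks SET title = '"
            . $this->_db->getEscaped($this->title) . "'";
    }
}

function demo($method)
{
    $db  = new FakeDatabase();
    $row = new FakeWeblink($db);
    $row->title = "Enno's Weblink";   // constructed sample input with an apostrophe
    $row->catid = "5 OR 1=1";         // constructed non-numeric catid to show why intval() matters
    $row->$method();
    return array('lookup' => $db->log[0], 'title' => $row->title, 'store' => $row->store());
}

print_r(demo('checkInPlace'));
print_r(demo('checkLocal'));
```

Compare the two 'lookup' strings for the catid clause and the two 'store' strings for the number of backslashes in front of the apostrophe.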

irstudio
Joomla! Intern
Posts: 74
Joined: Mon Sep 05, 2005 7:45 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by irstudio » Wed Jun 21, 2006 4:24 pm

ok I see it here:
http://forge.joomla.org/integration/vie ... iew=markup
look for the line:

Code:

// SQL injection protection
so if you want to patch your installation
weblinks.class.php around line 85

right before:

Code:

/** check for existing name */
is as good a place as any

PS
@friesengeist:
so if I understand correctly,
creating a local variable will prevent the slashes from being added twice
in that case it looks pretty good to do it your way

irstudio
Joomla! Intern
Posts: 74
Joined: Mon Sep 05, 2005 7:45 pm

Re: [CONFIRMED] Is Joomla secure against that?

Post by irstudio » Wed Jun 21, 2006 5:02 pm

I have been looking at the changes in 1.0.10SVN

looks like anti spoofing code has been moved out of com_content
and made generally usable by other components

this raises an interesting issue:
how do we secure our 3rd party components against these header injection and other spoofing attacks, now that 1.0.10 will include a way to do so?

looks like there are two parts

1) in your mycomponent.html.php file
in ANY functions that SUBMIT FORMS
first add a variable in the beginning of the function

Code:

// used for spoof hardening
$validate = josSpoofValue();
then add another hidden field to the form:

Code:

<input type="hidden" name="<?php echo $validate; ?>" value="1" />

2) in your mycomponent.php file
in functions that handle form submissions like SAVE  or SEND EMAIL functions
add this right after global variable definitions

Code:

// simple spoof check security
josSpoofCheck();

Tom
Joomla! Enthusiast
Posts: 104
Joined: Thu Aug 18, 2005 1:08 pm
Location: Cleveland, OH

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Tom » Thu Jun 22, 2006 2:05 pm

Code:

if (function_exists('josSpoofValue')) $validate = josSpoofValue();

Code:

<?php if (function_exists('josSpoofValue')) { ?><input type="hidden" name="<?php echo $validate; ?>" value="1" /><?php } ?>

Code:

if (function_exists('josSpoofCheck')) josSpoofCheck();
This would make your component backwards compatible with Joomla! versions that don't contain that API.  I know, it would be a good idea to force people to upgrade, but to do that would be like pulling a "Microsoft."
Tom Parkison
Rochen Staff Member
http://www.rochen.com
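Added example, not code from Joomla! or from any post here, putting irstudio's two-part procedure and Tom's function_exists() wrapper together in one runnable file. spoofValue(), spoofField(), spoofCheck(), guardedSpoofCheck() and SITE_SECRET are simplified stand-ins written for this example; they are not the josSpoofValue()/josSpoofCheck() shipped in 1.0.10, whose internals this thread does not show.

```php
<?php
// Added example, not Joomla!'s own code. A self-contained version of the
// two-part spoof check described in the thread; the real josSpoofValue() and
// josSpoofCheck() from 1.0.10 are not reproduced here.

// Assumption: a per-site secret kept in configuration and never sent to the browser.
define('SITE_SECRET', 'replace-with-a-random-per-site-secret');

// Derives the hidden-field NAME from the secret and the current day, so a
// third-party page cannot know which field name to include in a forged form,
// and a captured name stops working once the day changes.
function spoofValue($day = null)
{
    if ($day === null) {
        $day = date('Ymd');
    }
    return md5(SITE_SECRET . $day);
}

// Part 1: what mycomponent.html.php adds inside every form it renders.
function spoofField()
{
    $validate = spoofValue();
    return '<input type="hidden" name="' . $validate . '" value="1" />';
}

// Part 2: what mycomponent.php runs at the top of save/send handlers.
// A browser only submits the field if this site rendered the form, so a
// form posted from elsewhere is rejected before any data is touched.
function spoofCheck(array $post)
{
    $validate = spoofValue();
    return isset($post[$validate]) && $post[$validate] === '1';
}

// Tom's backwards-compatible variant: enforce the check only when the core
// provides it, so the component still installs on a core that lacks the API.
function guardedSpoofCheck(array $post)
{
    if (function_exists('spoofCheck')) {
        return spoofCheck($post);
    }
    return true;   // older core: nothing to check against
}

// Constructed sample submissions.
$fromOurForm     = array('title' => 'Example', spoofValue() => '1');
$forgedElsewhere = array('title' => 'Example');

echo spoofField(), "\n";
var_dump(spoofCheck($fromOurForm));
var_dump(spoofCheck($forgedElsewhere));
var_dump(guardedSpoofCheck($forgedElsewhere));
```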

richieboy
Joomla! Apprentice
Posts: 45
Joined: Fri Jun 23, 2006 9:04 pm

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by richieboy » Fri Jun 23, 2006 9:07 pm

My first post here - would like to say that i love Joomla and really appreciate the hard work that has obviously gone into it...

However i am very security paranoid and am wondering if there is an estimated date for an official patch for this exploit...or when will 1.0.10 be released?

Thankyou  :) :D ;D

digitaldentist

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by digitaldentist » Sat Jun 24, 2006 2:28 am

the Joomla dev team would rather finish a monolithic update than recode 1 file and release it as an interim patch....
High level sql injection threat and no mention of it on the NEWS side of the site...

Please tell me how any of this relates to Joomla's core statement
The name Joomla is a phonetic spelling for the Swahili word "Jumla", which means "all together" or "as a whole". It was chosen as the entire team behind Mambo was unanimous in their commitment to protecting the interests of the project and community

gustavo
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by gustavo » Sat Jun 24, 2006 2:38 am

digitaldentist wrote: High level sql injection threat and no mention of it on the NEWS side of the site...
Agree 100%

Have a nice day
Gustavo Raúl Aragón
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

Tonie
Joomla! Master
Posts: 16553
Joined: Thu Aug 18, 2005 7:13 am

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by Tonie » Sat Jun 24, 2006 8:43 am

I personally don't think it is smart to post critical security threats on the news site when an official patch hasn't been released. When 1.0.10 is released, the news item will follow on the frontpage. Also the people who have subscribed to the announcements forum here will get a notice as well. This patch is due out soon, Rey will make the announcement when it is out.

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Sat Jun 24, 2006 9:28 am

Joomla! 1.0.10 will be released within the next 24-48 hours.

It has been sent to testing teams for final approval for release.

Until then the suggested temporary fixes in this thread are all valid.

Also note that although this is a [High Level] threat it works in only certain circumstances and is not a `full` vulnerability.
For a [Critical Level] Threat we would have undergone a much quicker release cycle - however the nature of this threat has afforded us more time to complete 1.0.10 and to test it more thoroughly.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

AmyStephen

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by AmyStephen » Sat Jun 24, 2006 12:16 pm

Tonie and Rey -

Thank you for your response. What you are saying makes sense. We are all a bit paranoid and want to protect our Joomla! sites, so, the growing concern was a result of the SVN post, but no word on 'what's next.' However, Tonie, your note very logically explains why. And, Rey, yours is an encouraging response and a perfectly acceptable timeframe.

One word on end-user community comments - it makes me very proud to know that openness is acceptable here in the forums when people feel they must speak. I am also proud of the openness I have seen, here. The posts were polite and encouraging us to evolve to a "better" place. I am most *especially* proud of the rapid, honest and unemotional response of two of our core team members to these concerns.

Thank you for your continued patience with us in the end user community as we sometimes become anxious and speak!

Amy  :)

digitaldentist

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by digitaldentist » Sat Jun 24, 2006 12:44 pm

Tonie wrote: I personally don't think it is smart to post critical security threats on the news site when an official patch hasn't been released. When 1.0.10 is released, the news item will follow on the frontpage. Also the people who have subscribed to the announcements forum here will get a notice as well. This patch is due out soon, Rey will make the announcement when it is out.
Security through obscurity is no security at all. Malevolent internet users and groups may check core software sites for announcements, but in truth they look at other security websites and resources to swap information. The fact of the matter at hand is Joomla is an open source project, highly popular and multiple users have contributed to a patch. By not disclosing the security threat the entire community is at risk. It should be the sole discretion of the site administrators to take the appropriate actions they deem necessary, along with links to the various suggested user workarounds while the developers work on an official patch.

Reason I say such things is for the past week I have stared at the boards off and on, never even noticed the SQL injection threat till last night. When I did, I woke people out of bed at another design firm so they could alert their clients of the threat and the patch.
Last edited by digitaldentist on Sat Jun 24, 2006 2:23 pm, edited 1 time in total.

brian
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by brian » Sat Jun 24, 2006 11:03 pm

Digitaldentist I do agree with you that "Security through obscurity is no security at all" and that the general practice regarding security alerts and fixes here at joomla is a little bit different from the norm for an open source project.

In reality the problem is that Joomla! has broken beyond the realm of the geek "open source or nothing" market place and is a mainstream product with mainstream users. As such it is probably correct that a security release/info policy such as the one that is in place right now is correct.

For myself I am subscribed to this entire forum section so that I receive email notification of any posts and there have been numerous ones on this issue together with fixes and explanations.

(there have also been posts of security issues with 3rd party extensions here that have not been acknowledged)
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

tyler
Joomla! Intern
Posts: 71
Joined: Thu Jan 26, 2006 11:36 pm
Location: Los Angeles, California, United States

Re: [UNDER REVIEW] Is Joomla secure against that?

Post by tyler » Sun Jun 25, 2006 12:34 am

Thanks very much for your quick attention and both versions of the temporary fix websmurf, it worked perfectly on my install :)
Last edited by tyler on Sun Jun 25, 2006 1:16 am, edited 1 time in total.
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com

grace
Joomla! Enthusiast
Posts: 113
Joined: Wed Sep 14, 2005 5:59 am

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by grace » Sun Jun 25, 2006 7:09 am

Ciao:
Please could you send an email to the server at the URL that appears at the bottom of the securityfocus page, in your language?
They need to know about this problem. And we need to stop this abuse by sending mails to the hosting providers.
Thank you!
Best Regards!
Bettinz wrote: sorry for my English, but I'm Italian  ;)
I've read about this vulnerability in Mambo, and I ask you if Joomla is protected against that
http://www.securityfocus.com/archive/1/437496

gustavo
Joomla! Explorer
Posts: 427
Joined: Fri Aug 19, 2005 12:51 pm
Location: Argentina

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by gustavo » Mon Jun 26, 2006 1:47 am

I still don't get why you stopped using the patch way to patch security holes (like in Mambo), instead of a totally new release to fix several errors. It's not logical at all if you want to keep joomla secure..

Have a nice day
Gustavo Raúl Aragón
Last edited by gustavo on Mon Jun 26, 2006 1:52 am, edited 1 time in total.
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org

bigmudcake
Joomla! Intern
Posts: 60
Joined: Thu Dec 08, 2005 8:38 am

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by bigmudcake » Mon Jun 26, 2006 2:44 am

I find it a little puzzling that the joomla team gives more priority on their website to "International PHP Magazine Features Joomla! 1.5" than a high security risk that has the potential to have all current joomla sites hacked.

Please,  please,  please.  I hate sifting through subforums  to find verbose answers to security risks.

Please take security seriously.  Here are suggestions,

1. A dedicated webpage listing all current security vulnerabilities, and the appropriate fixes.

2. If risk is high then instructions on patching users' current version should be given, along with which version the fix has been (will be) incorporated in. Never force people to upgrade, as it leaves sites flapping in the breeze as they have the extra task of seeing if the upgrade breaks anything else. (example - upgrading from 1.0.7 breaks the mosCE editor, plus a few other things as well.)

3. Never tell people just to wait until the next version, again it leaves sites flapping in the breeze, vulnerable to hackers.


Being a mainstream product is even more reason to make security issues less obscure. Big companies like Microsoft learnt this the hard way. Does the Joomla team really need to learn the hard way too?


In the meantime I thank the Mambo website for alerting me to the security issue (thus prompting me to hunt through this forum) and providing the fix that I can apply to all my existing websites with various versions of joomla in the shortest possible time.
Last edited by bigmudcake on Mon Jun 26, 2006 2:52 am, edited 1 time in total.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by brad » Mon Jun 26, 2006 2:55 am

Dev Status is always available here: http://dev.joomla.org/content/blogcategory/21/86/ and by subscribing to the announcement section of these forums you will immediately be notified of any important releases/security fix etc etc.

Subscribe here: http://forum.joomla.org/index.php?actio ... ;board=8.0

AmyStephen

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by AmyStephen » Mon Jun 26, 2006 2:56 am

BigMudCake -

I have to laugh - because the core team can't win! Some of us gave Mitch a hard time because he did not have his article "International PHP Magazine Features Joomla! 1.5"  published for the community to see. I was happy to see it out on the News site. So, poor guy, got in trouble when it wasn't there, now, because it is. It doesn't pay to be on the core team -- anything, actually, not a dime and no respect!

Also - hopefully, you read this thread because I believe the core team has already responded to each of your points. There may be a difference of opinion on exactly how to handle things, but Tonie and Rey did answer the questions you have asked -- above your post five or six posts.

Tonie responded to why they do not want to highlight security issues.

2. No one is being forced to upgrade -- and there are instructions in this thread -- and the instructions have been "smiled upon" by Rey, who is in charge of maintenance. So, sites should not be flapping in the breeze, as it were!

3. No one has been asked to wait, either, see Rey's response in #44.

As far as "sifting through subforums" - see Tonie's response in #43 where he recommends subscribing to the announcements forum.

None of us like security scares and no one is to blame -- least of all the core developers -- so, let's read what is available and try to keep emotion in check. These guys absolutely are taking security seriously and have since I signed up in November. You might consider how that note sounds to those who have been working hard *for free* *for us* *for awhile!*

Take care, okay?
Amy

BTW - that was another core team member who cares about security!  8)
Last edited by AmyStephen on Mon Jun 26, 2006 2:59 am, edited 1 time in total.

bigmudcake
Joomla! Intern
Posts: 60
Joined: Thu Dec 08, 2005 8:38 am

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by bigmudcake » Mon Jun 26, 2006 3:59 am

I think it's because I find it a little frustrating.

I brought it up once before about lack of information regarding security issues off the main website, but unfortunately it turned into a joomla zealot driven thread instead of rising above the joomla/mambo politics.

http://forum.joomla.org/index.php/topic ... #msg219779


I do applaud especially stingrey who always works so hard coding AND finds the time to publish security info and fixes. I appreciate this more because his attitude about security issues rises above all the politics and he gives the info we need.

But for the more mainstream user, busy website maintainers, and new users: they shouldn't have to try and track down where the security info is posted, especially when it also includes all the posts and opinions of everyone on how to solve it. It can get very confusing, and take a lot of time.

There is no mention on the main website of even where security info may be found, or how it is organised.

I am especially worried that if we didn't have Rey, then we might get no info at all in a timely manner.

brad
Joomla! Master
Posts: 13272
Joined: Fri Aug 12, 2005 12:38 am
Location: Australia

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by brad » Mon Jun 26, 2006 4:05 am

Your suggestion was noted then, as it is now.

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Mon Jun 26, 2006 5:12 am

Upgrade to Joomla! 1.0.10 Security Release!
http://www.joomla.org/content/view/1510/74/
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Mon Jun 26, 2006 5:37 am

bigmudcake wrote: Please take security seriously.  Here are suggestions,
I can assure you we take Security very seriously. 
We have lost serious levels of sleep simply confirming whether threats are indeed correct and then creating fixes where necessary.
We communicate across boundaries, as in this case with former members of Team Mambo at http://www.mamboguru.com (and thanks for their assistance).


bigmudcake wrote: 1. A dedicated webpage listing all current security vulnerabilities, and the appropriate fixes.
As it happens this is on the todo list, but as always this takes time to do and the priority has been coding, so this project has not been started yet unfortunately.  But rest assured it is something that I have personal interest in seeing created.


bigmudcake wrote: 2. If risk is high then instructions on patching users' current version should be given, along with which version the fix has been (will be) incorporated in. Never force people to upgrade, as it leaves sites flapping in the breeze as they have the extra task of seeing if the upgrade breaks anything else. (example - upgrading from 1.0.7 breaks the mosCE editor, plus a few other things as well.)
* The usual case when a security vulnerability is found - of any nature - is that an analysis is done to secure the codebase from future attacks of a similar nature and additional hardening is taken.
* By its nature a dedicated security patch to fix a specific vulnerability would only secure you from that particular vulnerability and would not have the additional security hardening that occurs - as occurred in this case, where additional hardening has indeed been introduced. This hardening then lessens the likelihood of future attacks occurring - preemptive defense.
* Releasing dedicated security patches to address High to Critical level threats will probably encourage users to maintain earlier versions of the codebase, meaning that they will not benefit from security fixes for Medium to Low level threats.
* Some fixes are dependent on a large number of fixes over a large number of files, that are dependent on code introduced in progressive releases of the codebase, so there is no guarantee that a suggested fix will properly protect the earliest versions of the codebase, which may not have the other dependent code. The only way this can be assured is by using Full Releases.
Cumulative use of specific security patches may not be as effective as the Full Release.
* Most users do not have the ability, proficiency or confidence to introduce specific security code changes themselves.
* If you release Security Patch files with the security changes (not simply posting the fixes for users to code themselves), you would most probably need to release versions for every version of the codebase to cover any differences between them, which would be about as much work for the Team as releasing a Full Release.


bigmudcake wrote: 3. Never tell people just to wait until the next version, again it leaves sites flapping in the breeze, vulnerable to hackers.
Our response is predicated on the nature of the security vulnerability found. For Critical Level threats (our highest rating) we work towards a 24-48 hour release response.
For High Level or lesser bugs a longer period may be taken dependent on the nature of the threat - as occurred here, where the nature of the threat meant its severity was to a certain extent limited.
Last edited by stingrey on Mon Jun 26, 2006 7:58 am, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

brian
Joomla! Master
Posts: 12781
Joined: Fri Aug 12, 2005 7:19 am
Location: Leeds, UK

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by brian » Mon Jun 26, 2006 6:11 am

Rey

Just wanted to say that all of your hard work (and long hours) in ensuring that Joomla! 1.0x is as secure as possible and that responses to security issues are dealt with in such a timely and efficient manner is appreciated.

I have seen so many projects that just sit back and ignore these issues ......
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Re: [FIXED SVN] SQL Injection vulnerability Joomla! 1.0.9 Stable

Post by stingrey » Mon Jun 26, 2006 8:00 am

I also am cognizant that part of the problem is that we haven't clearly communicated our Security and Stability principles, guidelines and mandate - this does cause some uncertainty.

So it is also on my todo list to clearly outline on dev.joomla.org the project Joomla! Security and Stability principles.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

