The Joomla! Forum ™



PostPosted: Tue Jun 20, 2006 7:14 pm 
Joomla! Intern

Joined: Mon Sep 05, 2005 7:45 pm
Posts: 74
A while back I added frontend editing capability to mambo (at the time) weblinks

I ported the functionality from the content component
In process I may have patched this hole ...
so my sites are not vulnerable.... I think.... can't be sure

running the exploit seems to fail

I can post my com_weblinks if anyone wants to take a look at it
It is currently for 1.0.7 - I should have one for 1.0.9 on a test site as well

EDIT:
looks like the exploit still works but only for users that are Editors or higher - that's ok though  ;D
the fix is kind of useless to me because of the need to be able to submit from the frontend :(




Last edited by irstudio on Tue Jun 20, 2006 9:29 pm, edited 1 time in total.

PostPosted: Tue Jun 20, 2006 8:06 pm
Joomla! Hero

Joined: Fri Aug 19, 2005 2:23 pm
Posts: 2230
Location: The Netherlands
eyezberg wrote:
Rey, any idea about ETA for the patch? thanks

Other question: can this still be accessed if there's no published link to com_weblinks? by using the option in the url?

Yes, that will still work.
Have a look at the code I posted above. That should keep you safe at least until there's a patch:
http://forum.joomla.org/index.php/topic ... #msg366017

_________________
Adam van Dongen - Developer

- Blocklist, ODT Indexer, EasyFAQ, Easy Guestbook, Easy Gallery, YaNC & Redirect -
http://www.joomla-addons.org - http://www.bandhosting.nl


PostPosted: Wed Jun 21, 2006 12:20 pm 
stingrey wrote:
We are working as quickly as possible to complete and release 1.0.10 as soon as possible - at last check my watch said 2am.


Rey -

Take care of yourself. Really. You give us SO MUCH for SO LONG. These things happen and are not anyone's fault. You do NOT need to work yourself to death to fix it. You will repair it just like you have any other problem we had. And, there will be another one. It's the world we live in. Nature of the beast.

We appreciate you, Rey.

Amy


Last edited by AmyStephen on Wed Jun 21, 2006 12:23 pm, edited 1 time in total.

PostPosted: Wed Jun 21, 2006 3:07 pm
Joomla! Enthusiast

Joined: Sun Aug 28, 2005 5:10 pm
Posts: 238
Location: Montréal,Qc
Hi,

Does this fix also work for Joomla?

reference: http://mamboxchange.com/forum/forum.php?forum_id=7505

open /components/com_weblinks/weblinks.php and add the following two lines
Code:
$row->title = $database->getEscaped($row->title);

$row->catid = $database->getEscaped($row->catid);

_________________
Lenamtl


Last edited by lenamtl on Wed Jun 21, 2006 3:27 pm, edited 1 time in total.

PostPosted: Wed Jun 21, 2006 3:20 pm
Joomla! Guru

Joined: Sat Sep 10, 2005 10:31 pm
Posts: 842
Hi Lenamtl,

lenamtl wrote:
Does this fix also work for Joomla?
reference: http://mamboxchange.com/forum/forum.php?forum_id=7505
[...]


Yes, it does work for Joomla!.
Line numbers have changed. Insert the code you posted before this fragment (line 307):
Code:
if (!$row->check()) {
   echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n";
   exit();
}


However, install the official Joomla! fix as soon as it comes out. There are more issues which will be addressed by J! 1.0.10.

Best,
Enno

_________________
We may not be able to control the wind, but we can always adjust our sails


Last edited by friesengeist on Wed Jun 21, 2006 3:22 pm, edited 1 time in total.

PostPosted: Wed Jun 21, 2006 3:44 pm
Joomla! Intern

Joined: Mon Sep 05, 2005 7:45 pm
Posts: 74
looks like it works fine

I think as long as you put it after :
Code:
        $row = new mosWeblink( $database );
        if (!$row->bind( $_POST, 'published' )) {
                echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n";
                exit();
        }


but before:
Code:
        if (!$row->check()) {
                echo "<script> alert('".$row->getError()."'); window.history.go(-1); </script>\n";
                exit();
        }

you'll be ok

it probably wouldn't hurt to have these two lines included in 1.0.10 as well??


PostPosted: Wed Jun 21, 2006 4:00 pm
Joomla! Guru

Joined: Sat Sep 10, 2005 10:31 pm
Posts: 842
irstudio wrote:
it probably wouldn't hurt to have these two lines included in 1.0.10 as well??


They are, but in a more suitable place: in weblinks.class.php.

The method how it is done has only one drawback: weblinks with an apostrophe will be shown e.g. as "Enno\'s Weblink" with an escaped "\'". I would suggest using a local variable for title in weblinks.class.php (the title will be escaped again before storing in the db by $row->store, so no security threat here):

Code:
$this->catid = intval($this->catid);
$title = $this->_db->getEscaped( $this->title );

/** check for existing name */
$query = "SELECT id"
. "\n FROM #__weblinks "
. "\n WHERE title = '$title'"
. "\n AND catid = $this->catid"
;


Best,
Enno

_________________
We may not be able to control the wind, but we can always adjust our sails
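
Added example (not part of the posts above and not Joomla! code): a stand-alone PHP comparison of the three variants discussed in this exchange, namely the unescaped duplicate-title query, escaping the object's title in place, and escaping into a local variable. demo_escape(), demo_unescaped_quotes(), DemoWeblink and the demo_weblinks table are hypothetical stand-ins; addslashes()/stripslashes() only approximate getEscaped() and the server's reading of a string literal.

```php
<?php
// Added illustration, not Joomla! code. Every name below is hypothetical.

// Stand-in for $database->getEscaped(): backslash-escapes quotes for a
// MySQL-style string literal (assumption: single-byte connection charset).
function demo_escape(string $value): string
{
    return addslashes($value);
}

// Counts quote characters that are not preceded by a backslash. A query with
// one well-formed string literal has exactly two (opening and closing).
function demo_unescaped_quotes(string $sql): int
{
    return (int) preg_match_all("/(?<!\\\\)'/", $sql);
}

class DemoWeblink
{
    public $title;
    public $catid;

    public function __construct(string $title, $catid)
    {
        $this->title = $title;
        $this->catid = $catid;
    }

    private function query(string $title): string
    {
        return "SELECT id FROM demo_weblinks"
             . " WHERE title = '$title' AND catid = {$this->catid}";
    }

    // Before any fix: request values go into the SQL text untouched.
    public function checkRaw(): string
    {
        return $this->query($this->title);
    }

    // Workaround style: the object's own properties are overwritten.
    public function checkInPlace(): string
    {
        $this->catid = intval($this->catid);
        $this->title = demo_escape($this->title);
        return $this->query($this->title);
    }

    // Local-variable style: the property keeps the user's original text.
    public function checkLocal(): string
    {
        $this->catid = intval($this->catid);
        return $this->query(demo_escape($this->title));
    }

    // store() escapes the property once more for its INSERT; the server then
    // removes exactly one level of escaping when it reads the literal.
    public function storedTitle(): string
    {
        return stripslashes(demo_escape($this->title));
    }
}

// Constructed input: a title with an apostrophe and a non-numeric catid.
$input = ['title' => "Enno's Weblink", 'catid' => '3 trailing text'];

foreach (['checkRaw', 'checkInPlace', 'checkLocal'] as $variant) {
    $row = new DemoWeblink($input['title'], $input['catid']);
    $sql = $row->$variant();
    printf("%-13s %s\n", $variant, $sql);
    printf("%-13s unescaped quotes: %d, title after store: %s\n\n",
        '', demo_unescaped_quotes($sql), $row->storedTitle());
}
```

Only the raw variant leaves a third unescaped quote and the trailing catid text in the query; the in-place variant is safe but stores the title with a literal backslash, which is the display problem the local variable avoids.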


PostPosted: Wed Jun 21, 2006 4:24 pm
Joomla! Intern

Joined: Mon Sep 05, 2005 7:45 pm
Posts: 74
ok I see it here:
http://forge.joomla.org/integration/vie ... iew=markup
look for the line:
Code:
// SQL injection protection


so if you want to patch your installation
weblinks.class.php around line 85

right before:
Code:
/** check for existing name */

is as good a place as any

PS
@friesengeist:
so if I understand correctly,
creating a local variable will prevent the slashes from being added twice
in that case it looks pretty good to do it your way


PostPosted: Wed Jun 21, 2006 5:02 pm
Joomla! Intern

Joined: Mon Sep 05, 2005 7:45 pm
Posts: 74
I have been looking at the changes in 1.0.10SVN

looks like anti spoofing code has been moved out of com_content
and made generally usable by other components

this raises an interesting issue
how do we secure our 3rd party components against these header injection and other spoofing attacks
now that 1.0.10 will include a way to do so.

looks like there are two parts

1) in your mycomponent.html.php file
in ANY functions that SUBMIT FORMS
first add a variable in the beginning of the function
Code:
    // used for spoof hardening
    $validate = josSpoofValue();
 
then add another hidden field to the form:
Code:
        <input type="hidden" name="<?php echo $validate; ?>" value="1" />
 

2) in your mycomponent.php file
in functions that handle form submissions like SAVE  or SEND EMAIL functions
add this right after global variable definitions
Code:
   // simple spoof check security
   josSpoofCheck();   


PostPosted: Thu Jun 22, 2006 2:05 pm
Joomla! Enthusiast

Joined: Thu Aug 18, 2005 1:08 pm
Posts: 104
Location: Cleveland, OH
Code:
if (function_exists('josSpoofValue')) $validate = josSpoofValue();


Code:
<?php if (function_exists('josSpoofValue')) { ?><input type="hidden" name="<?php echo $validate; ?>" value="1" /><?php } ?>


Code:
if (function_exists('josSpoofCheck')) josSpoofCheck();


This would make your component backwards compatible with Joomla! versions that don't contain that API.  I know, it would be a good idea to force people to upgrade, but to do that would be like pulling a "Microsoft."

_________________
Tom Parkison
Rochen Staff Member
http://www.rochen.com
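
Added example (not from the thread and not Joomla!'s implementation): the round trip behind the form-token pattern described in the two posts above, with a hidden field whose name is a server-derived token and a save handler that rejects posts lacking it. DEMO_SECRET, demoSpoofValue(), demoRenderForm() and demoSpoofCheck() are hypothetical names, and deriving the token from a per-site secret plus the session id is an assumption; the thread does not show how josSpoofValue() computes its value.

```php
<?php
// Added illustration of the pattern, not Joomla!'s implementation.
// DEMO_SECRET, demoSpoofValue(), demoRenderForm() and demoSpoofCheck() are
// hypothetical names.

const DEMO_SECRET = 'constructed-demo-secret'; // assumption: per-site secret

// Derive the hidden field's name from the site secret and the session id, so
// another site cannot predict it for a given visitor. The 'j' prefix keeps
// the name from ever being treated as a numeric array key.
function demoSpoofValue(string $sessionId): string
{
    return 'j' . hash_hmac('sha256', $sessionId, DEMO_SECRET);
}

// Part 1 (mycomponent.html.php): the token is the field *name*, value is 1.
function demoRenderForm(string $sessionId): string
{
    $validate = demoSpoofValue($sessionId);
    return '<form method="post" action="index.php">' . "\n"
         . '  <input type="text" name="title" />' . "\n"
         . '  <input type="hidden" name="' . htmlspecialchars($validate, ENT_QUOTES)
         . '" value="1" />' . "\n"
         . '</form>';
}

// Part 2 (mycomponent.php): refuse to save unless the expected field came back.
function demoSpoofCheck(array $post, string $sessionId): bool
{
    $expected = demoSpoofValue($sessionId);
    return isset($post[$expected]) && $post[$expected] === '1';
}

// Constructed requests for one visitor session.
$session = 'constructed-session-id-1';
$token   = demoSpoofValue($session);

$cases = [
    'form rendered for this session' => ['title' => 'Example', $token => '1'],
    'post without the hidden field'  => ['title' => 'Example'],
    'token from another session'     => ['title' => 'Example',
                                         demoSpoofValue('constructed-session-id-2') => '1'],
];

echo demoRenderForm($session), "\n\n";
foreach ($cases as $label => $post) {
    printf("%-32s %s\n", $label, demoSpoofCheck($post, $session) ? 'accepted' : 'rejected');
}
```

With the function_exists() guards from the post above, a site running a version without these functions renders no token and performs no check, so its forms stay unprotected until the core is upgraded.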


PostPosted: Fri Jun 23, 2006 9:07 pm
Joomla! Apprentice

Joined: Fri Jun 23, 2006 9:04 pm
Posts: 45
My first post here - would like to say that I love Joomla and really appreciate the hard work that has obviously gone into it...

However I am very security paranoid and am wondering if there is an estimated date for an official patch for this exploit...or when will 1.0.10 be released?

Thank you  :) :D ;D


PostPosted: Sat Jun 24, 2006 2:28 am 
The Joomla dev team would rather finish a monolithic update than recode 1 file and release it as an interim patch....
High level sql injection threat and no mention of it on the NEWS side of the site...

Please tell me how any of this relates to Joomla's core statement
Quote:
The name Joomla is a phonetic spelling for the Swahili word "Jumla", which means "all together" or "as a whole". It was chosen as the entire team behind Mambo was unanimous in their commitment to protecting the interests of the project and community


PostPosted: Sat Jun 24, 2006 2:38 am
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 427
Location: Argentina
Quote:
High level sql injection threat and no mention of it on the NEWS side of the site...


Agree 100%

Have a nice day
Gustavo Raúl Aragón

_________________
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org


PostPosted: Sat Jun 24, 2006 8:43 am
Joomla! Master

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16546
I personally don't think it is smart to post critical security threats on the news site when an official patch hasn't been released. When 1.0.10 will be released, the news item will follow on the frontpage. Also the people who have subscribed to the announcements forum here will get a notice as well. This patch is due out soon, Rey will make the announcement when it is out.

_________________
Joomla forum global moderator.

Have fun


PostPosted: Sat Jun 24, 2006 9:28 am
Joomla! Hero

Joined: Mon Aug 15, 2005 4:36 pm
Posts: 2756
Location: Marikina, Metro Manila, Philippines
Joomla! 1.0.10 will be released within the next 24-48 hours.

It has been sent to testing teams for final approval for release.



Until then the suggested temporary fixes in this thread are all valid.

Also note that although this is a [High Level] threat it works in only certain circumstances and is not a `full` vulnerability.
For a [Critical Level] Threat we would have undergone a much quicker release cycle - however the nature of this threat has afforded us more time to complete 1.0.10 and to test it more thoroughly.

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D


PostPosted: Sat Jun 24, 2006 12:16 pm 
Tonie and Rey -

Thank you for your response. What you are saying makes sense. We are all a bit paranoid and want to protect our Joomla! sites, so, the growing concern was a result of the SVN post, but no word on 'what's next.' However, Tonie, your note very logically explains why. And, Rey, yours is an encouraging response and a perfectly acceptable timeframe.

One word on end-user community comments - it makes me very proud to know that openness is acceptable here in the forums when people feel they must speak. I am also proud of the openness I have seen, here. The posts were polite and encouraging us to evolve to a "better" place. I am most *especially* proud of the rapid, honest and unemotional response of two of our core team members to these concerns.

Thank you for your continued patience with us in the end user community as we sometimes become anxious and speak!

Amy  :)


PostPosted: Sat Jun 24, 2006 12:44 pm 
Tonie wrote:
I personally don't think it is smart to post critical security threats on the news site when an official patch hasn't been released. When 1.0.10 will be released, the news item will follow on the frontpage. Also the people who have subscribed to the announcements forum here will get a notice as well. This patch is due out soon, Rey will make the announcement when it is out.

Security through obscurity is no security at all. Malevolent internet users and groups may check core software sites for announcements, but in truth they look at other security websites and resources to swap information. The fact of the matter at hand is Joomla is an opensource project, highly popular and multiple users have contributed to a patch. By not disclosing the security threat the entire community is at risk. It should be the sole discretion of the site administrators to take the appropriate actions they deem necessary, along with links to the various suggested user workarounds while the developers work on an official patch.

Reason I say such things is for the past week I have stared at the boards off and on, never even noticed the SQL injection threat till last night. When I did, I woke people out of bed at another design firm so they could alert their clients of the threat and the patch.


Last edited by digitaldentist on Sat Jun 24, 2006 2:23 pm, edited 1 time in total.

PostPosted: Sat Jun 24, 2006 11:03 pm
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10525
Location: Leeds, UK
Digitaldentist, I do agree with you that "Security through obscurity is no security at all" and that the general practice regarding security alerts and fixes here at joomla is a little bit different from the norm for an open source project.

In reality the problem is that Joomla! has broken beyond the realm of the geek "open source or nothing" market place and is a mainstream product with mainstream users. As such it is probably correct that a security release/info policy such as the one that is in place right now is correct.

For myself I am subscribed to this entire forum section so that I receive email notification of any posts and there have been numerous ones on this issue together with fixes and explanations.

(there have also been posts of security issues with 3rd party extensions here that have not been acknowledged)

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Sun Jun 25, 2006 12:34 am
Joomla! Intern

Joined: Thu Jan 26, 2006 11:36 pm
Posts: 71
Location: Los Angeles, California, United States
Thanks very much for your quick attention and both versions of the temporary fix websmurf, it worked perfect on my install :)

_________________
-Tyler D.
Web Developer & Integrator: http://www.LasVegasExtremes.com


Last edited by tyler on Sun Jun 25, 2006 1:16 am, edited 1 time in total.

PostPosted: Sun Jun 25, 2006 7:09 am
Joomla! Enthusiast

Joined: Wed Sep 14, 2005 5:59 am
Posts: 113
Ciao:
Please could you send an email, in your language, to the server at the URL that appears at the bottom of securityfocus?
They need to know about this problem. And we need to stop this abuse sending mails to hostings.
Thank you!
Best Regards!

Bettinz wrote:
Sorry for my English, but I'm Italian  ;)
I've read about this vulnerability in Mambo, and I ask you if Joomla is protected against that
http://www.securityfocus.com/archive/1/437496


PostPosted: Mon Jun 26, 2006 1:47 am
Joomla! Explorer

Joined: Fri Aug 19, 2005 12:51 pm
Posts: 427
Location: Argentina
I still don't get why you stop using the patch way to patch security holes (like in Mambo), instead of a totally new release to fix several errors; it's not logical at all if you want to keep joomla secure.

Have a nice day
Gustavo Raúl Aragón

_________________
Comunidad Joomla: Maintenance, support, translation and distribution for the Joomla!. Help site online. Member of the Spanish [es_ES] Joomla Translation Team. http://comunidadjoomla.org


Last edited by gustavo on Mon Jun 26, 2006 1:52 am, edited 1 time in total.

PostPosted: Mon Jun 26, 2006 2:44 am
Joomla! Intern

Joined: Thu Dec 08, 2005 8:38 am
Posts: 60
I find it a little puzzling that the joomla team gives more priority on their website to "International PHP Magazine Features Joomla! 1.5" than a high security risk that has the potential to have all current joomla sites hacked.

Please,  please,  please.  I hate sifting through subforums  to find verbose answers to security risks.

Please take security seriously.  Here are suggestions,

1. A dedicated webpage listing all current security vulnerabilities, and the appropriate fixes.

2. If risk is high then instructions on patching users' current version should be given, along with which version the fix has been (will be) incorporated. Never force people to upgrade, as it leaves sites flapping in the breeze as they have the extra task of seeing if the upgrade breaks anything else. (example - upgrading from 1.0.7 breaks the mosCE editor, plus a few other things as well.)

2. Never tell people just to wait until the next version, again it leaves sites flapping in the breeze, vulnerable to hackers.


Being a mainstream product is even more reason to make security issues less obscure,  big companies like Microsoft learnt this the hard way,  Does the Joomla team really need to learn the hard way too ?


In the meantime I thank the Mambo website for alerting me to the security issue (thus prompting me to hunt through this forum) and providing the fix that I can apply to all my existing websites with various versions of joomla in the shortest possible time.


Last edited by bigmudcake on Mon Jun 26, 2006 2:52 am, edited 1 time in total.

PostPosted: Mon Jun 26, 2006 2:55 am
Joomla! Master

Joined: Fri Aug 12, 2005 12:38 am
Posts: 13388
Location: Sydney - Australia
Dev Status is always available here: http://dev.joomla.org/content/blogcategory/21/86/ and by subscribing to the announcement section of these forums you will immediately be notified of any important releases/security fix etc etc.

Subscribe here: http://forum.joomla.org/index.php?actio ... ;board=8.0

_________________
Brad Baker - Follow me on Google+
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help & Tutorials
^Now with Joomla 2.5 and Joomla 3.0 Tutorials


PostPosted: Mon Jun 26, 2006 2:56 am 
BigMudCake < like the name, BTW > -

I have to laugh - because the core team can't win! Some of us gave Mitch a hard time because he did not have his article "International PHP Magazine Features Joomla! 1.5"  published for the community to see. I was happy to see it out on the News site. < But, do you think I emailed him to thank him? Nope. > So, poor guy, got in trouble when it wasn't there, now, because it is. It doesn't pay to be on the core team -- anything, actually, not a dime and no respect!

Also - hopefully, you read this thread because I believe the core team has already responded to each of your points. There may be a difference of opinion on exactly how to handle things, but Tonie and Rey did answer the questions you have asked -- above your post five or six posts.

Tonie responded to why they do not want to highlight security issues.

2. No one is being forced to upgrade -- and there are instructions in this thread -- and the instructions have been "smiled upon" by Rey, who is in charge of maintenance. So, sites should not be flapping in the breeze, as it were!

3. No one has been asked to wait, either, see Rey's response in #44.

As far as "sifting through subforums" - see Tonie's response in #43 where he recommends subscribing to the announcements forum.

None of us like security scares and no one is to blame -- least of all the core developers -- so, let's read what is available and try to keep emotion in check. These guys absolutely are taking security seriously and have since I signed up in November. You might consider how that note sounds to those who have been working hard *for free* *for us* *for awhile!*

Take care, okay?
Amy

BTW - that was another core team member who cares about security!  8)


Last edited by AmyStephen on Mon Jun 26, 2006 2:59 am, edited 1 time in total.

PostPosted: Mon Jun 26, 2006 3:59 am
Joomla! Intern

Joined: Thu Dec 08, 2005 8:38 am
Posts: 60
I think it's because I find it a little frustrating.

I brought it up once before about lack of information regarding security issues off the main website, but unfortunately it turned into a joomla zealot [drive] thread instead of rising above the joomla/mambo politics.

http://forum.joomla.org/index.php/topic ... #msg219779

I do applaud especially stingrey, who always works so hard coding AND finds the time to publish security info and fixes. I appreciate this more because his attitude about security issues rises above all the politics and he gives the info we need.

But for the more mainstream user, busy website maintainers, and new users: they shouldn't have to try and track down where the security info is posted, especially when it also includes all the posts and opinions of everyone on how to solve it. It can get very confusing, and take a lot of time.

There is no mention on the main website on even where security info may be found, or how it is organised.

I am especially worried that if we didn't have Rey, then we might get no info at all in a timely manner.


PostPosted: Mon Jun 26, 2006 4:05 am
Joomla! Master

Joined: Fri Aug 12, 2005 12:38 am
Posts: 13388
Location: Sydney - Australia
Your suggestion was noted then, as it is now.

_________________
Brad Baker - Follow me on Google+
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help & Tutorials
^Now with Joomla 2.5 and Joomla 3.0 Tutorials


PostPosted: Mon Jun 26, 2006 5:12 am
Joomla! Hero

Joined: Mon Aug 15, 2005 4:36 pm
Posts: 2756
Location: Marikina, Metro Manila, Philippines
Upgrade to Joomla! 1.0.10 Security Release!
http://www.joomla.org/content/view/1510/74/

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D


PostPosted: Mon Jun 26, 2006 5:37 am
Joomla! Hero

Joined: Mon Aug 15, 2005 4:36 pm
Posts: 2756
Location: Marikina, Metro Manila, Philippines
bigmudcake wrote:
Please take security seriously.  Here are suggestions,

I can assure you we take Security very seriously. 
We have lost serious levels of sleep simply confirming whether threats are indeed correct and then creating fixes where necessary.
We communicate across boundaries, as in this case with former members of Team Mambo at http://www.mamboguru.com (and thanks for their assistance).



bigmudcake wrote:
1. A dedicated webpage listing all current security vulnerabilities, and the appropriate fixes.

As it happens this is on the todo list, but as always this takes time to do and the priority has been coding, so this project has not been started yet unfortunately.  But rest assured it is something that I have personal interest in seeing created.



bigmudcake wrote:
2. If risk is high then instructions on patching users' current version should be given, along with which version the fix has been (will be) incorporated. Never force people to upgrade, as it leaves sites flapping in the breeze as they have the extra task of seeing if the upgrade breaks anything else. (example - upgrading from 1.0.7 breaks the mosCE editor, plus a few other things as well.)

* The usual case when a security vulnerability is found - of any nature, is that an analysis is done to secure the codebase from future attacks of similar nature and additional hardening is taken.
* By its nature a dedicated security patch to fix a specific vulnerability would only secure you from that particular vulnerability and would not have the additional security hardening that occurs - as occurred in this case, where additional hardening has indeed been introduced. This hardening then lessens the likelihood of future attacks occurring - pre-emptive defense.
* Releasing dedicated security patches to address High to Critical level threats will probably encourage users to maintain earlier versions of the codebase, meaning that they will not benefit from security to Medium to Low level threats.
* Some fixes are dependent on a large number of fixes over a large number of files, that are dependent on Code introduced in progressive releases of the codebase, so there is no guarantee that a suggested fix will properly protect the earliest versions of the codebase, which may not have the other dependent code. The only way this can be assured is by using Full Releases. Cumulative use of Specific security patches may not be as effective as the Full Release.
* Most users do not have the ability, proficiency or confidence to introduce specific security code changes themselves
* If you release Security Patch files with the security changes (not simply posting the fixes for users to code themselves), you would most probably need to release versions for every version of the codebase to cover any differences between them, which would be about as much work for the Team as releasing a Full release.



bigmudcake wrote:
3. Never tell people just to wait until the next version, again it leaves sites flapping in the breeze, vulnerable to hackers.

Our response is predicated by the nature of a security vulnerability found.  For Critical Level threats (our highest rating) we work towards a 24-48 hour release response.
For High Level or lesser bugs a longer period may be taken dependent on the nature of the threat - as occurred here, where the nature of the threat meant its severity was to a certain extent limited.

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D


Last edited by stingrey on Mon Jun 26, 2006 7:58 am, edited 1 time in total.

PostPosted: Mon Jun 26, 2006 6:11 am
Joomla! Master

Joined: Fri Aug 12, 2005 7:19 am
Posts: 10525
Location: Leeds, UK
Rey

Just wanted to say that all of your hard work (and long hours) in ensuring that Joomla! 1.0x is as secure as possible and that responses to security issues are dealt with in such a timely and efficient manner is appreciated.

I have seen so many projects that just sit back and ignore these issues ......

_________________
"Exploited yesterday... Hacked tomorrow"
Blog http://brian.teeman.net/
Joomla Hidden Secrets http://hiddenjoomlasecrets.com/


PostPosted: Mon Jun 26, 2006 8:00 am
Joomla! Hero

Joined: Mon Aug 15, 2005 4:36 pm
Posts: 2756
Location: Marikina, Metro Manila, Philippines
I also am cognizant that part of the problem is that we haven't clearly communicated our Security and Stability principles, guidelines and mandate - this does cause some uncertainty.

So it is also on my todo list to clearly outline on dev.joomla.org the project Joomla! Security and Stability principles.

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

