The Joomla! Forum ™

Congrats Rey, on getting the new release out so quickly

While I understand the concerns expressed by some who have posted here, I think perhaps we should all remember that ALL open source code is vulnerable. It is vulnerable because it is out there for everyone to see and everyone to play with. Joomla could have dozens of devs  analysing the code for security and it would still never be 100% absolutely secure because there are potentially tens of thousands of script kiddies trying to break it or find some way to make it behave in an unexpected way.  ALL popular open source code is a target for the guys who are out to do mischief (and worse).

To see the level of dedication of the team in keeping the code as secure as possible you only have to go check the reputable advisories - then compare the number and severity to other popular OS scripts.  Not only have there been very few, but the responsiveness with which they have been handled is a real credit to the team and to Rey in particular.  Notice of a potential vulnerability came out on 19th June - a week later this is fixed with a new release out. bigmudcake talks about Microsoft learning the hard way - well, even Microsoft with their legion of full-time paid employees doesn't get security fixes out this quickly!  Well done Team Joomla!

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

Would like to acknowledge the assistance of Elpie and Counterpoint [of http://www.mamboguru.com fame] for their assistance and keeping us abreast of possible security vulnerabilities in the Joomla!/Mambo sphere.

Also a security change/hardening of mosgetparam introduced in 1.0.10 came from the work of Counterpoint on Mambo, will blog about this shortly as it may affect 3pd extensions.

But thanks to them for their assistance in the true open source spirit.

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach

Thanks to the good guys!

_________________
Jean-Marie Simonet / infograf · http://www.info-graf.fr
Multilanguage in 2.5: http://help.joomla.org/files/EN-GB_multilang_tutorial.pdf
---------------------------------
Joomla Translation Coordination Team • Joomla! Production Working Group

This is why I have always said news for the sake of just having news is not always the smartest thing to do...
Because when there IS something important to say it can easily get lost, ignored or becomes the focus of complaints because between the time something important has been identified (usually here on the forums) and the time a clear and well written press release is made someone always manages to get a dig in!

I agree with the decision not to ANNOUNCE a security flaw until the fix was complete!
No need to alert the users of a flaw that they can't fix. It only serves to create fear and worry until a solution and it informs any script kiddy that hey there is something to hack tonite!

EVERY security system has a flaw... The only reason we have any semblence of security is because those flaws are not widely known. One thing to have a really smart hacker find one but it's another thing to tell the not smart ones how it's done!

As for releasing individual fixes as Mambo does I disagree! That might help the users already running it but those users who are going to make a new install are installing an insecure version unless a full release incorporating the fixes is available!
These users would then have to go hunting for individual fixes after initial install to have a secure install...

It is not something I hope the J! team ever does!
This method is much better because not only does it provide a quick upgrade for current users but at the same time there is a full package release that makes any new users secure as well!

Congratulations and many thanks to the whole Team - and especially Rey - for this release! That's really great, security holes fixed and also fixed many more issues with 1.0.9 in one week! Your hard work and the time that has gone into this is really very much appreciated!

Now after most arguments on when to publish security related information have be said, I'd like to ask a question on what to publish here on the forums. Apparently there have been quite some people asking on how to secure their installations before the new package was out. As there was only the one know vulnerability (com_weblinks) discussed on the forum, I decided not to talk about the other holes here, in case some crackers or script kiddies are reading these forums as well (which I believe they do). But then, on the other hand, they are also able to see all changes done to SVN, which already might give them some hints on where in the code are some more security issues.
That said, I think it wouldn't be to bad to post such information also on this forum. So for the next security issue (I hope there won't be any :-)), would it be OK to publish this information here? (Of course only on how to fix the hole... I would have done so, but just didn't dare to  )

Best,
Enno

_________________
We may not be able to control the wind, but we can always adjust our sails

Maybe a suggestion is to have a dedicated Security Team, similar to the Documentation Team,  so the burden of security releases and tracking of issues doesnt keep falling with Rey. 

The the security Team can have a "closed" forum to discuss unpublised security issues,  and a webpage that summerizes all published security issues and their suggested fixes.  The Team needs to also understand that there are alot of modified joomla sites out there who cant simply upgrade,  plus the risk of breaking 3rd party software in the course of upgrading. 

Maybe The Security Team can focus on 2 areas; longer term future hardening of the code and exploit testing, and short term patches to thawt publicised attacks.

I mean't your suggestion to add security information to the frontpage has been noted.

There is a 'Security' team, their forum is here: http://forum.joomla.org/index.php/board,179.0.html If you would like to help, please let us know, and before you ask, yes, they do have a private 'closed' forum that they use.

In case you missed the reasons behind Rey's (and his team's) efforts: WE TAKE SECURITY VERY SERIOUSLY

_________________
Brad Baker - Follow me on Google+
http://www.rochen.com - Joomla! Hosting, the correct way.
http://www.joomlatutorials.com <-- Joomla Help & Tutorials
^Now with Joomla 2.5 and Joomla 3.0 Tutorials

Maybe I was a little harsh,  so I removed my comment further up,  I want to try and keep discussion constructive.

I looked at the forum mentioned at http://forum.joomla.org/index.php/board ... tml,&nbsp; It seems more related to bug tracking, Quality and Testing,  then security.

Brad - Just a question....
It may already be in place...Is there an email account to send security alerts to the security team?
Something like Security@Joomla.org so that anyone finding an exploit can notify the security team without also giving a public announcement of how to exploit it? LOL


I know people want fast action on security issues but I would point out that it has been about a day (maybe two) since this was identified as a security threat to Joomla and the teams already have a fix out...
You don't get much better than that on the ACTION front if you ask me...

I mean any quicker would mean the patch was out before the hole was found! LOL


And anyone who wants to help in regards to security the best way anyone can help is (if you have the skills) to hack your own site (or a test site even) and try to identify these holes BEFORE some malicious grunt finds them and ruins a site!

There are many tools out there that people can use. I won't name them here (if anyone from the security team wants to know, PM me but I will only tell actual members of the security team and I will check before I reply!!!!!)

but if the script kiddies can find them so can you!

Bottomline is you really have to be dilligent about your security, even one hole (Dangling 777 for instance) makes all the security patches in the world useless!all it takes is one babd PHP script to be written to a folder and it can be executed giving access to the hacker!

And while I'm all for doing anything to make Rey's life 10 times easier I think the team has done a bang up job under rushed circumstances to get us this patch as quick as they could!
Maybe if we could find these holes for them before the script kiddies got their hands on the exploits they wouldn't have to stay up until 4am scrambling to get a desperate fix in...

For what it's worth I think that everyone (and especially Rey) has done a stunning job in getting this new version out in such a short time. 

I used to run a support team investigating and fixing important customer bugs in software amounting to a couple of million lines of code. It's not easy. Having a litigious customer breathing down your neck or thousands of users in the case of Joomla! doesn't make it any easier. It is also frighteningly easy to fix one problem and introduce another.

I don't know to what extent third party add-ons are tested for compatibility with new versions but this must make things much more difficult for Rey and the others.

Something that i have been wondering about for a while is this: What happens with components which are derived from core components? Are they fixed at the same time? Do the developers get notified of changes to the core components? Are they left with vulnerabilities until the developers get round to fixing them?

I imagine that the core developers probably review each others code formally or informally but I am guessing that third party components are not code reviewed at all. Is that what happens? (or rather doesn't)

A final point because Joomla! is open source it probably does make easier for the malicious to find exploits. But there are many more eyes to find them from our side too (that is the Joomla! developers and users).  If Joomla! were to be closed it would be harder but not impossible for the malicious to find exploits. Consider Microsoft and Windows. Windows is a closed development system but those motivated to find exploits still manage to do it with monotonous regularity.

Thanks again for the new version. 

Nick

_________________
http://kotarski.co.uk :: http://www.lifechangesnow.co.uk

Security falls within the mandate of the Stability Team.  All releases within the Stability mandate fall under the heading of Stability Releases which are general bug fixes of issues in the Stable codebase or the heading of Security Releases which are made in deirect response to discovered Security vulnerabilities.



While the idea of a dedicated Security Team is essentially sound, more teams means requires more manpower and more management overhead. 
While it may seem ludicrous to propose that an Open Source project may have manpower issues, one must remember involvement in an OS project at any level requires a large degree of time and committment of individuals - something that comes from peoples free time.  Also there is the matter whether people have the expertise and knowledge to be appropriate - especially in regard to deep knowledge of the Joomla! codebase.  Lastly related to this issue of whether the individual(s) truly believe in the concept of Open Source.



To a certain extent the duties/requirements of General Bug Fixing and Security Fixing are essentially the same, so a dedicated Security team  may be slightly redundent.  Also we have a separate Quality & Testing Working Group who aids the work of the Stability & Development groups by testing the codebase.




We already have private areas for such discussions and sometimes, security threats reported in these forums are moved to this private area.




As I have discussed previously, this is something that is on my personal todo list.




While I understand and appreciate the problems, I outline my response to this here:
http://forum.joomla.org/index.php/topic ... #msg373406

Also basically a separate Security only patch would basically represent a new trunk of the codebase that we would also need to cater for.
Also a site running a lesser version with all Security patches only, will not necessarily be as secure as the latest Full Release.

Saying this idea (security only patch) is something we will examine and consider to determine if it is workable within the resources that we have available. 

Please remember, that there is no abundance of sound and good ideas, unfrotunately we are faced with very scarce and limited resources that due to practical considerations reduce what we are able to achieve

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach

Actually this email address is in fact active and is our dedicated security email address and something that we monitor closely.
However, to a certain extent we limit its visibility as we do not want people to use it as a general support address.  It is usually given out if a person demonstrates a likelihood of having demonstrated a security vulnerability.




Any White Hat assistance is always fully appreciated and in fact there are already several community members who have aided in finding security vulnerabilities before anyone else and reporting them to the team for addressing.  And for this we thank them for their invaluable assistance they have provided and urge them and others to continue this kind of extremely invaluable assistance

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach

The Joomla! core team does not specifically test compatability with extensions.  We rely very much on developers keep track of stability work done and reporting these too us.  Also some extension developers have worked very closly with us to address possible comaptability issues.  These kind of linkages are invaluable to us, as there is no way we can test all extensions and do not have the knowledge of extensions as their own developers/testers do.  One example of the strong deveopmental relationship with a 3rd party extension is the Community Builder project.  The CB development team are also invovled in Joomla! working groups and are some of the most active testers of the stability work done.  They have also made there own testing group for testing of Beta releases of the Stability codebase.
And we welcome and encourage any and all extension developers to engage in these kind of inter-relationships with Prject Joomla! they can only benefit both parties and the users they serve - our door is always open.




This is something only Extension developers can comment on, however, we would hope that they track developments within the Stability codebase closely.  Do we (Project Joomla!) contact them directly, the answer is no, it is simply too difficult to monitor all the extension developers that now exist, such a push communication relationship would strain the resources Project Joomla! has available, the only way it can work is via a pull communication relationship with extension developers monitoring developments themselves and giving Project Joomla! direct feedback.




Yes this occurs, but obviously it could be far better and hopefulyl new intiatives can be put in place to address code quality far better.

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach

This is the dedicated Secuirty Forum, so this is the most appropriate place to post security concerns.
We are happy to post vulnerability fixes - though it would not be in the best interest to post full information on how to exploit a vulnerability.

If in doubt I would post the information in these forums, and if the matter is to sensitive for publc consumption, then it will simply be moved into secure/private areas of the forum.

From our point of view we would rather have the information so we can examine and where necessary address them.

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach

Thanks for the clarification. Of course I'm only talking about fixes!


Not a problem at all. Maybe I didn't point out clear enough that I was talking about holes that already have been fixed in SVN, so it's only things you know about

Thanks again for the info!
Best,
Enno

_________________
We may not be able to control the wind, but we can always adjust our sails

First of all THANK YOU for getting the security update out so Fast!
Greatly Appreciated!!!

One Serious Concern- Don't you think posting exactly which files are vulnerable and to what type of attack on the front page is a HUGE Security Problem for anyone who doesn't drop by here daily? 

I mean seriously, it looks like you just gave every hacker in the universe the Keys to every Mambo and Joomla site and server who didn't get the message and upgrade immediately.  You had me at MUST UPGRADE...  I Freaked when I saw the "where to go and how to exploit it" section.

Please take this post as it is intended as a security concern being raised and I'm paranoid as I've already lost one server this year to hackers. But, that's another story...

Thanks again for Taking care of the security fixes that fast! 
Eric

_________________
Imagination is more important than knowledge.

Eric - you do understand vulnerabilities and specifics are listed on Secunia, and other security monitoring websites? < http://secunia.com/advisories/20746/ > Amy

Hi Amy,
Thanks for the link. Yes I am aware that there are many places on line to learn about security vulnerabilities.

My main concern is for the Joomla community at large, particularly everyone who doesn't work on websites daily. Many Joomla users may not come here until they decide they want to upgrade something on their site.  Meanwhile, there's directions on where to exploit their "old" site on the front page of Joomla.

The point I was trying to make is that we edit that type of detailed info out of the forums. Why would we want it on the front page?

Thanks for your feedback,
Eric

_________________
Imagination is more important than knowledge.

I hear you, Eric. My only point < just to make you MORE concerned...lol > is that the sites that the "bad guys" visit is most likely the other one -- and, if you checked the links on that page -- the guns are there and loaded. Don't know the answer -- and your post was really nicely worded -- I appreciate that. Cheers! Amy

Hi Eric,
This kind of information falls into the "damned if you do, damned if you don't" category. Once vulnerabilities are known they are posted all over the Net and its usually not hard to find the code used to exploit them. Everyone running a site *should* be aware of this and its up to each person to ensure they keep up with any security alerts. People do not need to visit this site - all they need to do is subscribe to security alerts so they get notification as soon as fixes are released.

The information on the frontpage of Joomla is there to alert users to the need to upgrade. There is nothing there that isn't already in a large number of places on the Net. First, SANS, Secunia, Netcraft and probably a whole heap more security sites have published the vulnerabilities, as have hacker sites. The vulnerabilities are mentioned in blogs and in online media sites. If a Joomla user stumbles across any of these then comes here and doesnt see the information, we get two things happening - loads of questions in the forums, and others who just assume that if Joomla hasnt mentioned it then the threat can't be real/significant/whatever.

The Joomla team asks everyone to subscribe to the email notifications. It's up to the users to do this.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

Yes we understand the concerns, but we feel there is a greater duty to inform the community that vulnerabilities exist and that they need to upgrade to teh latest versions for their safety.

It should be noted that nowhere on the forums or on any of the official sites is the exact method and mechanics of how to exploit a vulnerability discussed.  The news item about 1.0.10 and its changelog only describes generally that an exploit/vulnerability exists.  Even in this thread, there is no direct mention of the attack delivery method. 

However, the method/mechanism of attack is explained in full detail in various online security sites.



Unfortunately we see no other alternative method of informing our community of users that they should upgrade to the latest versions, apart from making it very clear on the frontpage of the official site.  Even if one took a more discreet method of simply emailling all registered users on this forum, I would garuantee that there are blackhat individuals who are members of this forum.

And as pointed out there is more detailled information about exploits all over the web.

_________________
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me
Partner, Business Development & Project Manager, Event Manager, Sports Coach

For this reason everyone is urged to subscribe to the security announcement threads so that they will at least get an email when something comes up.


I don't think there is a problem announcing a security threat...Where the danger is, is in posting the actual means of attack publicly.
Simply saying there is a vulnerability in fileA is not really helpful to a hacker because he also needs to know WHAT the vulnerability is and how it is attacked!

your never going to stop the really smart hackers...They can easily download a PHP coded Release and scan it for known exploits in PHP or engineer new exploits because they know what they are doing...

The real problem is once a tool is created by these REAL HACKERS that allows unskilled hackers (or script kiddies) to make attacks without really knowing the first thing about how it is done!

This most recent vulnerability was found almost a year ago...
It's taken this long for it to get widely used which means some posting of the exploit or a script made to take advantage of it has finally reached the script kiddies!

Notifying the public about a vulnerability is not dangerous. Telling the public how it is done is!
Saying there is a vulnerability should be enough to inform users to make a current backup of their system and save it locally...
then they are safe until a patch is released because they at least can get back to unhacked status!

Hello Everyone,
thanks for all the responses. Points All very well taken! 
It was the script kiddies I had in mind when I made my first post. But I guess your right; "damned if you do damned if you don't." I certainly found it motivating... I migrated seven sites to Joomla on Tuesday. 
As my security guy always likes to point out "the Only way to completely secure a site is to unplug the server."

Once again, a big thanks to team Joomla for the best CMS on the planet!
Eric

_________________
Imagination is more important than knowledge.

LOL Actually Eric...unplugging the Cat5 cable and the keyboard works just as well as shutting it off! LOL

Actually that is not enough. It has to be off at the mains and unplugged unless it is in a shielded room like the spooks use. 

Nick

_________________
http://kotarski.co.uk :: http://www.lifechangesnow.co.uk

I'm on .10, and the apostrophe error is still there.  It shows up in the display when web links are listed, as well as showing up in the admin side in three places: The list of weblinks, in the editor for the weblink and in that screen's ordering lists.  You can remove the escape characters by using "stripslashes( )".

In /components/com_weblinks/weblinks.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 1 time.

In /components/com_search/search.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 1 time.

In /administrator/components/com_weblinks/admin.weblinks.html.php, find "$row->title" and replace it with "stripslashes($row->title)" - 3 times.

In /administrator/components/com_weblinks/admin.weblinks.html.php, "$lists['ordering']" and replace it with "stripslashes($lists['ordering'])" - 1 time.

Tried this fix but no joy, I still get the escaped apostrophe

1.0.10 Stable , CB 1.0, Joomlaboard 1.1.2 Stable

Which one? The fix from the last post, or the one from post #36? #36 should work. You need to save the weblinks that have backslashes again though, without the backslashes...

_________________
We may not be able to control the wind, but we can always adjust our sails

No, I didn't try #36 yet. Can you clarify where in weblinks.class.php this code should go? Thanks!

Sure, here you are:

Old:
[code=weblinks.class.php, line 85]
// SQL injection protection
$this->catid = intval($this->catid);
$this->title = $this->_db->getEscaped( $this->title );

/** check for existing name */
$query = "SELECT id"
. "\n FROM #__weblinks "
. "\n WHERE title = '$this->title'"
. "\n AND catid = $this->catid"
;
$this->_db->setQuery( $query );
[/code]

New:


Hope this helps

_________________
We may not be able to control the wind, but we can always adjust our sails