[PATCH AVAIL.] OpenSEF 2.0.0 RC5
- RobS
- Joomla! Ace
- Posts: 1366
- Joined: Mon Dec 05, 2005 10:17 am
- Location: New Orleans, LA, USA
- Contact:
[PATCH AVAIL.] OpenSEF 2.0.0 RC5
There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5. We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem. Please download it from the link below and follow the simple instructions to update your OpenSEF installation.
Please see: http://www.open-sef.org/news/security_p ... ensef.html
Last edited by RobS on Wed Jul 19, 2006 5:08 am, edited 1 time in total.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: Security patch for OpenSEF 2.0.0 RC5
Note: It is not clear in the OpenSEF documentation what to do with the patch.
In case you don't know, you will upload the patched file to:
components/com_sef
and overwrite the old file of the same name.
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick
- kavaXtreme
- Joomla! Intern
- Posts: 74
- Joined: Tue Dec 13, 2005 9:56 pm
- Location: Oregon
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
What version number will display once the patch has been installed?
- Bible Yellow Pages: http://www.bibleyp.com
-
- Joomla! Enthusiast
- Posts: 203
- Joined: Fri Aug 04, 2006 12:38 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
The link for the security patch isn't working.
-
- Joomla! Fledgling
- Posts: 4
- Joined: Wed Dec 21, 2005 2:06 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
OpenSEF have moved to a new site - try and search from:
http://forum.j-prosolution.com/news-discussion/
Btw, patch is only required if you downloaded RC5 before the patch was released. The current release contains the patch already. Instructions on how to apply the patch available on the forum.
- nathandiehl
- Joomla! Champion
- Posts: 6044
- Joined: Fri Aug 19, 2005 3:03 pm
- Location: Indiana, USA
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
Here is a link to download:
http://projects.j-prosolution.com/proje ... ensef.html
OpenSEF 2.0.0-RC5_SP2 is the newest version (as of 25-Sep-2006)
If you're new to Joomla, Please read Anna's Joomla! Tips: http://forum.joomla.org/viewtopic.php?t=5503
http://nathandiehl.com | Find out what makes me tick
- kavaXtreme
- Joomla! Intern
- Posts: 74
- Joined: Tue Dec 13, 2005 9:56 pm
- Location: Oregon
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
Thanks, Nate. I thought that was the case, but since this is a security issue I really wanted to get that extra confirmation.
- Bible Yellow Pages: http://www.bibleyp.com
- Predator
- Joomla! Ace
- Posts: 1823
- Joined: Wed Aug 17, 2005 10:12 pm
- Location: Germany-Bad Abbach
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
aaanativearts wrote: The link for the security patch isn't working.
Version on the forge has this included, also have fixed the link, so the old link with open-sef.org in it works now again.
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team
- C.Ludwig
- Joomla! Apprentice
- Posts: 26
- Joined: Wed Sep 20, 2006 10:38 am
- Location: München
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
Hi,
for those who are still using OpenSEF 2.0.0 RC5 < SP2:
here is the latest link where you can find the patch and information about how to install it:
http://projects.j-prosolution.com/en/pr ... ensef.html
Predator wrote: ... so the old link with open-sef.org in it works now again.
open-sef.org seems no longer to exist!?
Christian
-
- Joomla! Explorer
- Posts: 268
- Joined: Mon Sep 19, 2005 8:49 pm
- Location: Empangeni, South Africa
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
When I uploaded the patched file I got:
Fatal error: Cannot instantiate non-existent class: josopensefconfig in /usr/www/users/empangzf/dev/components/com_sef/sef.php on line 26
So I just put the old one back until I can get some help on the above error message.
I also see that open-sef.org doesn't load. Any idea why?
Web Energy - Website Designs and Joomla Development in Empangeni, South Africa - http://www.webenergy.co.za
-
- Joomla! Champion
- Posts: 5924
- Joined: Tue Aug 23, 2005 1:56 pm
- Location: South coast, UK
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
justinw wrote: I also see that open-sef.org doesn't load. Any idea why?
Yes, read the 6th post in this thread.
Last edited by gws on Tue Jan 09, 2007 8:21 pm, edited 1 time in total.
https://gadsolutions.biz Electrical services
https://electrical-testing-safety.co.uk Testing services
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sun Feb 04, 2007 11:35 am
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
C.Ludwig wrote: Hi,
for those who are still using OpenSEF 2.0.0 RC5 < SP2:
here is the latest link where you can find the patch and information about how to install it:
http://projects.j-prosolution.com/en/pr ... ensef.html
Predator wrote: ... so the old link with open-sef.org in it works now again.
open-sef.org seems no longer to exist!?
Christian
It does not work again... anybody help...
-
- Joomla! Champion
- Posts: 5924
- Joined: Tue Aug 23, 2005 1:56 pm
- Location: South coast, UK
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
https://gadsolutions.biz Electrical services
https://electrical-testing-safety.co.uk Testing services
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sun Feb 04, 2007 11:35 am
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
RobS wrote: There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5. We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem. Please download it from the link below and follow the simple instructions to update your OpenSEF installation.
Please see: http://www.open-sef.org/news/security_p ... ensef.html
this link is not still working ....robs...dear...
I could not find the security patch anywhere...
anybody help
Last edited by mexmet on Mon Feb 05, 2007 9:13 am, edited 1 time in total.
- Predator
- Joomla! Ace
- Posts: 1823
- Joined: Wed Aug 17, 2005 10:12 pm
- Location: Germany-Bad Abbach
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team
-
- Joomla! Fledgling
- Posts: 3
- Joined: Sun Feb 04, 2007 11:35 am
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
thank you predator, I have already found it.
It was just a careless question.
-
- Joomla! Apprentice
- Posts: 5
- Joined: Tue May 08, 2007 2:26 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
Hi,
Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.
Can anyone help to clarify?
- Predator
- Joomla! Ace
- Posts: 1823
- Joined: Wed Aug 17, 2005 10:12 pm
- Location: Germany-Bad Abbach
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
maggiespaws wrote: Hi,
Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.
Can anyone help to clarify?
Yes this fixed it but if you have RC5 SP2 the fix is already in that version. Patch is only for RC5 and RC5 SP1 Version
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team
-
- Joomla! Apprentice
- Posts: 5
- Joined: Tue May 08, 2007 2:26 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
Predator wrote:
maggiespaws wrote: Hi,
Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.
Can anyone help to clarify?
Yes this fixed it but if you have RC5 SP2 the fix is already in that version. Patch is only for RC5 and RC5 SP1 Version
Predator, thanks for responding to this.
The site was already running RC5 SP2. As a result of the hacking, they changed the configuration.php file and chown'd all the files and directories used by OpenSEF (in both the components dirs) to a system user rather than the ftp user. This has stopped us repairing the damage until the hosting company resolves this.
I'm writing all of this because I am a little concerned that there is still a security hole with this component. As of yet, I have no conclusive proof that OpenSEF provided the route in (I'm awaiting more detailed logs from the hosting company), but the fact that other than configuration.php, the only files affected were those related to OpenSEF seems more than just a coincidence. I'm happy to try and provide you with any log data etc if you would like to look into this yourself.
I have read around on the internet and have come across one user who said that the security risk was only exposed if the component was installed but not in use? Is this true? At the time of the attack, my friend had it installed but not switched on.
I am soon to go live with a new site using OpenSEF (it is a great component btw) but would feel happier knowing I was safe to do so.
Sorry for the long post.
Regards,
Steve
- Predator
- Joomla! Ace
- Posts: 1823
- Joined: Wed Aug 17, 2005 10:12 pm
- Location: Germany-Bad Abbach
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
If OpenSEF is not activated the request will be forwarded to the built-in includes/sef.php so very strange, so more infos via PM if you got the results of the logfiles would be good, also this hacking sounds like RFI (remote file injections) which only is possible if you have Register Globals = On and allow_furl_open = On, maybe you can check this also.
The "Humor, Fun and Games" forum has more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team
-
- Joomla! Apprentice
- Posts: 5
- Joined: Tue May 08, 2007 2:26 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
No logs back from the hosting company yet, but thanks for your advice. I'll look at those two settings you've mentioned and report back.
Steve
-
- Joomla! Apprentice
- Posts: 5
- Joined: Tue May 08, 2007 2:26 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
Predator wrote: If OpenSEF is not activated the request will be forwarded to the built-in includes/sef.php so very strange, so more infos via PM if you got the results of the logfiles would be good, also this hacking sounds like RFI (remote file injections) which only is possible if you have Register Globals = On and allow_furl_open = On, maybe you can check this also.
Still no logs, but a phpinfo() has shown that allow_url_fopen is set to on (is this what you meant in your post when you typed allow_furl_open ?). Incidentally, register globals was off and RG set to 0 in the configuration.php
I can't overwrite the setting using .htaccess as the php version is 4.4.4 and according to the php site it can only be changed in the main php.ini.
We're emailing the hosts to ask them to change this.
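The settings check that Predator asks for and Steve carries out with phpinfo() can also be run against a copy of php.ini. The following is an added example, not code from the thread or from OpenSEF: it reads php.ini text and reports the effective value of the two directives named above. The function names and the sample php.ini contents are constructed for illustration, and the defaults are PHP's built-in ones.

```python
import re

# PHP's built-in defaults for the two directives named in the thread
# (register_globals has defaulted to Off since PHP 4.2.0).
DEFAULTS = {"register_globals": False, "allow_url_fopen": True}
# Values php.ini treats as boolean true; anything else counts as off.
TRUE_WORDS = {"1", "on", "true", "yes"}
ASSIGN = re.compile(r"^\s*([A-Za-z_][\w.]*)\s*=\s*(.*?)\s*$")

def effective_settings(ini_text):
    """Return the effective boolean value of each directive in DEFAULTS."""
    values = dict(DEFAULTS)
    for raw in ini_text.splitlines():
        line = raw.split(";", 1)[0]            # drop ; comments
        m = ASSIGN.match(line)
        if not m:
            continue                            # blank line or [section]
        # Directive names are case sensitive; values are not.
        name, value = m.group(1), m.group(2).strip("\"'").lower()
        if name in values:
            values[name] = value in TRUE_WORDS  # a later line overrides an earlier one
    return values

def rfi_preconditions(ini_text):
    """Report which of the two settings named in the thread are switched on."""
    s = effective_settings(ini_text)
    return {"settings": s,
            "enabled": sorted(n for n, on in s.items() if on),
            "both_enabled": all(s.values())}

# Constructed sample: matches what the phpinfo() in the thread reported.
HOST_FROM_THREAD = """\
[PHP]
register_globals = Off
allow_url_fopen = On
"""
# Constructed sample: both settings on, with a commented-out line that must be ignored.
BOTH_ON = """\
[PHP]
;register_globals = Off
register_globals = On
allow_url_fopen = "1"
"""
# Constructed sample: both settings explicitly off.
HARDENED = "register_globals = Off\nallow_url_fopen = Off\n"

if __name__ == "__main__":
    for label, text in [("host from thread", HOST_FROM_THREAD),
                        ("both on", BOTH_ON), ("hardened", HARDENED)]:
        print(label, rfi_preconditions(text))
```

php.ini is only one place these directives can be set; phpinfo() output, as used in the thread, shows the value actually in effect.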
- sambob
- Joomla! Enthusiast
- Posts: 120
- Joined: Sat Jul 22, 2006 2:19 am
- Location: Australia
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
Hi all...
just need a bit of clarification on this patch.
I have just installed OpenSEF 2.0.0-RC5_SP2
Does this (the latest version) require the patch?
I am thinking that _SP2 is ok, but unsure.
Thanks in advance
https://reddustsnow.com/
"Don't look at what is and ask 'Why?'; look at what isn't and ask 'Why Not!'.."
- sambob
- Joomla! Enthusiast
- Posts: 120
- Joined: Sat Jul 22, 2006 2:19 am
- Location: Australia
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
I have found the answer.
SP2 (Service Pack 2) includes the security patch.
https://reddustsnow.com/
"Don't look at what is and ask 'Why?'; look at what isn't and ask 'Why Not!'.."
-
- Joomla! Enthusiast
- Posts: 158
- Joined: Thu Nov 24, 2005 7:44 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
hey there....i just looked and the joomla i am working on is running
OpenSEF
Version 2.0.0-RC2
where do i get the patch? anybody know? :-*
SEF patch extended version 1.0a
is also installed
Last edited by teclive on Tue Jul 10, 2007 6:12 pm, edited 1 time in total.
- rliskey
- Joomla! Guru
- Posts: 828
- Joined: Tue Jun 06, 2006 7:41 am
- Location: California, Germany, Norway
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
Quote: where do i get the patch? anybody know?
Use Google!
http://www.google.com/search?q=opensef
Number 4 in Google listing:
http://sourceforge.net/project/showfile ... _id=171110
-
- Joomla! Enthusiast
- Posts: 158
- Joined: Thu Nov 24, 2005 7:44 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
sorry for the delay....found the mod thanks
-
- Joomla! Intern
- Posts: 71
- Joined: Mon Oct 31, 2005 2:50 pm
- Contact:
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
trying to find the patch, but it's a) not on the site or b) site suggested is down
-
- I've been banned!
- Posts: 21
- Joined: Wed Dec 19, 2007 10:36 pm
-
- Joomla! Enthusiast
- Posts: 158
- Joined: Thu Nov 24, 2005 7:44 pm
Re: [PATCH AVAIL.] OpenSEF 2.0.0 RC5
what is the safest way to update from a Version 2.0.0-RC2 to a Version 2.0.0-RC5 _SP2
just overwrite files or uninstall and reinstall? it is imperative that i dont lose the existing urls, i will be shot on the spot if that happens
thanks muchly in advance