Joomla! Discussion Forums

Hi guys,

Firstly, I apologize that I am in a slightly sour mood.

I upgraded to 1.0.13, wasn't able to login. Downgraded (repleaced files with 1.0.12 ones). Same. Invalid password. Mainly because I use CB - check out this post - http://www.joomlapolis.com/component/op ... /Itemid,1/

Now, what do I do? I don't have a recent database backup. I can reupgrade to 1.0.13, but that leaves a lot of stuff broken.

Is there an easy way to downgrade?

I'm posting something I posted at joomlapolis as well.

God Bless

-Suraj
-----------------------

WoW is all I can say...

I replaced files with 1.0.12 files, and now I can't even login to the admin.

WHY? Why did this happen? :[ - Seriously, why such a big change in the 1.0 series from the joomla team? This is just ridiculous.

Sure, I should have made a backup. Yes. I should have. But so far, the Joomla core has been a breeze, something easy to use.

Sorry for the rant guys... but ouch :'[

CB posted a notice not to upgrade to 1.0.13 if you are using CB.


Post the error message, if any.

It simply gives an invalid login error - note that I did login once with 1.0.13 installed to the admin, but not the main site (I got an invalid password . I'm not the only one facing this problem, it should be just about any CB user.

Try to login with a wrong password, that's the popup error I get.

So you can login into the administrator but not the front end of your site?
If so, a temporary (but really bad) work around until CB releases an update would be to disable the CB Login module and enable the default login module. Yes, you would lose some of the CB stuff but it works for now. I haven't seen or heard of any successful downgrades from 1.0.13. Upgrades are usually a one way thing.

Now, by theory, since the upgrade from 1.0.12 to 1.0.13 didn't modify any of the database, you could overwrite everything in your site with a full 1.0.12 stable package (except the configuration.php). You might have tried this and this might not work at all. Again, it's by theory and in the end it might cause more damage.

Apparently Joomla 1.0.13 has a different way of using passwords, which is causing the problem. Basically, I need to change every password back to MD5 encryption in the database, as 1.0.13 doesn't use normal MD5 anymore.

So basically, Old passwords/login scripts no longer work, and the passwords are already changed - 1.0.13 edited the database.

Now with 1.0.12, I can't login to the admin.

This has never been done by joomla - giving an update without backward compatability. Check the CB Post I linked to. They are strongly cautioning users NOT TO UPGRADE.

I figured this would be like a normal joomla upgrade.

Sorry for the rant. I either have to reupgrade to 1.0.13 with things broken, or no one can login anymore... not even me.

I've also had the same problem with CB and it's a serious issue. It's hard to believe that it wasn't tested with CB before it was released.

In any case, I successfully downgraded by replacing all the updated files from 1.0.13 with a backup of my 1.0.12 files. I also deleted the jos_users table and replaced it with a backup version. Luckily, I have phpBB integrated using the eLearningforce plugin so user accounts are synchronized and any accounts created since my last backup (less than 24 hours old) will be added through that component. I think I'm luckier than most Joomla users though, since incompatibility with CB will have a far-reaching impact.

Everbody with a bridge from SMF does have the same problem. Upgrading to 1.0.13 breaks the bridge login! Changing back to 1.0.12 give invalid userpasswords! I found a solution to reset the working passwords trough the adminbackend of SMF afther changing backwards to 1.0.12! So don't upgrade yet is my advise!!

First of all, it appears that Sam Moffatt (Pasamio), a Joomla! developer, posted a fix for this in the CB forums.

Here's Sam's message and I took the liberty of attaching the same file for those who need it:


Secondly, I'm still not certain what is going on. The CHANGELOG.php file indicates that this password change has been in the SVN for a month. It has been talked about. Anyone in the world can access the SVN - most especially the testing team, so, I am still a bit confused.


Regardless, it appears Sam has developed a fix for CB. We'll keep working through one issue, at a time, one day, at a time, as a community and, dang it!, if we keep our heads on straight and keep passion in check, I'm certain we will get there, All together, As a Whole,

Peace,
Amy

Edit: I removed the attachment since Sam just made an update. It is best to go to JoomlaPolis where Sam is helping folks in this thread.

now i know..
who's the BEST 

Also worth noting that Beat from community builder is the one who originally suggested and requested the change to password storage

Louis

Ha... that's funny... You'd think he'd be prepared for it.

Let's not pull each other's hairs here

There's a fix, and so I'm happy.

Thanks for the help & God Bless '_^

Suraj -

You asked a question:


You got an answer:


And, you learned a lesson, too!


Amy

Hmm...

Kinda I guess. I never expected changes like this to happen in updates/patches :[ - which isn't your (the joomla team) fault really. And it's my duty to make sure such big components work.

But yeah, I'll work on the backup stuff now

The login works now, so thanks to Sam =]

God Bless '_^

Suraj -

I do appreciate your point that there is absolutely no sense looking for someone to blame. Solutions are not always elegant but they are very much appreciated. Thanks to the J! developers for building the more secure login, as requested. And, hats off to Sam for helping with a temporary fix until a permanent CB solution is available.

And yes, backups + restores!
Amy

Also as an FYI ... the reason Beat suggested the change is a good one.  And it has to do with your site's security. 

MD5 has always -- or mostly been thought of as a one way hashing algorithm.  You MD5 a string and there is no real way to go back from the hash to the clear text string.  For this reason it is used by lots of systems as the hashing mechanism for passwords. 

Over the last six months we have seen explosive growth in something called a "rainbow table" which is essentially a huge database of clear text strings and words matched up with MD5 strings.  Think of it as a dictionary of sorts.  With this, I can take the MD5 strings of almost all short passwords (how many of us REALLY have long ones) and get a clear text password in seconds or sooner. 

The modification of adding the random salt string means that your password  string is now padded by 16 characters (in 1.0) and 32 characters (in 1.5) which makes use of these "rainbow tables" much much more difficult.

This isn't about name calling or any of that stuff, I was just surprised to see that the Community Builder team was unaware or unprepared for this change given that Beat was the one who raised the call to arms to make the change   No biggie, and I thank him for the heads up on the matter.

Louis

Hi all,

I don't think anyone will say anything against hardening the mechanism for handling passwords in Joomla, whoever suggested it and whoever actually made it. Everyone was taken by surprise by this release, which timing was obviously made to match that of 1.5.

I think two things should be made very rapidly:

1 - issue a warning NOT to upgrade to CB, SMF bridges, and probably other bridges (other forums, galleries, flyspray,phplist ?) users before updates to said components is available (assuming the commercial ones have not been abandonned recently by their author)

2 - Provide some Joomla-side way of handling things better : the logical thing to do for me would be to provide a backend switch of some kind to decide which password to use. Remember that is what MYSQL did when they changed password mechanism. Maybe that needs to be V 1.0.14 ?

Best regards

I upgrade to 1.0.13, got the login problems too (nothing new) , but im having a lot of menu problems. 1.0.13 upgrade changes in some way the DB ?.

The fix doesnt work? Just gets a blank 403 error page here after applying it.

From now on all releases are handled by Quality and Testing team hopefully this will not happen again.

Sorry, but it is strange that Joomla 1.5 RC1 and Joomla 1.0.13 appear the same day. But there is not much attention given to 1.0.13 and no warning whatsoever about what has been changed in the security setup .... with consequential problems (and yes - benefits).

I am glad I was prewarned by one of my commercial vendors.....  - you know, the guys that are called stupid, greedy or what ever else if they are unhappy with the GPL interpretation of the Joomla core team....

Where? Link me.

abo -

You "seem" very angry. Let's break down your fifth post in the Joomla! forums:

1. "Sorry, but it is strange that Joomla 1.5 RC1 and Joomla 1.0.13 appear the same day." Why is that "strange?" What do you mean by that?

2. "But there is not much attention given to 1.0.13" By whom? Who did not give J! v 1.0.13 attention? What attention is needed that has not been provided?

3. "no warning whatsoever about what has been changed in the security setup" No warning for whom? The members of the Quality and Testing team certainly had warning. Any third party developer who wanted to track development has access to the SVN - it's public. You can get it; I can get it. The change log indicated that one month ago the security change was made. Hey - don't take my word for it - I might be *one of them* - read the file yourself. Do you know where that file is at? It is where it's always at - in the root of your Joomla! directory, a file named CHANGELOG.php. Open it and read the log. There was a MONTH of warning. Is that enough?

4. "with consequential problems (and yes - benefits)."  Do you understand that there are over 1,800 extensions in the Joomla! Extensions Directory? Developers are provided that resource for free to reach the community, but they, themselves, are responsible to pay attention to core development. The core team can't chase every single developer down. But, the core team does make the SVN available where the core code is being worked on. They provide instructions how to get to get the code. They are here, ready to answer questions developers might have. Anyone can join the Quality and Testing Team if they want to get closer to the action. It's free to join! When there are problems after an upgrade (and, there always are!) we try to work together *politely* to get each issue resolved. We try not to point fingers, either, because that doesn't help.

5. "I am glad I was prewarned by one of my commercial vendors." Are you suggesting someone from Joomla! org should contact you to notify you of changes? There are now over 120,000 forum members and quite possibly over 1,000,000 Joomla! websites. What prewarning do you think you should have gotten? If it was a warning about an extension the developer, themselves, provided, then, that's great! The developer *is* the source of such information for his or her extensions. But, if it's information in general you are after, you have to get more involved!

6. "you know, the guys that are called stupid, greedy or what ever else if they are unhappy with the GPL interpretation of the Joomla core team...." Wow. What nasty stuff. What really nasty accusations you have tossed into this forum. The forum where you came and took free, as in beer, and free, as in liberty, software and not one time in any of your five posts did you say thanks!. Do you realize that there are people here who would be hurt and offended by those comments? Why would you do that?

There is nothing wrong with commercial software. Perhaps you might take time this week to read Alledia's blog where each day he is interviewing a third party developer who provides commercial software for this community. Estimates I have heard indicate approximately 15% of the extensions in the JED are licensed using non-GPL compatible software licenses. Those developers are considering a GPL-compatible license IF their extensions require it.  Joomla! is licensed using the GPL. Always has been.

Please, in the future, consider there are people in here - people who gave to you - and hold back the accusations of name calling and the spreading of anger. We don't need it. We need people in this community who are willing to assume responsibility for their own needs, at minimum, and cooperate with one another.

Amy

Although I agree with Amy in most what was said in her last post, I have to say that releasing both lines at the same time gives an impression that something was rushed. I just hope that this kind of ideas won't find followers any more.

There are also translations to be made - try to stretch a small team to translate them both in time. There will be more times like this one, that tweaks in extensions will have to be made also, and not all developers have time to do what was named as their responsibility. Some of them contribute code they have written in their spare time and it happens (often) that they won't have spare time for a few months. But they have users of their work who use Joomla! without computer science degree and SVN sounds like rainbow table to them.

There are also things impossible to prepare before core release (at least with 1.0.x line practices) but this I'll save for another topic in more appropriate forum.

We *can* do better! I won't deny that - we've got plenty of room to grow as a community.

But, when we start to turn to Joomla! org with anger and accusations - with a sense of our own entitlement - things stop working in a hurry. It's an open source project and we are a community. If we notice problems, we have two choices - help fix it, or accept it. But, no room for demands and accusations.

I guess we are all frustrated.  Huh? Time to encourage one another.

And, yes, Roman - there are more appropriate places where teams can hash things out. Thank you for your encouraging post.

Amy

Edit - added the following:

Most importantly:
The v 1.0.13 Announcement
Forum Announcement
Place to say "Thanks!"

And, I am sorry. 

Heh... just got this notification from Rob...

http://forum.joomla.org/index.php?topic=194232.new#new

http://www.joomla.org/content/view/3677/1/

It would have been nice to have these on Saturday...but I'm sure the team was more focused on the 1.5 release..

Or, we could get involved and ask questions if we don't understand why things are done the way they are. We could be careful not to make assumptions or expect perfection. And, maybe we could be patient if we have to wait a few days. Dig in, ourselves? Ask if we need help? Always slow to make accusations, never before having facts, remembering, always, we did not pay for the software. No one has to come in and praise the work. But, could we try to be nice?

Amy

True. And many people do...



We're all human...



What??????? Wait a few days!!!??? With baited breath the entire Joomla community pounces upon each new release like it's Christmas all over again with expectations of Joomla being even greater than it already is. A few days could possibly kill a few Joomla users. 



Yes... NICE is the word of the day. Above all else, be nice.

Gosh, thanks for that laugh. Very much, in fact. 

Amy