Hello,
This morning, after some users reported hacking of their sites, the log files they supplied led me to the discovery of a vulnerability in versions 1.2.4.t, 1.2.4.u and 1.2.4.w of my URL rewriting component, sh404SEF. Under a particular set of circumstances, remote code execution was possible. I apologize for the initial error in the code which allowed this, and to the webmasters who suffered hacking due to this vulnerability.
I have uploaded some fixed files on Joomlacode at
http://joomlacode.org/gf/project/sh404sef/frs/?action=FrsReleaseBrowse&frs_package_id=313. Here are the details:
A - If you are using a version up to and including 1.2.4s, there is no vulnerability, and you don't need to take any action.
B - If you are using version 1.2.4.t or version 1.2.4.u, you need to patch your site:
   1 - Download the appropriate patch file from Joomlacode (sef404_t2.zip for version 1.2.4.t, or sef404_u2.zip for version 1.2.4.u).
   2 - Unzip this file on your local computer. This will give you a sef404.php file.
   3 - Using FTP, upload this new file into the /components/com_sef directory, replacing the existing one.
C - If you are using version 1.2.4.w, you can either patch your site, or uninstall/re-install the new version w2.
   Patching your site:
   1 - Download the appropriate patch file from Joomlacode (sef404_w2.zip).
   2 - Unzip this file on your local computer. This will give you a sef404.php file.
   3 - Using FTP, upload this new file into the /components/com_sef directory, replacing the existing one.
   Installing the new version:
   1 - Download the new version 1.2.4.w2, available now from Joomlacode.
   2 - Using the Joomla installer, UN-install the current w version from your site.
   3 - Using the Joomla installer, install the new version w2.
   All settings and data will be preserved in this process.
Very soon I'll be releasing the next version of sh404SEF, which has a set of security features to avoid this kind of issue as much as possible, not only in sh404SEF, but in other Joomla extensions.
In the meantime, I hope damage will be limited. I'll be available as much as I can be at
http://extensions.siliana.net/en/ to assist you in the upgrade process if needed.
Yours sincerely,
shumisha
_________________
See all about sh404sef at
http://dev.anything-digital.com/
I don't reply to PM anymore. Thanks for using sh404SEF