The Joomla! Forum ™





PostPosted: Tue Oct 23, 2007 8:50 pm 
Joomla! Guru

Joined: Sat Aug 20, 2005 3:15 pm
Posts: 508
Hello,

This morning, after some users reported hacking of their site, the log files they supplied led me to the discovery of a vulnerability in versions 1.2.4.t, u and w of my URL rewriting component, sh404SEF. Under a particular set of circumstances, remote code execution was possible. I apologize for the initial error in the code which allowed this, and to the webmasters who suffered hacking due to this vulnerability.

I have uploaded some fixed files on Joomlacode at http://joomlacode.org/gf/project/sh404sef/frs/?action=FrsReleaseBrowse&frs_package_id=313. Here are the details:

A - If you are using a version up to and including 1.2.4s, there is no vulnerability, and you don't need to take any action.

B - If you are using version 1.2.4.t or version 1.2.4.u, you need to patch your site:
  1 - Download the appropriate patch file from Joomlacode (sef404_t2.zip for version 1.2.4.t, or sef404_u2.zip for version 1.2.4.u)
  2 - Unzip this file on your local computer. This will give you a sef404.php file
  3 - Upload this new file using FTP into the /components/com_sef directory, replacing the existing one

C - If you are using version 1.2.4.w, you can either patch your site, or uninstall/re-install the new version w2.

Patching your site:
  1 - Download the appropriate patch file from Joomlacode (sef404_w2.zip)
  2 - Unzip this file on your local computer. This will give you a sef404.php file
  3 - Upload this new file using FTP into the /components/com_sef directory, replacing the existing one

Installing the new version:
  1 - Download the new version 1.2.4.w2, available now from Joomlacode
  2 - Using the Joomla installer, UN-install the current w version from your site
  3 - Using the Joomla installer, install the new version w2
  All settings and data will be preserved in this process.
 
Very soon I'll be releasing the next version of sh404SEF, which has a set of security features to avoid this kind of issue as much as possible, not only in sh404SEF, but in other Joomla extensions.
In the meantime, I hope damage will be limited. I'll be available as much as can be at http://extensions.siliana.net/en/ to assist you in the upgrade process if needed.

Yours sincerely
shumisha

_________________
See all about sh404sef at http://dev.anything-digital.com/
I don't reply to PM anymore. Thanks for using sh404SEF


Last edited by shumisha on Tue Oct 23, 2007 8:53 pm, edited 1 time in total.

PostPosted: Mon Nov 05, 2007 3:37 pm 
Joomla! Apprentice

Joined: Mon Jun 12, 2006 7:38 pm
Posts: 8
Is the vulnerability also in the Artio SEF component?

Thanks,
Jef


PostPosted: Mon Nov 05, 2007 6:23 pm 
Joomla! Guru

Joined: Sat Aug 20, 2005 3:15 pm
Posts: 508
Hi,

Yes. Artio has released a new version, a few days after I informed them Joomsef was vulnerable. However, last time I checked they did not list it as a security release.

Regards

PostPosted: Thu Dec 27, 2007 2:09 pm 
Joomla! Intern

Joined: Fri Aug 04, 2006 5:45 am
Posts: 73
Location: Indonesia
How about the ARTIO JoomSEF v1.3.1 version...?
Do I have to upgrade it..?


PostPosted: Thu Dec 27, 2007 2:19 pm 
Joomla! Guru

Joined: Sat Aug 20, 2005 3:15 pm
Posts: 508
Hi

Artio Joomsef is currently at version 2.2.4. If you have version 1.3.1, it must be very old! And yes, anything below Joomsef version 2.2.2 must be upgraded. Please refer to the official Joomla extensions security list available from the Joomla FAQ.

Regards
