The Joomla! Forum ™





PostPosted: Sat Jul 15, 2006 9:59 pm 
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5.  We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem.  Please download it from the link below and follow the simple instructions to update your OpenSEF installation. 

Please see: http://www.open-sef.org/news/security_patch_for_opensef.html

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Last edited by RobS on Wed Jul 19, 2006 5:08 am, edited 1 time in total.

PostPosted: Mon Jul 17, 2006 7:30 pm 
Joomla! Champion

Joined: Fri Aug 19, 2005 3:03 pm
Posts: 6046
Location: Indiana, USA
Note: It is not clear in the OpenSEF documentation what to do with the patch.

In case you don't know, you will upload the patched file to:
components/com_sef

and overwrite the old file of the same name.

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


PostPosted: Tue Sep 19, 2006 11:12 pm 
Joomla! Intern

Joined: Tue Dec 13, 2005 9:56 pm
Posts: 74
Location: Oregon
What version number will display once the patch has been installed?

_________________
- Bible Yellow Pages: http://www.bibleyp.com


PostPosted: Fri Sep 22, 2006 4:17 pm 
Joomla! Enthusiast

Joined: Fri Aug 04, 2006 12:38 pm
Posts: 171
The link for the security patch isn't working.


PostPosted: Sat Sep 23, 2006 9:03 pm 
Joomla! Fledgling

Joined: Wed Dec 21, 2005 2:06 pm
Posts: 4
OpenSEF has moved to a new site - try searching from:

http://forum.j-prosolution.com/news-discussion/

Btw, patch is only required if you downloaded RC5 before the patch was released. The current release contains the patch already. Instructions on how to apply the patch available on the forum.


PostPosted: Mon Sep 25, 2006 8:07 pm 
Joomla! Champion

Joined: Fri Aug 19, 2005 3:03 pm
Posts: 6046
Location: Indiana, USA
Here is a link to download:
http://projects.j-prosolution.com/proje ... ensef.html

OpenSEF 2.0.0-RC5_SP2 is the newest version (as of 25-Sep-2006)

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick


PostPosted: Mon Sep 25, 2006 9:06 pm 
Joomla! Intern

Joined: Tue Dec 13, 2005 9:56 pm
Posts: 74
Location: Oregon
Thanks, Nate. I thought that was the case, but since this is a security issue I really wanted to get that extra confirmation.

_________________
- Bible Yellow Pages: http://www.bibleyp.com


PostPosted: Sun Oct 01, 2006 8:50 pm 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
aaanativearts wrote:
The link for the security patch isn't working.


The version on the forge has this included. I have also fixed the link, so the old link with open-sef.org in it works again now.

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


PostPosted: Fri Jan 05, 2007 10:46 am 
Joomla! Apprentice

Joined: Wed Sep 20, 2006 10:38 am
Posts: 26
Location: München
Hi,

for those who are still using OpenSEF 2.0.0 RC5 < SP2:
here is the latest link where you can find the patch and information about how to install it:

http://projects.j-prosolution.com/en/project-news/opensef-news/security-patch-for-opensef.html

Predator wrote:
... so the old link with open-sef.org in it works now again.


open-sef.org seems to no longer exist!?

Christian


PostPosted: Mon Jan 08, 2007 5:50 pm 
Joomla! Explorer

Joined: Mon Sep 19, 2005 8:49 pm
Posts: 268
Location: Empangeni, South Africa
When I uploaded the patched file I got:
Fatal error: Cannot instantiate non-existent class: josopensefconfig in /usr/www/users/empangzf/dev/components/com_sef/sef.php on line 26

So I just put the old one back until I can get some help on the above error message.

I also see that open-sef.org doesn't load. Any idea why?

_________________
Web Energy - Website Designs and Joomla Development in Empangeni, South Africa - http://www.webenergy.co.za


PostPosted: Tue Jan 09, 2007 8:18 pm 
Joomla! Hero

Joined: Tue Aug 23, 2005 1:56 pm
Posts: 2391
Location: Kent / Sussex / Surrey border UK
justinw wrote:

I also see that open-sef.org doesn't load. Any idea why?


Yes, read the 6th post in this thread.

_________________
http://www.gadsolutions.biz Electrical services
http://www.electrical-testing-safety.co.uk Testing services


Last edited by gws on Tue Jan 09, 2007 8:21 pm, edited 1 time in total.

PostPosted: Sun Feb 04, 2007 11:54 am 
Joomla! Fledgling

Joined: Sun Feb 04, 2007 11:35 am
Posts: 3
C.Ludwig wrote:
Hi,

for those who are still using OpenSEF 2.0.0 RC5 < SP2:
here is the latest link where you can find the patch and information about how to install it:

http://projects.j-prosolution.com/en/project-news/opensef-news/security-patch-for-opensef.html

Predator wrote:
... so the old link with open-sef.org in it works now again.


open-sef.org seems to no longer exist!?

Christian



It does not work again... anybody help...


PostPosted: Sun Feb 04, 2007 2:37 pm 
Joomla! Hero

Joined: Tue Aug 23, 2005 1:56 pm
Posts: 2391
Location: Kent / Sussex / Surrey border UK
Try http://projects.j-prosolution.com/proje ... ensef.html

_________________
http://www.gadsolutions.biz Electrical services
http://www.electrical-testing-safety.co.uk Testing services


PostPosted: Sun Feb 04, 2007 2:56 pm 
Joomla! Fledgling

Joined: Sun Feb 04, 2007 11:35 am
Posts: 3
RobS wrote:
There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5.  We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem.  Please download it from the link below and follow the simple instructions to update your OpenSEF installation. 

Please see: http://www.open-sef.org/news/security_patch_for_opensef.html


This link is still not working... RobS... dear...
I could not find the security patch anywhere...
anybody help


Last edited by mexmet on Mon Feb 05, 2007 9:13 am, edited 1 time in total.

PostPosted: Mon Feb 05, 2007 10:24 am 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
Patch available here:

http://www.j-prosolution.com/dmdocument ... 072006.zip

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


PostPosted: Wed Feb 07, 2007 11:39 am 
Joomla! Fledgling

Joined: Sun Feb 04, 2007 11:35 am
Posts: 3
Thank you Predator, I have already found it.
It was just a careless question.


PostPosted: Wed May 09, 2007 7:44 am 
Joomla! Apprentice

Joined: Tue May 08, 2007 2:26 pm
Posts: 5
Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?


PostPosted: Wed May 09, 2007 8:02 am 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
maggiespaws wrote:
Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?


Yes, this fixed it, but if you have RC5 SP2 the fix is already in that version. The patch is only for the RC5 and RC5 SP1 versions.

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


PostPosted: Wed May 09, 2007 11:04 pm 
Joomla! Apprentice

Joined: Tue May 08, 2007 2:26 pm
Posts: 5
Predator wrote:
maggiespaws wrote:
Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mine's site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?


Yes, this fixed it, but if you have RC5 SP2 the fix is already in that version. The patch is only for the RC5 and RC5 SP1 versions.


Predator, thanks for responding to this.

The site was already running RC5 SP2. As a result of the hacking, they changed the configuration.php file and chown'd all the files and directories used by OpenSEF (in both the components dirs) to a system user rather than the ftp user. This has stopped us repairing the damage until the hosting company resolves this.

I'm writing all of this because I am a little concerned that there is still a security hole with this component. As of yet, I have no conclusive proof that OpenSEF provided the route in (I'm awaiting more detailed logs from the hosting company), but the fact that other than configuration.php, the only files affected were those related to OpenSEF seems more than just a coincidence. I'm happy to try and provide you with any log data etc if you would like to look into this yourself.

I have read around on the internet and have come across one user who said that the security risk was only exposed if the component was installed but not in use? Is this true? At the time of the attack, my friend had it installed but not switched on.

I am soon to go live with a new site using OpenSEF (it is a great component btw) but would feel happier knowing I was safe to do so.

Sorry for the long post.

Regards,
Steve


PostPosted: Thu May 10, 2007 11:07 am 
Joomla! Ace

Joined: Wed Aug 17, 2005 10:12 pm
Posts: 1827
Location: Germany-Bad Abbach
If OpenSEF is not activated the request will be forwarded to the built-in includes/sef.php, so this is very strange. More info via PM would be good once you have the results from the logfiles. Also, this hacking sounds like RFI (remote file injections), which is only possible if you have Register Globals = On and allow_furl_open = On; maybe you can check this also.

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team :D


PostPosted: Thu May 10, 2007 12:04 pm 
Joomla! Apprentice

Joined: Tue May 08, 2007 2:26 pm
Posts: 5
No logs back from the hosting company yet, but thanks for your advice. I'll look at those two settings you've mentioned and report back.

Steve


PostPosted: Fri May 11, 2007 2:47 pm 
Joomla! Apprentice

Joined: Tue May 08, 2007 2:26 pm
Posts: 5
Predator wrote:
If OpenSEF is not activated the request will be forwarded to the built-in includes/sef.php, so this is very strange. More info via PM would be good once you have the results from the logfiles. Also, this hacking sounds like RFI (remote file injections), which is only possible if you have Register Globals = On and allow_furl_open = On; maybe you can check this also.


Still no logs, but a phpinfo() has shown that allow_url_fopen is set to On (is this what you meant in your post when you typed allow_furl_open?). Incidentally, register_globals was off and RG was set to 0 in the configuration.php.

I can't overwrite the setting using .htaccess as the php version is 4.4.4 and according to the php site it can only be changed in the main php.ini.

We're emailing the hosts to ask them to change this.
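The two server settings discussed in the last few posts (register_globals and allow_url_fopen) and the direct-access guard that Joomla 1.0 component files are expected to carry can be checked from the command line rather than by reading phpinfo() output. The following audit script is an added example for this thread, not OpenSEF's or Joomla's own code; it assumes a Joomla 1.0-series directory layout (components/com_*/) and only reads files and ini values, changing nothing.

```php
<?php
// Added example (not OpenSEF's or the thread's code): a read-only audit of the
// conditions named in the thread as prerequisites for remote file inclusion
// on a Joomla 1.0 site. Run from the command line:
//   php rfi_audit.php /path/to/joomla
// Assumes the Joomla 1.0 layout where components live in components/com_*/.

function ini_flag_on($name) {
    // ini_get() may return "1", "On", "" or "0" depending on how the value
    // was written in php.ini; normalise before comparing.
    $v = strtolower((string) ini_get($name));
    return $v === '1' || $v === 'on' || $v === 'true' || $v === 'yes';
}

function audit_ini() {
    $findings = array();
    // register_globals turns request parameters into PHP globals such as
    // $mosConfig_absolute_path; allow_url_fopen lets include() read from URLs.
    // The thread notes both must be On for the attack it describes to work.
    foreach (array('register_globals', 'allow_url_fopen') as $name) {
        $findings[$name] = ini_flag_on($name) ? 'ON (risk)' : 'off';
    }
    return $findings;
}

function unguarded_component_files($root) {
    // Joomla 1.0 component files are expected to begin with
    //   defined('_VALID_MOS') or die(...)
    // so they cannot be requested directly, outside index.php. This is a
    // heuristic: a file guarded by some other mechanism is still reported.
    $unguarded = array();
    foreach (glob($root . '/components/com_*/*.php') as $file) {
        $src = file_get_contents($file);
        if ($src === false || !preg_match("/defined\s*\(\s*'_VALID_MOS'\s*\)/", $src)) {
            $unguarded[] = $file;
        }
    }
    return $unguarded;
}

$root = isset($argv[1]) ? rtrim($argv[1], '/') : '.';
foreach (audit_ini() as $name => $state) {
    echo str_pad($name, 18) . $state . "\n";
}
$files = unguarded_component_files($root);
echo count($files) . " component file(s) without the _VALID_MOS guard\n";
foreach ($files as $f) {
    echo "  $f\n";
}
```

Run it with the same PHP binary the web server uses, since the CLI can load a different php.ini; on PHP 5.4 and later register_globals no longer exists and simply reports as off.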


PostPosted: Mon May 14, 2007 2:57 am 
Joomla! Intern

Joined: Sat Jul 22, 2006 2:19 am
Posts: 86
Location: Australia
Hi all...

just need a bit of clarification on this patch.

I have just installed OpenSEF 2.0.0-RC5_SP2

Does this (the latest version) require the patch?

I am thinking that _SP2 is ok, but unsure.

Thanks in advance

_________________
http://www.lumieres.com.au/

"Don't look at what is and ask 'Why?'; look at what isn't and ask 'Why Not!'.."


PostPosted: Mon May 14, 2007 5:37 am 
Joomla! Intern

Joined: Sat Jul 22, 2006 2:19 am
Posts: 86
Location: Australia
I have found the answer.

SP2 (Service Pack 2) includes the security patch.

_________________
http://www.lumieres.com.au/

"Don't look at what is and ask 'Why?'; look at what isn't and ask 'Why Not!'.."


PostPosted: Tue Jul 10, 2007 6:03 pm 
Joomla! Enthusiast

Joined: Thu Nov 24, 2005 7:44 pm
Posts: 158
Hey there... I just looked and the Joomla I am working on is running
OpenSEF
Version 2.0.0-RC2

where do i get the patch? anybody know? :-*

SEF patch extended version 1.0a
is also installed


Last edited by teclive on Tue Jul 10, 2007 6:12 pm, edited 1 time in total.

PostPosted: Fri Jul 13, 2007 9:00 am 
Joomla! Guru

Joined: Tue Jun 06, 2006 7:41 am
Posts: 828
Location: California, Germany, Norway
Quote:
where do i get the patch? anybody know?


Use Google!
http://www.google.com/search?q=opensef

Number 4 in Google listing:
http://sourceforge.net/project/showfile ... _id=171110

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com


PostPosted: Fri Jul 13, 2007 11:57 pm 
Joomla! Enthusiast

Joined: Thu Nov 24, 2005 7:44 pm
Posts: 158
Sorry for the delay... found the mod :) thanks :)


PostPosted: Thu Aug 02, 2007 8:55 am 
Joomla! Intern

Joined: Mon Oct 31, 2005 2:50 pm
Posts: 71
Trying to find the patch, but it's a) not on the site or b) the site suggested is down.

_________________
Some Cool Sites
http://www.starfleets.st
http://www.plymouthcathsoc.org.uk


PostPosted: Thu Dec 20, 2007 8:23 am 
I've been banned!

Joined: Wed Dec 19, 2007 10:36 pm
Posts: 21
thanks for the valuable information.

_________________
smile


PostPosted: Tue Feb 19, 2008 4:18 am 
Joomla! Enthusiast

Joined: Thu Nov 24, 2005 7:44 pm
Posts: 158
What is the safest way to update from Version 2.0.0-RC2 to Version 2.0.0-RC5_SP2?

Just overwrite files, or uninstall and reinstall? It is imperative that I don't lose the existing URLs; I will be shot on the spot if that happens ;)

thanks muchly in advance :D

