The Joomla! Forum ™

There was a bug reported that looked like a security vulnerability in OpenSEF 2.0.0 RC5.  We later confirmed that it was indeed a security vulnerability and notified the developers who responded immediately and released a patch to fix the problem.  Please download it from the link below and follow the simple instructions to update your OpenSEF installation. 

Please see: http://www.open-sef.org/news/security_patch_for_opensef.html

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

Note: It is not clear in the OpenSEF documentation what to do with the patch.

In case you don't know, you will upload the patched file to:
components/com_sef

and overwrite the old file of the same name.

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

What version number will display once the patch has been installed?

_________________
- Bible Yellow Pages: http://www.bibleyp.com

The link for the security patch isn't working.

OpenSEF have moved to a new site -  try and search from:

http://forum.j-prosolution.com/news-discussion/

Btw, patch is only required if you downloaded RC5 before the patch was released. The current release contains the patch already. Instructions on how to apply the patch available on the forum.

Here is a link to download:
http://projects.j-prosolution.com/proje ... ensef.html

OpenSEF 2.0.0-RC5_SP2 is the newest version (as of 25-Sep-2006)

_________________
If you're new to Joomla, Please read Anna's Joomla! Tips: viewtopic.php?t=5503

http://nathandiehl.com | Find out what makes me tick

Thanks, Nate. I thought that was the case, but since this is a security issue I really wanted to get that extra confirmation.

_________________
- Bible Yellow Pages: http://www.bibleyp.com

Version on the forge has this included, also have fixed the link , so the old link with open-sef.org in it works now again.

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team

Hi,

for those who are still using OpenSEF 2.0.0 RC5 < SP2:
here is the latest link where you can find the patch and information about how to install it:

http://projects.j-prosolution.com/en/project-news/opensef-news/security-patch-for-opensef.html



open-sef.org seems no longer to exist!?

Christian

When I uploading the patched file I got:
Fatal error: Cannot instantiate non-existent class: josopensefconfig in /usr/www/users/empangzf/dev/components/com_sef/sef.php on line 26

So I just put the old one back until I can get some help on the above error message.

I also see that open-sef.org doesn't load. Any idea why?

_________________
Web Energy - Website Designs and Joomla Development in Empangeni, South Africa - http://www.webenergy.co.za

Yes, read the 6th post in this thread.

_________________
http://www.gadsolutions.biz Electrical services
http://www.electrical-testing-safety.co.uk Testing services

It does not work again... anybody help...

Try http://projects.j-prosolution.com/proje ... ensef.html

_________________
http://www.gadsolutions.biz Electrical services
http://www.electrical-testing-safety.co.uk Testing services

this link is not still working ....robs...dear...
I could not find the security patch anywhere...
anybody help

Patch available here:

http://www.j-prosolution.com/dmdocument ... 072006.zip

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team

thank you predator, ı have already found it.
ıt was just careless question.

Hi,

Does this patch fix the reported issue with $mosConfig_absolute_path? Sorry if this is a dumb question but I'm a little confused. A friend of mines site has just been hacked by those muppets from Turkey (Bella and Bodyguard). She built it using Joomla and we think it might have been hacked through OpenSEF. I'm also using this module. We're both on RC5 SP2.

Can anyone help to clarify?

Yes this fixed it but if you have RC5 SP2 the fix is allready in that version. Patch is only for RC5 and RC5 SP1 Version

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team

Predator, thanks for responding to this.

The site was already running RC5 SP2. As a result of the hacking, they changed the configuration.php file and chown'd all the files and directories used by OpenSEF (in both the components dirs) to a system user rather than the ftp user. This has stopped us repairing the damage until the hosting company resolves this.

I'm writing all of this because I am a little concerned that there is still a security hole with this component. As of yet, I have no conclusive proof that OpenSEF provided the route in (I'm awaiting more detailed logs from the hosting company), but the fact that other than configuration.php, the only files affected were those related to OpenSEF seems more than just a coincidence. I'm happy to try and provide you with any log data etc if you would like to look into this yourself.

I have read around on the internet and have come across one user who said that the security risk was only exposed if the component was installed but not in use? Is this true? At the time of the attack, my friend had it installed but not switched on.

I am soon to go live with a new site using OpenSEF (it is a great component btw) but would feel happier knowing I was safe to do so.

Sorry for the long post.

Regards,
Steve

If OpenSEF is not actived the request will be forwarded to the buildin includes/sef.php so very strange, so more infos via PM if you got the results of the logfiles would be good, also this hacking sounds like RFI (remote file injections) which only is possible if you have Register Globals = On and allow_furl_open = On, maybe you can check this also.

_________________
The "Humor, Fun and Games" forum has  more than 2500 Posts, so why not build a "Humor, Fun and Games Working" Group?
.....
Malicious tongues say we have this WG right from the start, they call it core team

No logs back form the hosting company yet, but thanks for your advice. I'll look at those two settings you've mentioned and report back.

Steve

Still no logs, but a phpinfo() has showed that allow_url_fopen is set to on (is this what you meant in your post when you typed allow_furl_open ?). Incidentally, register globals was off and RG set to 0 in the configuration.php

I can't overwrite the setting using .htaccess as the php version is 4.4.4 and according to the php site it can only be changed in the main php.ini.

We're emailing the hosts to ask them to change this.

Hi all...

just need a bit of clarification on this patch.

I have just installed OpenSEF 2.0.0-RC5_SP2

Does this (the latest version require the patch?

I am thinking that _SP2 is ok, but unsure.

Thanks in advance

_________________
http://www.lumieres.com.au/

"Don't look at what is and ask 'Why?'; look at what isn't and ask 'Why Not!'.."

I have found the answer.

SP2 (Service Pack 2) includes the security patch.

_________________
http://www.lumieres.com.au/

"Don't look at what is and ask 'Why?'; look at what isn't and ask 'Why Not!'.."

hey there....i just looked and the joomla i am working on is running
OpenSEF
Version 2.0.0-RC2

where do i get the patch? anybody know?

SEF patch extended version 1.0a
is also installed

Use Google!
http://www.google.com/search?q=opensef

Number 4 in Google listing:
http://sourceforge.net/project/showfile ... _id=171110

_________________
Home: http://www.ronliskey.com
Business http://www.communitygrove.com

sorry for the delay....found the mod thanks

trying to find the patch, but its a) not on the site or b) site suggested is down

_________________
Some Cool Sites
http://www.starfleets.st
http://www.plymouthcathsoc.org.uk

thanks for the valuable information.

_________________
smile

what is the safest way to update from a Version 2.0.0-RC2 to a Version 2.0.0-RC5 _SP2

just overwrite files or uninstall and reinstall? it is imperative that i dont lose the existing urls, i will be shot on the spot if hat happens

thanks muchly in advance