Discuss Joomla! 3.4.5

A place to discuss recent announcements made by the Joomla! Core Team. Let's hear what you have to say.
pe7er
Joomla! Master
Posts: 24985
Joined: Thu Aug 18, 2005 8:55 pm
Location: Nijmegen, Netherlands

Discuss Joomla! 3.4.5

Post by pe7er » Thu Oct 22, 2015 2:10 pm

Here you can discuss the release of Joomla 3.4.5.

See Announcement: http://forum.joomla.org/viewtopic.php?f=8&t=896677
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Discuss Joomla! 3.4.5

Post by itoctopus » Thu Oct 22, 2015 2:17 pm

Hi Peter,

I couldn't find details about the SQL injection issue reported in the release. Can any Joomla website be attacked? Can this issue be exploited? Or is it only an issue if someone uses some Joomla functions in an extension?

I know that it is best to keep this a secret to avoid a massive hack of Joomla websites, but it would be nice if those of us who work with Joomla all the time have an idea on what's going on.

Thanks for providing more context.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

deleted user

Re: Discuss Joomla! 3.4.5

Post by deleted user » Thu Oct 22, 2015 2:50 pm

Additional context may be published by the researchers who reported the issue, however the Joomla project and the security team don't make it an active policy to publish exploit details. With that being said, now that the notice is public I can state that the issue has the potential to affect all Joomla components running on the versions specified in the notice if they are using the core MVC layer and have copied core conventions.

itoctopus
Joomla! Virtuoso
Posts: 4025
Joined: Mon Nov 25, 2013 4:35 pm
Location: Montreal, Canada

Re: Discuss Joomla! 3.4.5

Post by itoctopus » Thu Oct 22, 2015 3:02 pm

Thanks Michael - I just checked the code difference between 3.4.4 and 3.4.5 and I see what you mean. I will proceed with updating all our clients asap.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter

Gasoline
Joomla! Explorer
Posts: 468
Joined: Tue Aug 23, 2005 10:33 am
Location: NL

Re: Discuss Joomla! 3.4.5

Post by Gasoline » Thu Oct 22, 2015 8:40 pm

Hi,

I'm no expert in PHP, not even remotely close.

But I checked the data that was updated by today's update (after I updated all my client sites) and, e.g., I see in content.php some added lines compared to J3.4. But the original file seems similar to that in J2.5.

Sadly I have some clients that still haven't updated to J3 yet, so should I add those lines in content.php in J2.5, or will that break my site?

Maybe a little bit foolish question. But I wonder how safe my old sites are for the vulnerability.
Using Joomla since 2005.

AMurray
Joomla! Exemplar
Posts: 9739
Joined: Sat Feb 13, 2010 7:35 am
Location: Australia

Re: Discuss Joomla! 3.4.5

Post by AMurray » Thu Oct 22, 2015 9:58 pm

Gasoline wrote: Maybe a little bit foolish question. But I wonder how safe my old sites are for the vulnerability.
It would be better to just upgrade the 2.5.x sites to J3.x ASAP. The patch is for Joomla 3.4.x, not 2.5.x.

Is there any reason your clients are not ready to upgrade? Advise them it's critical to do so; otherwise they leave their sites vulnerable.
Regards - A Murray
General Support Moderator

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Discuss Joomla! 3.4.5

Post by leolam » Fri Oct 23, 2015 4:55 am

Gasoline wrote: Sadly I have some clients that still haven't updated to J3 yet, so should I add those lines in content.php in J2.5, or will that break my site?

Maybe a little bit foolish question. But I wonder how safe my old sites are for the vulnerability.
Hello,
A couple of things here, and Andy is right. These sites need a mini-migration (it is not an upgrade!) to Joomla 3.4.5. The security issues were not discovered in J2.5 since the code is different, which answers the other question: you are never allowed to mix code from different versions, since that will definitely break a site!

Last but not least, only one version of Joomla is guaranteed safe: Joomla 3.4.5! The rest is End-Of-Life or no longer supported, so make that clear to your clients!

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

bienthuy
Joomla! Apprentice
Posts: 27
Joined: Wed Oct 08, 2014 6:45 am

Re: Discuss Joomla! 3.4.5

Post by bienthuy » Fri Oct 23, 2015 5:53 am

I have just updated 2 sites to 3.4.5 without any error.
But in Extensions / Install / Install from Web it shows: Can't connect to the Joomla! server. Please try again later.
This is not the first time, but it's hard to install from web. I always have to download it to my computer and then upload.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Discuss Joomla! 3.4.5

Post by leolam » Fri Oct 23, 2015 5:56 am

Are you using SSL? For us everything works normally.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

bienthuy
Joomla! Apprentice
Posts: 27
Joined: Wed Oct 08, 2014 6:45 am

Re: Discuss Joomla! 3.4.5

Post by bienthuy » Fri Oct 23, 2015 6:05 am

leolam wrote: Are you using SSL? For us everything works normally.

Leo 8)
Yes, my site is running SSL.

Attached is what I'm seeing just now.

Gasoline
Joomla! Explorer
Posts: 468
Joined: Tue Aug 23, 2005 10:33 am
Location: NL

Re: Discuss Joomla! 3.4.5

Post by Gasoline » Fri Oct 23, 2015 8:34 am

leolam wrote: Last but not least, only one version of Joomla is guaranteed safe: Joomla 3.4.5! The rest is End-Of-Life or no longer supported, so make that clear to your clients!
I know, but I have some clients that are 'cheap'. But today's news I will use to stress them again that they have to update.

It's not a simple one-click upgrade. I have my own template, some extensions I use, etc.
The upgrade is not the problem, but I also need to do some work in setting up the new environment, changing some things in the template, etc. So a couple of hours at least.

But anyway, I'll try again.

But still my question stands: is J2 vulnerable for the content.php file?
Using Joomla since 2005.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Discuss Joomla! 3.4.5

Post by leolam » Fri Oct 23, 2015 3:06 pm

No

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Discuss Joomla! 3.4.5

Post by leolam » Fri Oct 23, 2015 3:15 pm

Just a heads-up for the JSST (Joomla Security Strike Team): over the past 24 hours since the release yesterday at 2 pm UTC we have upgraded over 700 Joomla sites, and ongoing.

We have no issues raised from any of our techs who are doing this, nor from our clients, so to the Security Team: WOW, job well done!!!!

Leo 8)
Last edited by leolam on Fri Oct 23, 2015 3:20 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

jgress-
Joomla! Ace
Posts: 1097
Joined: Thu Sep 24, 2009 5:40 pm
Location: Austin, TX, USA

Re: Discuss Joomla! 3.4.5

Post by jgress- » Fri Oct 23, 2015 3:16 pm

I did a lot of them too and zero problems. Thank you JSST!
Co-author Using Joomla, Second Edition (migration/upgrade included) http://www.usingjoomlabook.com
Find a Joomla User Group (JUG) near you http://community.joomla.org/user-groups.html

deleted user

Re: Discuss Joomla! 3.4.5

Post by deleted user » Fri Oct 23, 2015 3:51 pm

Since the question has been asked about a thousand times and since it seems that even specifying specific version strings in the notices doesn't answer it...

The security team does not actively test non-supported software platforms for security issues; just as stated in the title they are no longer supported. With that said though, and being very clear about the subject matter, the critical security vulnerability cannot and does not affect any version of Joomla earlier than 3.2.

Regarding the other two notices published, no, 2.5 is not affected. Given the scope of change between 1.5 and 2.5, without dedicated testing a guaranteed answer can't be given for that branch but if 2.5 is not affected it's safe to assume 1.5 is OK.

Webdongle
Joomla! Master
Posts: 44092
Joined: Sat Apr 05, 2008 9:58 pm

Re: Discuss Joomla! 3.4.5

Post by Webdongle » Sun Oct 25, 2015 6:45 pm

mbabker wrote: the critical security vulnerability cannot and does not affect any version of Joomla earlier than 3.2.
Two questions

1. Was the problem in the way the code was written originally, or was it a result of a new hack being used?

2. Does the update have any impact on Template overrides that were created prior to the 3.4.5 patch ? (I've looked at the files in the patch and can not see anything that might ... but would like it confirmed by a dev or member of the JSST ).
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

deleted user

Re: Discuss Joomla! 3.4.5

Post by deleted user » Sun Oct 25, 2015 7:10 pm

1. Without going into detail it was an issue in our code base only.

2. Nothing regarding layout files was changed, just as you saw in the code diff.

Webdongle
Joomla! Master
Posts: 44092
Joined: Sat Apr 05, 2008 9:58 pm

Re: Discuss Joomla! 3.4.5

Post by Webdongle » Sun Oct 25, 2015 7:20 pm

itoctopus wrote:...
I couldn't find details about the SQL injection issue reported in the release. ....
Found this (not sure of its accuracy):
Please note that this vulnerability is only exploitable while an administrator is logged into the site. If you must delay your upgrade, log out of any administrator accounts not in use. In addition, if you must log in as administrator, do so for only short periods of time.

CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.

The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
https://www.trustwave.com/Resources/Spi ... =0&month=0
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".

tigertiger333
Joomla! Apprentice
Posts: 5
Joined: Wed Jul 27, 2011 4:45 am

Re: Discuss Joomla! 3.4.5

Post by tigertiger333 » Mon Oct 26, 2015 6:30 am

We're not quite ready to upgrade from 3.2.x yet and want to patch this SQL injection manually.

Having read through the post from Trustwave, for now, would protecting the "/administrator" directory and updating only the files in "/administrator/components/com_contenthistory" via Joomla_3.4.4_to_3.4.5-Stable-Patch_Package suffice?

Please advise.

alikon
Joomla! Champion
Posts: 5941
Joined: Fri Aug 19, 2005 10:46 am
Location: Roma

Re: Discuss Joomla! 3.4.5

Post by alikon » Tue Oct 27, 2015 7:28 am

@tigertiger333
I'm afraid that won't work; you can mess up your site this way.

If you can't upgrade, which is "the solution",

don't log in as an administrator for a long time, and purge your sessions after.

You should lower the risk.
Nicola Galgano
i know that i don't know
www.alikonweb.it

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Discuss Joomla! 3.4.5

Post by leolam » Tue Oct 27, 2015 7:36 am

tigertiger333 wrote:Please advise.
Your only alternative to have your site secure is to upgrade (preferred). Alternatively you could purchase Admin Tools Pro and enable and configure (an automated function is available to do that) the AT-Firewall. Admin Tools' Firewall blocks events forthcoming from the security issues, but it is not the ultimate solution. You have basically no alternative, as Alikon already mentioned.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

tigertiger333
Joomla! Apprentice
Posts: 5
Joined: Wed Jul 27, 2011 4:45 am

Re: Discuss Joomla! 3.4.5

Post by tigertiger333 » Tue Oct 27, 2015 8:01 am

Have patched the files in "/administrator/components/com_contenthistory" so all the new ACL/Access checks are in place. No issues so far.

If you look at how the SQL injection is done it looks like this only affects com_content users? If one has never used com_content before, then the "ucm_history" table should be empty and the query would not execute properly, no?

Also, would removing $this->error->getMessage() from Joomla error pages help too? As visitors/regular users do not need to know what file/component/page/query is missing or not working, especially on a production site.

Lastly, would adding the site to CloudFlare with Web Application Firewall turned on help as well?
Last edited by imanickam on Tue Oct 27, 2015 1:23 pm, edited 1 time in total.
Reason: Removed the URL to the site where the SQL Injection has been demonstrated.

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Discuss Joomla! 3.4.5

Post by leolam » Tue Oct 27, 2015 8:11 am

This is very bad practice, since you mix versions and that is not done. Besides that, why can't you upgrade? Have you hacked core code of Joomla? That is also not the way of doing things properly (see overrides in the Joomla documentation). The only thing you are doing now is creating more and more issues with your site. Removing the code as mentioned renders your site useless. Sorry, but this is pure incorrect management of your site.

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

deleted user

Re: Discuss Joomla! 3.4.5

Post by deleted user » Tue Oct 27, 2015 1:22 pm

The SQLi attack does not only affect com_content. The documented attack vector uses it, as it's probably one of the easiest ways to accomplish the task attackers are looking to perform, but the reality is the SQLi has the potential to affect EVERY component written using the core MVC layer and running on a Joomla 3.2.0 to 3.4.4 installation.
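Two points raised above are worth seeing in code: the question of whether stripping detailed error messages from the public error page helps, and the statement that an injection in a shared list/query layer reaches every component built on it. The following is an added example written for this thread, not Joomla's own code and not the code changed in 3.4.5. It uses plain PHP 8 with PDO and an in-memory SQLite database instead of Joomla's database API, and the `history` table and its rows are constructed sample data. It shows the two controls a list model needs when request parameters steer a query (bound parameters for values, a fixed whitelist for column and direction names, which cannot be bound) and an error path that keeps the driver message for the server log while the visitor sees only a reference id.

```php
<?php
// Added example, not Joomla code: a list query that accepts user-controlled
// filter and ordering input without letting that input change the SQL text,
// plus an error path that logs the driver message server-side and shows the
// visitor only a generic reference. Plain PDO with an in-memory SQLite
// database so it runs stand-alone; the table and rows are constructed.
declare(strict_types=1);

final class HistoryListQuery
{
    // Column names cannot be bound as parameters, so ORDER BY input is
    // checked against a fixed whitelist; anything else gets the default.
    private const ORDER_COLUMNS = ['id', 'save_date', 'version_note'];
    private const ORDER_DIRECTIONS = ['ASC', 'DESC'];

    public function __construct(private PDO $db)
    {
    }

    /** @param array<string,string> $input raw request parameters, e.g. $_GET */
    public function fetch(array $input): array
    {
        $orderCol = $input['ordering'] ?? '';
        if (!in_array($orderCol, self::ORDER_COLUMNS, true)) {
            $orderCol = 'save_date';
        }
        $orderDir = strtoupper($input['direction'] ?? 'DESC');
        if (!in_array($orderDir, self::ORDER_DIRECTIONS, true)) {
            $orderDir = 'DESC';
        }

        // Values are bound, so the statement text never depends on them.
        $sql = 'SELECT id, item_id, version_note, save_date FROM history'
             . ' WHERE item_id = :item_id AND version_note LIKE :search'
             . " ORDER BY \"$orderCol\" $orderDir";
        $stmt = $this->db->prepare($sql);
        $stmt->execute([
            ':item_id' => (int) ($input['item_id'] ?? 0),
            ':search'  => '%' . ($input['search'] ?? '') . '%',
        ]);
        return $stmt->fetchAll(PDO::FETCH_ASSOC);
    }
}

// The split that makes dropping detail from the public error page safe:
// the exception message goes to the log with a reference id, the visitor
// gets only that id, and the operator correlates the two.
function renderListPage(PDO $db, array $input, callable $log): string
{
    try {
        $rows = (new HistoryListQuery($db))->fetch($input);
        return json_encode($rows, JSON_THROW_ON_ERROR);
    } catch (PDOException $e) {
        $ref = bin2hex(random_bytes(4));
        $log(sprintf('[%s] ref=%s db error: %s', date('c'), $ref, $e->getMessage()));
        http_response_code(500);
        return "An internal error occurred (reference $ref).";
    }
}

// Constructed sample data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE history (id INTEGER PRIMARY KEY, item_id INTEGER,'
        . ' version_note TEXT, save_date TEXT)');
$db->exec("INSERT INTO history (item_id, version_note, save_date) VALUES"
        . " (1, 'initial version', '2015-10-01'), (1, 'typo fix', '2015-10-20'),"
        . " (2, 'other item', '2015-10-21')");
$log = static fn (string $line) => error_log($line);

// Ordinary request: two rows for item 1, oldest first.
echo renderListPage($db, ['item_id' => '1', 'ordering' => 'save_date',
                          'direction' => 'asc'], $log), PHP_EOL;
// Ordering value not on the whitelist: ignored, default ordering applied.
echo renderListPage($db, ['item_id' => '1', 'ordering' => 'not_a_column'], $log), PHP_EOL;
// Search text is bound, so quotes in it are just data.
echo renderListPage($db, ['item_id' => '1', 'search' => "typo' fix"], $log), PHP_EOL;
```

Run it with `php example.php` (the `pdo_sqlite` extension must be enabled). The design point is that the whitelist, not escaping, is the control for identifiers, and that the same model class serves every component that reuses it, so a defect there has the component-wide reach described in the post above; the error handler shows that hiding detail from visitors does not mean losing it, it means moving it to a log the operator can read.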

leolam
Joomla! Master
Posts: 20652
Joined: Mon Aug 29, 2005 10:17 am
Location: Netherlands/ Germany/ S'pore/Bogor/ North America

Re: Discuss Joomla! 3.4.5

Post by leolam » Tue Oct 27, 2015 1:31 pm

Thanks Michael for clarifying further

Leo 8)
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -

eladmarmor
Joomla! Fledgling
Posts: 3
Joined: Thu Oct 29, 2015 7:26 am

Re: Discuss Joomla! 3.4.5

Post by eladmarmor » Thu Oct 29, 2015 12:21 pm

After updating to 3.4.5 on 4 websites on the same VPS, in one of them I'm getting the global configuration page missing CSS and not functioning.
I saw on the forum that it was an issue on version 3.4.0.
Tried to use solutions like replacing a line in the PDO file, but it was already there.
Can't find any solution to the problem, including repeating the update installation, clearing site, administrator and browser cache.
Checked with the server manager, everything is fine there.
The only error I got in the console was '500 internal server error', but only once.

darb
Joomla! Hero
Posts: 2042
Joined: Thu Jul 06, 2006 12:57 pm
Location: Stockholm Sweden

Re: Discuss Joomla! 3.4.5

Post by darb » Fri Oct 30, 2015 1:08 pm

Thanks, guys, for taking this action for this security update.

