Discuss Joomla! 3.4.5
- pe7er
- Joomla! Master
- Posts: 24985
- Joined: Thu Aug 18, 2005 8:55 pm
- Location: Nijmegen, Netherlands
- Contact:
Discuss Joomla! 3.4.5
Here you can discuss about the release of Joomla 3.4.5
See Announcement: http://forum.joomla.org/viewtopic.php?f=8&t=896677
Kind Regards,
Peter Martin, Global Moderator
Company website: https://db8.nl/en/ - Joomla specialist, Nijmegen, Netherlands
The best website: https://the-best-website.com
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: Discuss Joomla! 3.4.5
Hi Peter,
I couldn't find details about the SQL injection issue reported in the release. Can any Joomla website be attacked? Can this issue be exploited? Or is it only an issue if someone uses some Joomla functions in an extension?
I know that it is best to keep this a secret to avoid a massive hack of Joomla websites, but it would be nice if those of us who work with Joomla all the time have an idea on what's going on.
Thanks for providing more context.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
Re: Discuss Joomla! 3.4.5
Additional context may be published by the researchers who reported the issue, however the Joomla project and the security team don't make it an active policy to publish exploit details. With that being said, now that the notice is public I can state that the issue has the potential to affect all Joomla components running on the versions specified in the notice if they are using the core MVC layer and have copied core conventions.
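To show the class of mistake Michael describes (a component that copies a core MVC convention and lets request state flow into its query), here is an added example written for this thread, not code from Joomla or from the 3.4.5 patch. The class and method names are illustrative; the unsafe model pastes the requested sort column into SQL, the safe one checks it against an allowlist first.

```php
<?php
// Added example, not Joomla's own code or the 3.4.5 patch: a list model in the
// style of a Joomla MVC component that takes its sort column from the request.
// UnsafeListModel interpolates the user-supplied value straight into the ORDER BY
// clause; SafeListModel checks it against an allowlist first. Names are illustrative.

class UnsafeListModel
{
    /** @var array the "list" array from the request, e.g. $_GET['list'] */
    protected $list;

    public function __construct(array $list)
    {
        $this->list = $list;
    }

    // Defect: whatever arrives in list[ordering] / list[direction] becomes SQL.
    public function buildOrderClause()
    {
        return 'ORDER BY ' . $this->list['ordering'] . ' ' . $this->list['direction'];
    }
}

class SafeListModel
{
    /** @var array columns a request may sort by; anything else falls back to the default */
    protected $filterFields = array('a.id', 'a.title', 'a.created');

    /** @var array the "list" array from the request */
    protected $list;

    public function __construct(array $list)
    {
        $this->list = $list;
    }

    public function buildOrderClause()
    {
        $ordering  = isset($this->list['ordering']) ? (string) $this->list['ordering'] : '';
        $direction = isset($this->list['direction']) ? strtoupper((string) $this->list['direction']) : '';

        // Allowlist check: the request may only pick from known columns and directions.
        if (!in_array($ordering, $this->filterFields, true)) {
            $ordering = 'a.id';
        }
        if (!in_array($direction, array('ASC', 'DESC'), true)) {
            $direction = 'ASC';
        }

        // Quote each identifier part (what JDatabaseDriver::quoteName does in a real query).
        $quoted = implode('.', array_map(function ($part) {
            return '`' . $part . '`';
        }, explode('.', $ordering)));

        return 'ORDER BY ' . $quoted . ' ' . $direction;
    }
}

// Constructed request: a value that is not one of the model's columns at all.
$request = array('ordering' => 'not_a_column_at_all', 'direction' => 'ASC');

// The unsafe model passes the text through unchanged; the safe one falls back to a.id.
echo (new UnsafeListModel($request))->buildOrderClause(), PHP_EOL;
echo (new SafeListModel($request))->buildOrderClause(), PHP_EOL;
```

Joomla's own JModelList applies this allowlist idea to list ordering through its $filter_fields property. The point of the example is that a component which builds its own query from request state needs the same check on every value it uses, not only the ordering column; a component that copied the core pattern but left one field unchecked would be affected in exactly the way Michael describes.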
-
- Joomla! Virtuoso
- Posts: 4025
- Joined: Mon Nov 25, 2013 4:35 pm
- Location: Montreal, Canada
- Contact:
Re: Discuss Joomla! 3.4.5
Thanks Michael - I just checked the code difference between 3.4.4 and 3.4.5 and I see what you mean. I will proceed with updating all our clients asap.
http://www.itoctopus.com - Joomla consulting at its finest
https://twitter.com/itoctopus - Follow us on Twitter
- Gasoline
- Joomla! Explorer
- Posts: 468
- Joined: Tue Aug 23, 2005 10:33 am
- Location: NL
Re: Discuss Joomla! 3.4.5
Hi,
I'm no expert in PHP, not even remotely close.
But I checked the data that was updated by today's update (after I updated all my client sites) and f.e. I see in content.php some added lines compared to J3.4. But the original file seems similar to that in J2.5.
Sadly I have some clients that still don't update yet to J3, so should I add those lines in content.php in J2.5 or will that break my site?
Maybe a little bit foolish question. But I wonder how safe my old sites are for the vulnerability.
Using Joomla since 2005.
- AMurray
- Joomla! Exemplar
- Posts: 9739
- Joined: Sat Feb 13, 2010 7:35 am
- Location: Australia
Re: Discuss Joomla! 3.4.5
Gasoline wrote: Maybe a little bit foolish question. But I wonder how safe my old sites are for the vulnerability.
It would be better to just upgrade the 2.5.x sites to J3.x ASAP. The patch is for Joomla 3.4.x, not 2.5.x.
Is there any reason your clients are not ready to upgrade; advise them it's critical to do so otherwise they leave their sites vulnerable.
Regards - A Murray
General Support Moderator
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Discuss Joomla! 3.4.5
Hello,
Gasoline wrote: Sadly I have some clients that still don't update yet to J3, so should I add those lines in content.php in J2.5 or will that break my site?
Maybe a little bit foolish question. But I wonder how safe my old sites are for the vulnerability.
Couple of things here, and Andy is right. These sites need a mini-migration (it is not an upgrade!) to Joomla 3.4.5. The security issues were not discovered in J25 since the code is different, which answers the other question: you are never allowed to mix code from any version, since that will definitely break a site!
Last but not least, only one version of Joomla is guaranteed safe: Joomla 3.4.5! The rest is End-Of-Life or no longer supported --> make that clear to your clients?!
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- bienthuy
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Oct 08, 2014 6:45 am
- Contact:
Re: Discuss Joomla! 3.4.5
I have just updated 2 sites to 3.4.5 without any error.
But in Extensions / Install / Install from Web it shows: Can't connect to the Joomla! server. Please try again later.
This is not the first time, but it's hard to install from web. I always have to download it to my computer and then upload.
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Discuss Joomla! 3.4.5
Are you using SSL? For us all works normally.
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- bienthuy
- Joomla! Apprentice
- Posts: 27
- Joined: Wed Oct 08, 2014 6:45 am
- Contact:
Re: Discuss Joomla! 3.4.5
leolam wrote: Are you using SSL? For us all works normally.
Leo
Yes, my site is running SSL.
Attached is what I'm seeing just now.
- Gasoline
- Joomla! Explorer
- Posts: 468
- Joined: Tue Aug 23, 2005 10:33 am
- Location: NL
Re: Discuss Joomla! 3.4.5
leolam wrote: Last but not least, only one version of Joomla is guaranteed safe: Joomla 3.4.5! The rest is End-Of-Life or no longer supported --> make that clear to your clients?!
I know, but I have some clients that are 'cheap'. But today's news I will use to stress them again that they have to update.
It's not a simple one-click upgrade. I have my own template, some extensions I use, etc.
The upgrade is not the problem, but I also need some work in setting up the new environment, changing some things in the template, etc. So a couple of hours at least.
But anyway, I'll try again.
But still my question stands: is J2 vulnerable for the content.php file?
Using Joomla since 2005.
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Discuss Joomla! 3.4.5
No
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Discuss Joomla! 3.4.5
Just a heads-up for the JSST (Joomla Security Strike Team): we have upgraded over 700 Joomla sites in the past 24 hours since the release yesterday at 2 pm UTC, and ongoing.
We have no issues raised from any of our techs who are doing this nor from our clients, so to the Security Team: WOW, job well done!!!!
Leo
Last edited by leolam on Fri Oct 23, 2015 3:20 pm, edited 1 time in total.
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Ace
- Posts: 1097
- Joined: Thu Sep 24, 2009 5:40 pm
- Location: Austin, TX, USA
Re: Discuss Joomla! 3.4.5
I did a lot of them too and zero problems. Thank you JSST!
Co-author Using Joomla, Second Edition (migration/upgrade included) http://www.usingjoomlabook.com
Find a Joomla User Group (JUG) near you http://community.joomla.org/user-groups.html
Re: Discuss Joomla! 3.4.5
Since the question has been asked about a thousand times and since it seems that even specifying specific version strings in the notices doesn't answer it...
The security team does not actively test non-supported software platforms for security issues; just as stated in the title they are no longer supported. With that said though, and being very clear about the subject matter, the critical security vulnerability cannot and does not affect any version of Joomla earlier than 3.2.
Regarding the other two notices published, no, 2.5 is not affected. Given the scope of change between 1.5 and 2.5, without dedicated testing a guaranteed answer can't be given for that branch but if 2.5 is not affected it's safe to assume 1.5 is OK.
- Webdongle
- Joomla! Master
- Posts: 44092
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Discuss Joomla! 3.4.5
mbabker wrote: the critical security vulnerability cannot and does not affect any version of Joomla earlier than 3.2.
Two questions:
1. Was the problem in the way the code was written originally, or was it a result of a new hack being used?
2. Does the update have any impact on template overrides that were created prior to the 3.4.5 patch? (I've looked at the files in the patch and cannot see anything that might ... but would like it confirmed by a dev or member of the JSST.)
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
Re: Discuss Joomla! 3.4.5
1. Without going into detail it was an issue in our code base only.
2. Nothing regarding layout files was changed, just as you saw in the code diff.
- Webdongle
- Joomla! Master
- Posts: 44092
- Joined: Sat Apr 05, 2008 9:58 pm
Re: Discuss Joomla! 3.4.5
itoctopus wrote: ...
I couldn't find details about the SQL injection issue reported in the release. ....
Found this (not sure of its accuracy): https://www.trustwave.com/Resources/Spi ... =0&month=0
Please note that this vulnerability is only exploitable while an administrator is logged into the site. If you must delay your upgrade, log out of any administrator accounts not in use. In addition, if you must log in as administrator, do so for only short periods of time.
CVE-2015-7857 enables an unauthorized remote user to gain administrator privileges by hijacking the administrator session. Following exploitation of the vulnerability, the attacker may gain full control of the web site and execute additional attacks.
The vulnerability can be exploited in Joomla versions 3.2 (released in November 2013) through version 3.4.4.
Because the vulnerability is found in a core module that doesn't require any extensions, all websites that use Joomla versions 3.2 and above are vulnerable.
http://www.weblinksonline.co.uk/
https://www.weblinksonline.co.uk/updating-joomla.html
"When I'm right no one remembers but when I'm wrong no one forgets".
-
- Joomla! Apprentice
- Posts: 5
- Joined: Wed Jul 27, 2011 4:45 am
Re: Discuss Joomla! 3.4.5
We're not quite ready to upgrade from 3.2.x yet and want to patch this SQL injection manually.
Having read through the post from Trustwave, for now, would protecting the "/administrator" directory and updating only the files in "/administrator/components/com_contenthistory" via Joomla_3.4.4_to_3.4.5-Stable-Patch_Package suffice?
Please advise.
- alikon
- Joomla! Champion
- Posts: 5941
- Joined: Fri Aug 19, 2005 10:46 am
- Location: Roma
- Contact:
Re: Discuss Joomla! 3.4.5
@tigertiger333
I'm afraid that doesn't work; you can mess up your site this way.
If you can't upgrade, which is "the solution",
don't log in as an administrator for a long time, and purge your session afterwards;
you should lower the risk.
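The interim measure alikon and the Trustwave note describe (keep administrator logins short, purge sessions) can be scripted. The following is an added example for this thread, not code from Joomla or from any poster: it lists the logged-in back-end sessions in Joomla's session table and then deletes them, so every administrator is signed out and the window in which a session could be hijacked is closed. It assumes a Joomla 3 #__session table with the columns session_id, client_id (1 = administrator application), guest (0 = logged-in user), userid, username and time; the DSN, credentials and table prefix are placeholders.

```php
<?php
// Added example, not part of this thread or of Joomla: an interim measure for a
// site whose update has to wait. Lists the logged-in back-end sessions in the
// Joomla session table, then removes them so every administrator is logged out.
// Assumptions: Joomla 3 #__session columns session_id, client_id (1 = administrator
// application), guest (0 = logged-in user), userid, username, time (unix timestamp).
// DSN, credentials and prefix below are placeholders for your own values.

$dsn    = 'mysql:host=localhost;dbname=JOOMLA_DB;charset=utf8';  // placeholder
$dbUser = 'DB_USER';                                             // placeholder
$dbPass = 'DB_PASSWORD';                                         // placeholder
$prefix = 'jos_';                                                // your $dbprefix from configuration.php

$pdo   = new PDO($dsn, $dbUser, $dbPass, array(PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION));
$table = '`' . $prefix . 'session`';

// Step 1: who holds a logged-in administrator session right now?
$rows = $pdo->query(
    "SELECT session_id, userid, username, time FROM $table WHERE client_id = 1 AND guest = 0"
)->fetchAll(PDO::FETCH_ASSOC);

printf("%d logged-in back-end session(s)%s", count($rows), PHP_EOL);
foreach ($rows as $row) {
    // Session ids are secrets: print only a short prefix, never the whole value.
    printf(
        "  user %s (id %s), last seen %s, session %s...%s",
        $row['username'],
        $row['userid'],
        date('c', (int) $row['time']),
        substr($row['session_id'], 0, 6),
        PHP_EOL
    );
}

// Step 2: purge them. Affected administrators are logged out and must sign in again.
$purged = $pdo->exec("DELETE FROM $table WHERE client_id = 1 AND guest = 0");
printf("purged %d session(s)%s", $purged, PHP_EOL);
```

Run it from the command line on the server (php purge_admin_sessions.php) after finishing any administrator work, and pair it with a short session $lifetime in configuration.php so idle back-end sessions expire quickly on their own. It does not fix the vulnerability; it only shrinks the window the Trustwave note describes, which is why the replies above still say the update is the solution.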
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Discuss Joomla! 3.4.5
tigertiger333 wrote: Please advise.
Your only alternative to have your site secure is to upgrade (preferred). Alternatively you could purchase Admin Tools Pro and enable and configure (an automated function is available to do that) the AT-Firewall. Admin Tools' Firewall blocks events resulting from the security issues, but it is not the ultimate solution. You have basically no alternative, as Alikon already mentioned.
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Apprentice
- Posts: 5
- Joined: Wed Jul 27, 2011 4:45 am
Re: Discuss Joomla! 3.4.5
Have patched the files in "/administrator/components/com_contenthistory" so all the new ACL/Access checks are in place. No issues so far.
If you look at how the SQL injection is done it looks like this only affects com_content users? If one has never used com_content before, then the "ucm_history" table should be empty and the query would not execute properly, no?
Also, would removing $this->error->getMessage() from Joomla error pages help too? As visitors/regular users do not need to know what file/component/page/query is missing or not working, especially on a production site.
Lastly, would adding the site to CloudFlare with Web Application Firewall turned on help as well?
Last edited by imanickam on Tue Oct 27, 2015 1:23 pm, edited 1 time in total.
Reason: Removed the URL to the site where the SQL Injection has been demonstrated.
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Discuss Joomla! 3.4.5
This is very bad practice since you mix versions, and that is not done. Besides that, why can't you upgrade? Have you hacked the core code of Joomla? That is also not the way of doing things properly (see overrides in the Joomla documentation). The only thing you are doing now is creating more and more issues with your site. Removing the code as mentioned renders your site useless. Sorry, but this is purely incorrect management of your site.
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
Re: Discuss Joomla! 3.4.5
The SQLi attack does not only affect com_content. The documented attack vector uses it, as it's probably one of the easiest ways to accomplish the task attackers are looking to perform, but the reality is the SQLi has the potential to affect EVERY component written using the core MVC layer and running on a Joomla 3.2.0 to 3.4.4 installation.
- leolam
- Joomla! Master
- Posts: 20652
- Joined: Mon Aug 29, 2005 10:17 am
- Location: Netherlands/ Germany/ S'pore/Bogor/ North America
- Contact:
Re: Discuss Joomla! 3.4.5
Thanks Michael for clarifying further
Leo
Joomla's #1 Professional Services Provider:
#Joomla Professional Support: https://gws-desk.com -
#Joomla Specialized Hosting Solutions: https://gws-host.com -
-
- Joomla! Fledgling
- Posts: 3
- Joined: Thu Oct 29, 2015 7:26 am
Re: Discuss Joomla! 3.4.5
After updating to 3.4.5 on 4 websites on the same VPS, in one of them I'm getting the global configuration page missing CSS and not functioning.
I saw on the forum that it was an issue on version 3.4.0.
Tried to use solutions like replacing a line in the PDO file, but it was already there.
Can't find any solution to the problem, including repeating the update installation, clearing site, administrator and browser cache.
Checked with the server manager, everything is fine there.
The only error I got in the console was '500 internal server error', but only once.
- darb
- Joomla! Hero
- Posts: 2042
- Joined: Thu Jul 06, 2006 12:57 pm
- Location: Stockholm Sweden
Re: Discuss Joomla! 3.4.5
Thanks guys for taking this action for this security update..