Discuss Joomla! 3.9.3

[pe7er]

Here you can discuss about the release of Joomla 3.9.3

See Announcement: viewtopic.php?f=8&t=969693

[timcsalmon]

My site in 3.9.2 was working fine using php 7.2, after the update to 3.9.3 it did not work, but it does by switching php version back to 7.1. Is this a known issue?

[toivo]

Create a separate topic in the forum 'Migrating and Upgrading to Joomla! 3.x' at viewforum.php?f=710 and include the results from the Forum Post Assistant (FPA) by following the instructions from viewtopic.php?f=806&t=969442.

If the back end works, change also the error reporting in Global Configuration to 'Maximum' and post the PHP error messages, warnings and notices.

[pmleconte]

My site in 3.9.2 was working fine using php 7.2, after the update to 3.9.3 it did not work, but it does by switching php version back to 7.1. Is this a known issue?

I did update from 3.9.2 to 3.9.3 on a dozen websites running php 7.2 without any noticeable problem.

Enable debugging to give us more information about your problem : go to System/Global Config, System tab, set Debug System, then go to Server Tab and set Error Reporting to Maximum. This should tell you which extension/module/plugin did not like Joomla! 3.9.3.

Pascal

[toivo]

Updated several sites, including launch.joomla.org/joomla.com sites to 3.9.3 and the updates worked perfectly. Thanks to all the teams involved!

[nailson_imgn]

I'm using PHP 7.2.12. The update went through without any noticeable impact.

Thank you and keep up the good work!

[Per Yngve Berg]

.htaccess & web.config security Update
Siden versjon 3.9.3

Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so called MIME-type sniffing feature in webbrowsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.

The security teams recommends to manually apply the necessary changes to existing .htaccess or web.config files, as those files can not be updated automatically.

Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>
Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>

How is this done on Nginx?

[pmleconte]

How is this done on Nginx?

if you check https://content-security-policy.com/, server config is described at the bottom of the page (Apache, NGinx, IIS).

To handle this, I prefer zero-24's plugin : httpheader (included in Joomla 4.0) :
https://github.com/zero-24/plg_system_h ... r/releases

Pascal

[sozzled]

Thanks, @Per, for highlighting the recommendations of the JSST concerning MIME type sniffing. I'm not sure if I have the answer to his question [as far as NGINX is concerned) but it prompted me to do some research: https://www.keycdn.com/support/x-content-type-options

** Disclaimer **
I haven't yet installed J! 3.9.3 on any of my websites and I haven't yet modified my .htaccess files in accordance with the latest security recommendations.
** End Disclaimer **

Let's also not forget that these changes to htaccess.txt will probably attract more attention for J! users constructing new websites starting with J! 3.9.3. While all members of the community should take note of the recommendation—to review all of their websites and, where they have .htaccess (or similar) webserver mechanisms in place—they should edit these files. These matters are particularly important for the huge section of the community who mistakenly believe that

a) J! 1.x is safe and never requires updating;
b) J! 2.5 is safe, never requires maintenance, and will go on to live forever;
c) any website that was built with J! 3.x before J! 3.9.3 is safe, nothing to worry about, will never be hacked, and doesn't need to be updated to J! 3.9.3;
d) any website, once built, will outlast the pyramids of Egypt, the European Union, the iPhone or climate change; or
e) updating to J! 3.9.3 will not require "post-upgrade" [manual] attention to apply the recommendations contained in the latest release.

The security teams recommends to manually apply the necessary changes to existing .htaccess or web.config files, as those files can not be updated automatically.

My websites usually attract about 30-50 content-sniffing "experiments" every day. Makes one wonder why there are "businesses" or individuals who spend their resources looking to see how my websites were built, what technology/techniques I've employed, and whether they can hack their way into 'em, doesn't it? Oh well, it's there time and money, I guess.

So, again thank you, @Per, for highlighting this important matter (albeit "relatively" low risk for most people) and I will be taking these recommendations on board and changing the .htaccess files for all of my web sites. Cheers.

[ribo]

Updated many joomla websites. No problem with update progress. Thank you joomla team

[sozzled]

Further observations w.r.t. @Per's earlier post

Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>

Make sure you use the right method depending on whether you're modifying .htaccess or web.config—you should modify one or the other—and don't just "copy and paste" everything from @Per's post.

I've updated one test website to J! 3.9.3 and, so far, I haven't seen any issues resulting from updating. Will continue to test.

[spjones1]

upgrade to Joomla 3.9.3 and now when I force a user to change their password the page goes blank. I have another site this on 3.9.2 and their is no issue, anyone else have the same problem.

Thanks

[tezzerp]

Just updated and got this message
.htaccess & web.config security Update

Since version 3.9.3

Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so called MIME-type sniffing feature in webbrowsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.

The security teams recommends to manually apply the necessary changes to existing .htaccess or web.config files, as those files can not be updated automatically.

Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>


Presumably this could be quite a number of files, is there an easy way?
Thanks
Terry

[pmleconte]

Hi,

I don't understand why development team is pointing out "nosniff" as very important stuff, when all headers security is.

Last month, a french forumer had his whole website in a frame of another website (https://forum.joomla.fr/forum/joomla-3- ... onnais-pas) That's in french but we had to explain how headers are working. It was not a "sniffing" problem but a X-frame-Options header to set up.

As I said earlier, you may use a plugin (httpheaders that will be included in Joomla 4) to implement this and won't have to worry about htaccess, apach, nginx, iis.

Pascal

[sozzled]

I've updated all my J! 3.x websites—the ones that I intend to update, anyway—to J! 3.9.3 without any probems. Thanks to everyone involved for making and testing the changes.

Unless people want to go on living in some backwater of the internet, there's no justification for not updating to J! 3.9.3. I would even go further to say that anyone who has not updated, or does not plan to update, to J! 3.9.3 by now (or within the next few days) only has the excuse that they're too lazy to do any work or that they have some "academic interest" in outdated versions of J!.

I have not updated a couple of my old J! 3.x websites for "academic interest" reasons; not because I don't have the time to update them.

I agree with Pascal that it probably would be better for these security headers to be managed within the CMS, perhaps by way of a plugin for that purpose, rather than having to edit the .htaccess file (or tailoring the .htaccess/web.config accordingly depending on whether the server is Apache, Nginx, IIS, etc.). The solution largely depends on how many websites someone may be managing and how much time one is prepared to invest in these activities. There's a finite limit on how many websites someone can manage by themselves (even excluding the use of services like myJoomla.com, for example).

For those people who may argue that there's an excessive burden in maintaining 50 or more websites, they should probably ask themselves the question "why?". And, more to the point, the number of people who have 50 or more websites that they're maintaining is probably less than 0.01% of the entire community. In fact, the bulk of people who use this forum (excluding "forum junkies" like me) would probably only have one website. So it's not really a big deal, is it?

Cheers.

[Per Yngve Berg]

I found this article about security in niginx.

https://gist.github.com/plentz/6737338

Code: Select all

add_header X-Content-Type-Options nosniff;

It's put in nginx.conf

[sozzled]

(Not that I know anything about Nginx ... but ...) thanks, @Per.

[hehemrin]

More regarding the After-installation messages in control panel:
It is recommended to update the "web.config" file. I do not have that one. But I have web.config.txt, which was updated automatically. Should I create "web.config"-file? Its purpose? I feel as I may have missed this since long time. Maybe someone who understands can point me to relevant info.
(I have since long time an .htaccess-file, so that message I understand.)

[sozzled]

@hehemrin: you don't need web.config if you use .htaccess. Search the Internet for what web.config is used with.

[tezzerp]

Just updated and got this message
.htaccess & web.config security Update

Since version 3.9.3

Since Joomla 3.9.3, Joomla is shipped with additional security hardenings in the default htaccess.txt and web.config.txt files. These hardenings disable the so called MIME-type sniffing feature in webbrowsers. The sniffing leads to specific attack vectors, where scripts in normally harmless file formats (i.e. images) will be executed, leading to Cross-Site-Scripting vulnerabilities.

The security teams recommends to manually apply the necessary changes to existing .htaccess or web.config files, as those files can not be updated automatically.

Changes for .htaccess
Add the following lines before "## Mod_rewrite in use.":

<IfModule mod_headers.c>
Header always set X-Content-Type-Options "nosniff"
</IfModule>

Changes for web.config
Add the following lines right after "</rewrite>":

<httpProtocol>
<customHeaders>
<add name="X-Content-Type-Options" value="nosniff" />
</customHeaders>
</httpProtocol>


Presumably this could be quite a number of files, is there an easy way?
Thanks
Terry

Now checked I have about 25 of each , so thats 50 in total. Surely there is an easy way?

[Per Yngve Berg]

Now checked I have about 25 of each , so thats 50 in total. Surely there is an easy way?

Your server uses one of the files, not both.

Apache: .htaccess
IIS: web.config
Nginx: nginx.conf

[sozzled]

@tezzerp : the recommended changes should take less than 30 seconds to make (if people want to make them) but, first of all, let's get a few facts sorted out:

1) not everyone uses a .htaccess or web.config file
2) .htaccess files are used on Apache webservers
3) web.config files are used on IIS servers
4) if you're running your website on an Apache webserver then you do not need a web.config file
5) if you're running your website on an IIS webserver then you do not need a .htaccess file
6) if you are running your website on a Nginx webserver then you cannot use .htaccess or web.config anyway
7) if you do not know what .htaccess, web.config or nginx.conf files are used for then you should learn
8) if you want to prevent potential cross-site-scripting vulnerabilities via X-Content-Type-Options then you should do something; if you don't want to prevent XSS vulnerabilities via X-Content-Type-Options security headers the you should do nothing
9) if all of this sounds too difficult then you should probably spend a few dollars and get someone to do a security audit on your website
10) if you don't want to spend a few dollars to employ someone to do the work for you then that's OK but that doesn't mean you have to complain that you have 50 websites and it's taking you more than one hour to do the job
11) if you don't agree with any of points 1-11 above that's OK, too. I respect your choice to disagree
12) the above list is not a complete list of all the facts; there may be others
13) the above list may not be factual; it may contain the personal opinions of the author
14) making these changes requires the following tools (a) a text editor, (b) file-transfer software, (c) a good eye and a steady hand, and (d) some intelligence to co-ordinate all of (a), (b) and (c)
15) not everyone can read English
16) no-one pays any attention to the things I write on the forum, anyway

And, lastly ... some things are easy for some people and they're not easy for others.

[trevbennett]

I just tried (twice) to upgrade from J 3.9.2 to 3.9.3 using Joomla update and it hangs showing
Updating your Joomla files. Please wait ...
Percent complete
Bytes read
Bytes extracted
Files extracted
- never goes anywhere?

[hehemrin]

Thanks sozzled and Per Yngve Berg, now it's clear to me I don't need to bother about web.config. When I search on internet, it is relatively easy to find info about .htaccess (incl from my web hotel), but more difficult to find info about web.config, or their differences. Good we have a Joomla Forum!

When it comes to update the file; for me it was very easy: I logon to the Web hotel Control Panel (CP), (ie not Joomla CP), open CP File Manager and open the .htaccess in CP Text editor, edit, Save and Done. The instruction in the Joomla After-Installation message is very precise and accurate how the file is edited.

[sozzled]

I just tried (twice) to upgrade from J 3.9.2 to 3.9.3 using Joomla update and it hangs ...

This may happen to one or two people and it's happened before (with one or two people) with other Joomla updates. There are usually specific issues involved.

This is not a "problem solving" thread for specific problems with individual users. We have other places where people can seek help with their unique problems.

We cannot resolve your problem in this discussion topic. I suggest that you start a new discussion topic with the subject "Updating to J! 3.9.3 hangs", repeat what you wrote here (in this topic) and use the Forum Post Assistant tool to give us information about your particular environment. Thanks.

[tezzerp]

@tezzerp : the recommended changes should take less than 30 seconds to make (if people want to make them) but, first of all, let's get a few facts sorted out:

1) not everyone uses a .htaccess or web.config file
2) .htaccess files are used on Apache webservers
3) web.config files are used on IIS servers
4) if you're running your website on an Apache webserver then you do not need a web.config file
5) if you're running your website on an IIS webserver then you do not need a .htaccess file
6) if you are running your website on a Nginx webserver then you cannot use .htaccess or web.config anyway
7) if you do not know what .htaccess, web.config or nginx.conf files are used for then you should learn
if you want to prevent potential cross-site-scripting vulnerabilities via X-Content-Type-Options then you should do something; if you don't want to prevent XSS vulnerabilities via X-Content-Type-Options security headers the you should do nothing
9) if all of this sounds too difficult then you should probably spend a few dollars and get someone to do a security audit on your website
10) if you don't want to spend a few dollars to employ someone to do the work for you then that's OK but that doesn't mean you have to complain that you have 50 websites and it's taking you more than one hour to do the job
11) if you don't agree with any of points 1-11 above that's OK, too. I respect your choice to disagree
12) the above list is not a complete list of all the facts; there may be others
13) the above list may not be factual; it may contain the personal opinions of the author
14) making these changes requires the following tools (a) a text editor, (b) file-transfer software, (c) a good eye and a steady hand, and (d) some intelligence to co-ordinate all of (a), (b) and (c)
15) not everyone can read English
16) no-one pays any attention to the things I write on the forum, anyway

And, lastly ... some things are easy for some people and they're not easy for others.

OK I did a search in Cpanel File Manager and each (!) came up with 25 locations.
Can someone please confirm exactly where these files that have to be altered are located in a typical Joomla installation on an Apache Webserver.
Thanks
Terry

[sozzled]

@tezzerp: perhaps you should start a new discussion topic?

If you are using an Apache webserver then, for each website that you are hosting on that server, you may want to make one change for each website. The question is, how many websites are you hosting on your web server? Then we may be able to answer the question. It would be better, however, to create a new discussion topic about your problems.

It's a pretty simple question, isn't it: "How many websites does someone manage on a web server?" It shouldn't really take a day to answer the question. If the person doesn't know how many websites they're managing on a web server then I don't know how we can help someone like that.

[tezzerp]

@tezzerp: perhaps you should start a new discussion topic?

If you are using an Apache webserver then, for each website that you are hosting on that server, you may want to make one change for each website. The question is, how many websites are you hosting on your web server? Then we may be able to answer the question. It would be better, however, to create a new discussion topic about your problems.

It's a pretty simple question, isn't it: "How many websites does someone manage on a web server?" It shouldn't really take a day to answer the question. If the person doesn't know how many websites they're managing on a web server then I don't know how we can help someone like that.

I did and it got moved to this one.
I have one site only. I searched on Cpanel in my one site and it was shown to be in 25 locations within the Joomla installation. Which one do I change or do I have to do all of them?

[sozzled]

@tezzerp: if you have one website (on an Apache webserver) then you need to modify one file. The file is called .htaccess. The .htaccess file resides in the folder where you have the configuration.php file.

If you do not have a .htaccess then you do not need to worry about anything.

I don't understand the "25 locations within the Joomla installation". Please explain what these 25 locations are (or give examples of, say, five of them).

I'm surprised that your problem was moved into this discussion topic. This is a general discussion about the release of J! 3.9.3. Specific problems (affecting one or two people) should be discussed in separate forum topics.

I do not have the problem of "25 locations" within the one J! website, sorry.

[tezzerp]

Thank you for bearing with me. Yes I had only one txt file but many .htaccess files
I have now edited the txt file as required
Sorry to be a numpty
Terry