http://www.securityfocus.com/archive/1/ ... 0/threaded
It says the version Joomla 1.0.x has not fixed this security bug; does somebody know about that?
Greetings.
Curiously enough, there are no other references to CSRF in this forum (by search) and no posts referring to anything like this on the 1.5 security board or here on or around 12/4 when this was supposed to have been reported. The alert referred to in the link above has spread like wildfire all over the Net, but every one of the versions of the notice I've seen is in forum-like areas of security sites and either refers back to the original post on the reporter's website or contains an exact cut and paste of the original alert.

tuxsoul wrote: Hi, checking in the securityfocus, see one bug for joomla, can you see here:
http://www.securityfocus.com/archive/1/ ... 0/threaded
It says the version Joomla 1.0.x has not fixed this security bug; does somebody know about that?
Greetings.
So I looked further in this forum and found http://www.joomla.org/content/view/4335/116/ which shows the 1.5.0 Changelog:

I myself tried to check it out.. worked it out and via an XSS vulnerable page was able to add a superadmin Smoothly! Check it out With LiveHTTPHeader Addon in Mozilla/Firefox installed

10-Dec-2007 Laurens Vandeput ** Bug Squash Event: Brussels **
* SECURITY A5 [HIGH] Critical CSRF allow portal compromise - Administrator components. Thanks to Paul Delbar & Jeroen Loose.
09-Dec-2007 Rob Schley ** Bug Squash Event: SF **
* SECURITY A5 [HIGH] [#8361] Critical CSRF allow portal compromise. Administrator components
09-Dec-2007 Andrew Eddie ** Bug Squash Event from home **
* SECURITY A5 [HIGH] [#8361] Critical CSRF allow portal compromise - admin com_users only

There isn't any doubt that a problem was found and fixed, at least in 1.5 RC4.

I didn't find any reference to 1.x. I think the claim that it affects every version is a bit wishful; there don't seem to be the facts to back that up. If it had been true, and affected versions other than the SVN, then we would surely have been told about it and a patch issued.

Submitted By: Wilco Jansen
Adddate: 2007-12-10 15:32:06
30 tasks have been created, and all have been processed. Closing.
reading the wiki about it http://en.wikipedia.org/wiki/Cross-site_request_forgery

PhilTaylor-Prazgod wrote: From what I know of CSRF the vulnerability would require me to be logged in to my joomla admin and to then visit a web page that the hacker had set up.... So if I don't visit any hackers websites I should be fine ;-) ;-)
I believe we had this once before in Mambo days....
Sorry if I gave the impression I was upset.. not the case... but comments like the one above are concerning.. it's scary to think the newer, shinier object might be getting the attention while the tried and true is being kicked to the curb. I'm not saying that's what is happening, don't get me wrong -- but if it did happen it wouldn't be the first time...

PhilTaylor-Prazgod wrote: it appears that Joomla 1.5 development has taken the rush off fixing Joomla 1.0.13

Would you please clarify this last bit? I want to make sure I understand what you're saying.

PhilTaylor-Prazgod wrote: and if you allow users to modify your site's frontend, be careful not to surf your frontend as well while logged in.

musiczineguy wrote: Sorry if I gave the impression I was upset.. not the case... but comments like the one above are concerning.. it's scary to think the newer, shinier object might be getting the attention while the tried and true is being kicked to the curb. I'm not saying that's what is happening, don't get me wrong -- but if it did happen it wouldn't be the first time...

PhilTaylor-Prazgod wrote: it appears that Joomla 1.5 development has taken the rush off fixing Joomla 1.0.13

It was also said somewhere else, although I cannot find it now, that Joomla 1.0.13 would be the last version of Joomla 1.0.x

http://dev.joomla.org/content/blogcategory/21/86/ wrote: Joomla! 1.0.12 is intended to be the last Stability Release in the 1.0.x series.

If you allow users to change any html of your site (for example to type the ) then in theory a bad user could embed a bad link and when you view that page the hidden [BAD CODE] triggers a series of [THINGS] that does [BAD] things to your site..

Would you please clarify this last bit? I want to make sure I understand what you're saying.

PhilTaylor-Prazgod wrote: and if you allow users to modify your site's frontend, be careful not to surf your frontend as well while logged in.
Thanks and you're right.. cooler heads will definitely prevail in this situation!
True true, my mistake sorry.

Zinho - Please note I am not a core developer of Joomla - I never have said I was - but I am someone with a lot of experience here in Joomla/Mambo land.
Understood, but considering there is no stable release of 1.5, hopefully this type of a situation warrants a security patch at the least.

PhilTaylor-Prazgod wrote: It was also said somewhere else, although I cannot find it now, that Joomla 1.0.13 would be the last version of Joomla 1.0.x

Yes, [THINGS] and [BAD CODE] are perfectly fine for me as I now understand where you're coming from and don't need to know the details, was just looking for direction. Thanks!

PhilTaylor-Prazgod wrote: If you allow users to change any html of your site (for example to type the ) then in theory a bad user could embed a bad link and when you view that page the hidden [BAD CODE] triggers a series of [THINGS] that does [BAD] things to your site..

[THINGS] in square brackets are an attempt to keep the finer details secret at this time - all these things can be found out with a little research.
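The mechanism described in the posts above (an administrator who is logged in views a page that carries a hidden request, and the browser attaches the admin session cookie to it) is exactly what a per-session token defeats, which is the class of fix the 1.5 changelog entries in this thread record for the administrator components. What follows is an added example written for this page, not code from the thread and not Joomla's own code: a constructed Python model of an admin "save user" handler that checks only the session cookie, beside the same handler requiring a session-bound token (with an Origin check as defence in depth). The class and function names, the site origin, the `com_users`/`task=save` field layout and the user records are all assumptions made for the illustration.

```python
"""Constructed model of an administrator 'save user' action, first with only a
session-cookie check and then with a session-bound CSRF token.  Hypothetical
example code, not Joomla's; names and field layout are assumptions."""
import hmac
import secrets
from urllib.parse import parse_qs

SITE_ORIGIN = "https://example.test"  # assumed origin of the administrator site


class AdminApp:
    """Minimal stand-in for an admin back end keyed by a session id cookie."""

    def __init__(self):
        self.sessions = {}  # session id -> {"user": name, "csrf": token}
        self.users = {"admin": "Super Administrator"}  # constructed user table

    def login(self, username):
        """Start a session and mint one unguessable token for it, kept server side."""
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": username, "csrf": secrets.token_hex(32)}
        return sid

    def user_form(self, sid):
        """HTML the real admin page would serve.  The token travels in the form
        body, so a page on another origin can neither read it nor have the
        browser attach it automatically the way it attaches the session cookie."""
        token = self.sessions[sid]["csrf"]
        return (
            f'<form method="post" action="{SITE_ORIGIN}/administrator/index.php">'
            '<input type="hidden" name="option" value="com_users">'
            '<input type="hidden" name="task" value="save">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            '<input name="name"><input name="usertype"><input type="submit"></form>'
        )

    def _save_user(self, body):
        params = parse_qs(body)
        name = params["name"][0]
        self.users[name] = params["usertype"][0]
        return 200, f"saved {name}"

    def save_user_vulnerable(self, sid, body):
        """Before: the only check is the session cookie, which the victim's
        browser attaches to every request to this site, whoever triggered it."""
        if sid not in self.sessions:
            return 403, "not logged in"
        return self._save_user(body)

    def save_user_fixed(self, sid, body, origin=None):
        """After: the request must also carry the token bound to this session."""
        if sid not in self.sessions:
            return 403, "not logged in"
        supplied = parse_qs(body).get("csrf_token", [""])[0]
        expected = self.sessions[sid]["csrf"]
        # constant-time comparison so the check itself leaks nothing about the token
        if not hmac.compare_digest(supplied, expected):
            return 403, "invalid or missing token"
        # defence in depth: when the browser sends an Origin header, it must be ours
        if origin is not None and origin != SITE_ORIGIN:
            return 403, "cross-origin request refused"
        return self._save_user(body)


def cross_site_body():
    """Constructed: a request triggered from a page the admin merely viewed.
    Ordinary fields can be filled in, but the session-bound token is unknown."""
    return "option=com_users&task=save&name=mallory&usertype=Super+Administrator"


def same_site_body(app, sid):
    """Constructed: a submission of the form the admin page itself rendered."""
    token = app.sessions[sid]["csrf"]
    return f"option=com_users&task=save&name=editor2&usertype=Editor&csrf_token={token}"


if __name__ == "__main__":
    app = AdminApp()
    sid = app.login("admin")
    print("vulnerable, cross-site:", app.save_user_vulnerable(sid, cross_site_body()))
    print("fixed, cross-site     :", app.save_user_fixed(sid, cross_site_body(), origin="https://other.test"))
    print("fixed, same-site form :", app.save_user_fixed(sid, same_site_body(app, sid), origin=SITE_ORIGIN))
    print("users now:", app.users)
```

The point the two handlers make is the one the thread circles around: the session cookie proves who the browser belongs to, not who composed the request, so a state-changing admin action needs a second secret that only the site's own pages can supply. Checking the token with a constant-time compare and refusing mismatched Origin headers are the two checks a reviewer would look for in any 1.0.x backport of the same fix.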
No.

vscribe wrote: Phil
Do you think you could provide a 1.0.12 for those folks who can't upgrade (yet) to 1.0.13 due to extension issues?

Having everyone upgrade immediately to 1.0.13/.14 is not much better than upgrading to 1.5 RC4. As has been noted many times on these forums, 1.0.13 has many bugs. Do these bugs outweigh the security enhancements gained in 1.0.13 (which were described as 'low-risk security fixes' in the 1.0.13 release announcement)? Seems like we need a little support here for the popular versions preceding 1.0.13.

musiczineguy wrote: The suggestion that tens of thousands of PRODUCTION web sites go from a stable version of Joomla to a release candidate is ridiculous and not an acceptable answer! If this issue is as catastrophic in the 1.0.x code as is being touted, then it needs to be addressed and taken care of in the 1.0.x code as well as in the RC code.

remember - there is no such thing as an UPGRADE from Joomla 1.0.x to Joomla 1.5.x - it is a migration and a whole new way of doing things....

vdrover wrote: Having everyone upgrade immediately to 1.0.13/.14 is not much better than upgrading to 1.5 RC4. As has been noted many times on these forums, 1.0.13 has many bugs. Do these bugs outweigh the security enhancements gained in 1.0.13 (which were described as 'low-risk security fixes' in the 1.0.13 release announcement)? Seems like we need a little support here for the popular versions preceding 1.0.13.

musiczineguy wrote: The suggestion that tens of thousands of PRODUCTION web sites go from a stable version of Joomla to a release candidate is ridiculous and not an acceptable answer! If this issue is as catastrophic in the 1.0.x code as is being touted, then it needs to be addressed and taken care of in the 1.0.x code as well as in the RC code.
I know this thread is being closely monitored by several popular community members - this issue should be addressed NOW and not in weeks!

While I appreciate that this touches many files, why does that take weeks when it only took 4 days to patch Joomla 1.5?
There are a lot of people (Developers with lots of experience) that are concerned about this, and willing to help, and also to get the other major issues in Joomla 1.0.13 fixed as well - such as the admin task values issue. I don't see why this should take weeks.
The actual work I did took a few hours and can be well tested in a day or two. Waiting weeks just to get people on the case is really not appropriate. It has already been 4 weeks since the security vulnerability was reported (on the 4th December).
Kindest regards
Phil.

I quite agree.

PhilTaylor-Prazgod wrote: this issue should be addressed NOW and not in weeks!