homepage Welcome to WebmasterWorld Guest from 54.197.189.108
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Code, Content, and Presentation / Content Management
Forum Library, Charter, Moderators: ergophobe

Content Management Forum

    
Joomla update to address High Level Security Issue
ergophobe




msg:3722161
 4:25 pm on Aug 13, 2008 (gmt 0)

The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.6 [Vusani]. This is a quick turnaround security release to address a high level security issue and it is recommended all users upgrade immediately.

[joomla.org...]

 

ergophobe




msg:3722163
 4:28 pm on Aug 13, 2008 (gmt 0)

A little more info

A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note, that changing the first users username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).

(from Joomla! Developer [developer.joomla.org])

wrockca




msg:3722166
 4:32 pm on Aug 13, 2008 (gmt 0)

Thx for the update...

ergophobe




msg:3722222
 5:27 pm on Aug 13, 2008 (gmt 0)

Cheers. The patch looks real simple if you don't want to do the full upgrade.

bateman_ap




msg:3722954
 2:34 pm on Aug 14, 2008 (gmt 0)

That first link seems to have been moved, try
[joomla.org...]

ecmedia




msg:3722956
 2:41 pm on Aug 14, 2008 (gmt 0)

Apparently it does not affect all installations.
All 1.5.x installs prior to and including 1.5.5 are affected.
There is a whole 1.0.X installations that are different.

bateman_ap




msg:3722957
 2:44 pm on Aug 14, 2008 (gmt 0)

The 1.5.5-6 process is very simple just doing a patch update. Took around 7 seconds all in all!

BillyS




msg:3723496
 2:33 am on Aug 15, 2008 (gmt 0)

>>The 1.5.5-6 process is very simple just doing a patch update. Took around 7 seconds all in all!

I don't want people to be misled about the right amount of time to do an update. Even a simple update should take some thought...

1. Back up all files including your existing joomla installation and database.
2. Copy the existing site to a new location (let's call this a test site) where you're going to apply the patch.
3. Apply the patch to your test site location.
4. Switch from your existing site to the test site and make sure everything is working. (If not, just switch back to the old location.)
5. Once you're totally convinced the new site is working properly backup everything again and delete the old installation.

Skip a step and you're relying on luck. Take these precautions and you're a webmaster.

[edited by: BillyS at 2:33 am (utc) on Aug. 15, 2008]

ergophobe




msg:3723904
 4:26 pm on Aug 15, 2008 (gmt 0)

Not advocating living dangerously, but just FYI this particular patch is only a line or two in a single file. No matter. Upgrade time is always a good occasion for a comprehensive backup.

Of course, your aggressive archiving strategy obviates the need for such measures, right? Right?

BillyS




msg:3724187
 12:31 am on Aug 16, 2008 (gmt 0)

I see a lot of posts that start with - How can I recover my website. Simple patches are simple, and yes, yes, I agree this is a good time to do a comprehensive backup (I thought that was what I was saying...).

ergophobe




msg:3724766
 5:24 am on Aug 17, 2008 (gmt 0)

I understood what you were saying. I was just saying that knowing that I have a dail DB archive, I will sometimes risk a simple change that does not effect the underlying data (i.e. a small change in one file). I'm not advocating it, but I do it.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Code, Content, and Presentation / Content Management
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved