
Forum Moderators: ergophobe


Joomla update to address High Level Security Issue

     
4:25 pm on Aug 13, 2008 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8139
votes: 103


The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.6 [Vusani]. This is a quick turnaround security release to address a high level security issue and it is recommended all users upgrade immediately.

[joomla.org...]

4:28 pm on Aug 13, 2008 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8139
votes: 103


A little more info

A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note that changing the first user's username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).

(from Joomla! Developer [developer.joomla.org])
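
As an added example, not code from the original post or from Joomla itself, this is what a reset-token lookup looks like when a token that fails validation can match nobody rather than falling through to the first enabled user. The table and column names, the 32-hex-character token format and the PDO connection are assumptions; it also goes slightly beyond the advisory by making the token single-use and time-limited.

```php
<?php
// Added example, not Joomla's own code: a defensive lookup for a password-reset
// token. Table/column names (users, reset_token_hash, reset_issued_at) and the
// token format are assumptions for illustration.

const RESET_TOKEN_RE  = '/\A[0-9a-f]{32}\z/';
const RESET_TOKEN_TTL = 3600; // seconds a token stays valid

/**
 * Return the id of the single user who owns $token, or null if no user does.
 * The property the advisory above is about: a token that does not validate
 * must match nobody, never "the first enabled user" by default.
 */
function findUserForResetToken(PDO $db, string $token): ?int
{
    // 1. Reject empty or malformed input before it reaches any query.
    if (!preg_match(RESET_TOKEN_RE, $token)) {
        return null;
    }
    $hash = hash('sha256', $token);

    // 2. Match only on the stored token hash, bound as a parameter, and only for
    //    enabled accounts that actually have a pending reset.
    $stmt = $db->prepare(
        'SELECT id, reset_issued_at FROM users
          WHERE block = 0 AND reset_token_hash IS NOT NULL AND reset_token_hash = :h
          LIMIT 2'
    );
    $stmt->execute([':h' => $hash]);
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // 3. Exactly one row must match; zero or several both mean "not valid".
    if (count($rows) !== 1) {
        return null;
    }
    $row = $rows[0];
    if (time() - (int) $row['reset_issued_at'] > RESET_TOKEN_TTL) {
        return null;
    }

    // 4. Consume the token atomically so it cannot be replayed; if the row was
    //    changed meanwhile (rowCount() !== 1) treat the reset as failed.
    $done = $db->prepare(
        'UPDATE users SET reset_token_hash = NULL, reset_issued_at = NULL
          WHERE id = :id AND reset_token_hash = :h'
    );
    $done->execute([':id' => (int) $row['id'], ':h' => $hash]);
    return $done->rowCount() === 1 ? (int) $row['id'] : null;
}
```

The caller should only proceed to set a new password when a non-null id comes back, and should log a failed attempt otherwise.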

4:32 pm on Aug 13, 2008 (gmt 0)

Full Member from US

10+ Year Member

joined:Jan 25, 2005
posts: 222
votes: 0


Thx for the update...

5:27 pm on Aug 13, 2008 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8139
votes: 103


Cheers. The patch looks real simple if you don't want to do the full upgrade.

2:34 pm on Aug 14, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 8, 2001
posts:766
votes: 0


That first link seems to have been moved, try
[joomla.org...]

2:41 pm on Aug 14, 2008 (gmt 0)

Preferred Member

5+ Year Member

joined:Sept 28, 2007
posts:487
votes: 0


Apparently it does not affect all installations.
All 1.5.x installs prior to and including 1.5.5 are affected.
There is a whole set of 1.0.X installations that are different.

2:44 pm on Aug 14, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member 10+ Year Member

joined:Nov 8, 2001
posts:766
votes: 0


The 1.5.5-6 process is very simple, just doing a patch update. Took around 7 seconds all in all!

2:33 am on Aug 15, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 1, 2004
posts:3181
votes: 0


>>The 1.5.5-6 process is very simple just doing a patch update. Took around 7 seconds all in all!

I don't want people to be misled about the right amount of time to do an update. Even a simple update should take some thought...

1. Back up all files including your existing joomla installation and database.
2. Copy the existing site to a new location (let's call this a test site) where you're going to apply the patch.
3. Apply the patch to your test site location.
4. Switch from your existing site to the test site and make sure everything is working. (If not, just switch back to the old location.)
5. Once you're totally convinced the new site is working properly backup everything again and delete the old installation.

Skip a step and you're relying on luck. Take these precautions and you're a webmaster.

[edited by: BillyS at 2:33 am (utc) on Aug. 15, 2008]

4:26 pm on Aug 15, 2008 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8139
votes: 103


Not advocating living dangerously, but just FYI this particular patch is only a line or two in a single file. No matter. Upgrade time is always a good occasion for a comprehensive backup.

Of course, your aggressive archiving strategy obviates the need for such measures, right? Right?

12:31 am on Aug 16, 2008 (gmt 0)

Senior Member

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member

joined:June 1, 2004
posts:3181
votes: 0


I see a lot of posts that start with - How can I recover my website. Simple patches are simple, and yes, yes, I agree this is a good time to do a comprehensive backup (I thought that was what I was saying...).

5:24 am on Aug 17, 2008 (gmt 0)

Moderator This Forum

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month

joined:Apr 25, 2002
posts:8139
votes: 103


I understood what you were saying. I was just saying that knowing that I have a daily DB archive, I will sometimes risk a simple change that does not affect the underlying data (i.e. a small change in one file). I'm not advocating it, but I do it.