Welcome to WebmasterWorld Guest from 54.221.45.195

Forum Moderators: ergophobe

Message Too Old, No Replies

Joomla update to address High Level Security Issue

     

ergophobe

4:25 pm on Aug 13, 2008 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



The Joomla! community is pleased to announce the immediate availability of Joomla! 1.5.6 [Vusani]. This is a quick turnaround security release to address a high level security issue and it is recommended all users upgrade immediately.

[joomla.org...]

ergophobe

4:28 pm on Aug 13, 2008 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



A little more info

A flaw in the reset token validation mechanism allows for non-validating tokens to be forged. This will allow an unauthenticated, unauthorized user to reset the password of the first enabled user (lowest id). Typically, this is an administrator user. Note, that changing the first users username may lessen the impact of this exploit (since the person who changed the password does not know the login associated with the new password). However, the only way to completely rectify the issue is to upgrade to 1.5.6 (or patch the /components/com_user/models/reset.php file).

(from Joomla! Developer [developer.joomla.org])

wrockca

4:32 pm on Aug 13, 2008 (gmt 0)

10+ Year Member



Thx for the update...

ergophobe

5:27 pm on Aug 13, 2008 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Cheers. The patch looks real simple if you don't want to do the full upgrade.

bateman_ap

2:34 pm on Aug 14, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



That first link seems to have been moved, try
[joomla.org...]

ecmedia

2:41 pm on Aug 14, 2008 (gmt 0)

5+ Year Member



Apparently it does not affect all installations.
All 1.5.x installs prior to and including 1.5.5 are affected.
There is a whole 1.0.X installations that are different.

bateman_ap

2:44 pm on Aug 14, 2008 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member



The 1.5.5-6 process is very simple just doing a patch update. Took around 7 seconds all in all!

BillyS

2:33 am on Aug 15, 2008 (gmt 0)

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member



>>The 1.5.5-6 process is very simple just doing a patch update. Took around 7 seconds all in all!

I don't want people to be misled about the right amount of time to do an update. Even a simple update should take some thought...

1. Back up all files including your existing joomla installation and database.
2. Copy the existing site to a new location (let's call this a test site) where you're going to apply the patch.
3. Apply the patch to your test site location.
4. Switch from your existing site to the test site and make sure everything is working. (If not, just switch back to the old location.)
5. Once you're totally convinced the new site is working properly backup everything again and delete the old installation.

Skip a step and you're relying on luck. Take these precautions and you're a webmaster.

[edited by: BillyS at 2:33 am (utc) on Aug. 15, 2008]

ergophobe

4:26 pm on Aug 15, 2008 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Not advocating living dangerously, but just FYI this particular patch is only a line or two in a single file. No matter. Upgrade time is always a good occasion for a comprehensive backup.

Of course, your aggressive archiving strategy obviates the need for such measures, right? Right?

BillyS

12:31 am on Aug 16, 2008 (gmt 0)

WebmasterWorld Senior Member billys is a WebmasterWorld Top Contributor of All Time 10+ Year Member



I see a lot of posts that start with - How can I recover my website. Simple patches are simple, and yes, yes, I agree this is a good time to do a comprehensive backup (I thought that was what I was saying...).

ergophobe

5:24 am on Aug 17, 2008 (gmt 0)

WebmasterWorld Administrator ergophobe is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



I understood what you were saying. I was just saying that knowing that I have a dail DB archive, I will sometimes risk a simple change that does not effect the underlying data (i.e. a small change in one file). I'm not advocating it, but I do it.
 

Featured Threads

Hot Threads This Week

Hot Threads This Month