Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/12 11:19
By: dpk (Senior Joomlapolitan, Posts: 86, Karma: 2)

|
Having register_globals on with a bunch of 3pd add-ons is a big security risk from what I've read. Having it on period seems to have been frowned on for years. Is there any good reason to have it on?
Post edited by: dpk, at: 2006/08/12 05:45

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/12 15:31
By: danserea (Fresh Joomlapolitan, Status: User, Posts: 2, Karma: 0)

Just wanted to drop a note that I used the expert method of updating and it worked perfectly. Thanks very much for your quick, hard work! Much appreciated.

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/12 15:33
By: dpk (Senior Joomlapolitan, Posts: 86, Karma: 2)

Same here -- just dropped in the new files, and it appears to work OK at first blush.
What are the included bug fixes?

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/12 23:48
By: beat (Admin, Status: Admin, Posts: 4215, Karma: 256)

dpk wrote: Having register_globals on with a bunch of 3pd add-ons is a big security risk from what I've read. Having it on period seems to have been frowned on for years. Is there any good reason to have it on?
Post edited by: dpk, at: 2006/08/12 05:45

There is no good reason or excuse to have it on.
It is a compatibility setting for very old PHP code.
Having it ON is just a very large security risk, proven these last weeks by the flow of Internet attacks on Joomla and its 3PD extensions (most succeeded only on sites with that setting ON. 3PD components started getting attacked probably due to Joomla's rising popularity, I guess... and also because Joomla itself has got pretty secure by now).
Just switch the PHP register_globals setting to OFF,
or ask your hoster to do it... like *now*.
If you then have very old code not working, just fix it, or update it (it might be worthwhile anyway, security-wise).
In the future, we will NOT treat vulnerabilities with PHP register_globals ON as critical ones, as we did this time.
Even Joomla 1.5 will not allow running on such insecure systems.
I hope I made myself understood.
Post edited by: beat, at: 2006/08/12 17:49
Beat - Developer on Community Builder core Team - If you like CB and this forum, you will love Nick's CB 1.2 RC4 reference manual! Would you like to help us move faster? Get it, and/or help us spend more time coding by helping others in this forum, many thanks.
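The register_globals risk beat describes above, as an added PHP illustration that is not code from this thread or from Community Builder. Because the directive was removed in PHP 5.4, the script simulates the old ON behaviour with a single extract() call at file scope; it then contrasts an old-style check that relies on a variable being unset by default with a version that initialises it. The request values, the password and the function names are constructed for the example.

```php
<?php
// Added illustration (not from the thread or from Community Builder).
// With register_globals ON, every request parameter becomes a PHP global
// before the script runs, so any variable a script only assigns on its
// "success" branch can be pre-set by the client.
//
// Real fix: `register_globals = Off` in php.ini, or `php_flag register_globals off`
// in .htaccess under mod_php. The extract() below only SIMULATES the old
// setting so this file runs on current PHP; never do that in production code.

declare(strict_types=1);

// Constructed sample request: a client appended ?authorized=1&password=wrong to the URL.
$_GET = ['authorized' => '1', 'password' => 'wrong'];

// Simulation of register_globals ON: request keys become file-scope globals.
extract($_GET, EXTR_SKIP);

// Old-style "3PD" code: $authorized is only ever assigned on success and is
// otherwise assumed to be unset, which the injected global breaks.
function vulnerableLogin(string $password): bool
{
    global $authorized;                 // file-scope variable, as in old procedural code
    if ($password === 'correct-horse') {
        $authorized = true;
    }
    return !empty($authorized);         // never initialised, so client-controlled
}

// Hardened version: explicit default in local scope, input read only from
// superglobals, so the setting makes no difference.
function hardenedLogin(string $password): bool
{
    $authorized = false;
    if ($password === 'correct-horse') {
        $authorized = true;
    }
    return $authorized;
}

// Report the directive as seen by this PHP; ini_get() returns false where it no longer exists.
function registerGlobalsIsOn(): bool
{
    $raw = ini_get('register_globals');
    return $raw !== false && filter_var($raw, FILTER_VALIDATE_BOOLEAN);
}

$pw = (string) $_GET['password'];
printf("register_globals reported on: %s\n", registerGlobalsIsOn() ? 'yes' : 'no');
printf("vulnerable check, wrong password: %s\n", vulnerableLogin($pw) ? 'GRANTED' : 'denied');
printf("hardened check, wrong password:   %s\n", hardenedLogin($pw) ? 'GRANTED' : 'denied');
```

Running it shows the vulnerable check granting access on a wrong password purely because the request supplied `authorized=1`, while the hardened check denies it. The same initialise-first, superglobals-only style is what makes old extensions safe to keep running once the hoster turns the setting off.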

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/13 02:02
By: crash777 (Junior Joomlapolitan, Status: User, Posts: 37, Karma: 0)

Question.. somewhat related.. maybe...
I am getting a message in my community builder: "Your version is : 1.0 Latest version : 1.0.1 WARNING: high-risk security vulnerability has been discovered: Please Update ASAP ! More info and security release 1.0.1 available on Joomlapolis and on forge !!!"
I started fresh.. uninstalled all components, modules, etc and removed mysql tables. Then reinstalled.. Should I worry I don't have the newest version? Did I miss something? What is a foolproof way to tell? What checks is CB doing to give me this message?

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/13 02:23
By: dpk (Senior Joomlapolitan, Posts: 86, Karma: 2)

Crash--read the rest of this thread. Read the front page of this site. Note the article on the security upgrade.
CB has a config setting that automatically checks for available updates unless you change it to check only when you ask it to.
You probably want to upgrade and review your possible security vulnerabilities.