
Joomlapolis Forums  
security update manual setup from cb 1.0 rc2
Date: 2006/08/10 22:26 By: pages Status: CB Doc subscriber  
Hi,

I am implementing the security update manually (expert setup).
I have CB 1.0 RC2 currently.
I am at part b below:

Update from CB 1.0 RC2 to 1.0.1 *ONLY*:
b) unzip the packages and overwrite corresponding CB 1.0 RC2 files

In my modules folder I have the mod_cbloginrc2 php and xml files as well as the folder mod_cbloginrc2 (with the mail and users gifs inside).

Your update includes mod_cblogin php and xml files and a mod_cblogin folder, so it will not overwrite these files. Should I simply delete them?

Thanks.

UPDATE: I UNINSTALLED the RC2 module and INSTALLED the new one.

Post edited by: pages, at: 2006/08/10 16:45

1.0.1 Update
Date: 2006/08/10 22:31 By: Jesuslavex Status: User  
I updated my site to 1.0.1.

Everything was textbook, it was sweet.

Though after the update, my site is crawling, I'm talking 22 seconds to change pages (once the page starts to change, it loads fast). Also, FlashChat is no longer functioning.

Any thoughts?

Post edited by: Jesuslavex, at: 2006/08/10 16:32

Post edited by: Jesuslavex, at: 2006/08/10 16:38

Re:1.0.1 Update
Date: 2006/08/11 03:42 By: plavanie Status: User  
Before my site was hacked I received the following message from 1and1 Support:

access.log.31.gz:82.78.224.44 - - [05/Aug/2006:14:34:03 -0400] "POST
/components/com_extcalendar/ [EXPLOIT HINTS DETAILS REMOVED BY JOOMLAPOLIS ADMIN FOR SECURITY REASONS]

I have completely removed the Extcal Component, but the website was hacked again.

Can this be due to a security hole in the CB component? Was it fixed in this release?

[EDITED: EXPLOIT INSTRUCTIONS DETAILS REMOVED]

Post edited by: beat, at: 2006/08/10 23:03
Sincerely,
www.Plavanie.com
info@Plavanie.com

Re:1.0.1 Update
Date: 2006/08/11 05:00 By: beat Status: Admin  
Sorry for the late reply, it was a long CB night last night, and a long day today...

To reply to the questions in this thread:

- Yes, with PHP setting register_globals OFF, you are safe against the worst vulnerability and type of attack against CB 1.0 RC2 and 1.0 stable. You are also safe against most of the attacks against 3PD components of these last days.

- Yes, for CB 1.0 RC2 and 1.0 stable, all 4 criteria must be met for your site to be at high risk (exploits have unfortunately been reported since yesterday, leading to this rush release 1.0.1). Criterion 1 (register_globals OFF) is sufficient to avoid attack (if it has already been off before the attacks, or if you are sure that your site has not gotten hacked files installed). Criteria 2, 3, and 4 are sufficient to protect against the 2 attacks that we have analysed yesterday. They may not be sufficient in themselves for other types of attacks using the vulnerabilities of 1.0 that we have fixed in 1.0.1.

- As an alternative to an immediate update, you can (and should anyway, HIGHLY RECOMMENDED) ask your hoster to turn PHP register_globals OFF. Today, this obsolete setting doesn't make any sense anymore, and Joomla 1.5 will make it a PREREQUISITE to be installed! If your hoster doesn't accept to turn this off on request, and also has all 3 other settings bad, you should seriously consider changing hoster, sorry. But in all cases you should also check, by sftp or ssh, all your directories which have write access from the web server for hacker files.

- CB 1.0.1 has about 20 other bug corrections (stability work) and a few other minor security enhancements, so if you have PHP register_globals OFF, you can still consider upgrading when you get to it.

- If your site got hacked, you need to reinstall a clean copy, or at least do a complete diff of your installation against your reference backup copy. Hackers will typically leave backdoor php files on your website to get full access to it and to use it for other activities. You WANT to get rid of those files! Otherwise, your site will be hacked again, even with all security releases installed.

- If your site got hacked through another component, you still need to also update CB to avoid getting hacked again (or at least turn PHP register_globals OFF).

- The pathway works with Joomla's Itemid; it seems that Authorbot doesn't generate one, which is why it doesn't display there.

- In manual update you can either replace the mod_cblogin directory or overwrite the files in it (or for an update from 1.0 stable leave it as is as there are no changes in that directory, but there are changes in the login module itself and in the xml file).

- What are these REGISTER_GLOBALS?

This is a backwards-compatibility setting of PHP: in very old versions of PHP, the parameters sent in the URL after the ? (e.g. ?item=23) were directly mapped into global variables (e.g. $item=23; ...)! All PHP versions supported by Joomla 1.0 have separate super-globals for that, and Joomla 1.0 and all Joomla components don't need this old backwards-compatibility setting anymore. It's only a big security concern, so any sensible hoster understanding a minimum of PHP will have no problem turning register_globals OFF, either by default or at least for your sites. If they don't, consider continuing to live riskily or change hoster.
Beat - Developer on Community Builder core Team
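As an added illustration of the register_globals problem Beat describes above (example code written for this page, not code from the thread, from Community Builder or from Joomla): the same access check written the fragile way, where an uninitialized variable can be pre-populated from the request when register_globals is ON, next to the hardened way that works regardless of the setting. Function and variable names are hypothetical.

```php
<?php
// Added example: why register_globals OFF matters and how to code so it never matters.

// FRAGILE: relies on $is_admin being unset unless this code sets it.
// With register_globals ON, a request such as ?is_admin=1 creates $is_admin
// as a global before this function runs, so the check below passes for anyone.
function adminPanelLegacy()
{
    global $is_admin;                         // picks up a request-injected global
    if (!empty($_SESSION['user_is_admin'])) {
        $is_admin = true;
    }
    if (!empty($is_admin)) {
        return 'admin panel';
    }
    return 'access denied';
}

// HARDENED: every local is initialized, and request data is only read
// through the explicit super-globals ($_GET / $_POST) when actually needed.
function adminPanelHardened(array $session)
{
    $is_admin = false;                        // explicit default, cannot be injected
    if (!empty($session['user_is_admin'])) {  // trust server-side state only
        $is_admin = true;
    }
    return $is_admin ? 'admin panel' : 'access denied';
}

// Hosting check Beat recommends: report whether register_globals is OFF.
// ini_get() returns '' or '0' when OFF and '1' when ON; on PHP >= 5.4 the
// directive no longer exists and ini_get() returns false, which also counts as OFF.
function registerGlobalsIsOff()
{
    return !filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample session (not a real user) to exercise the hardened check.
$sampleSession = array('user_is_admin' => false);
echo adminPanelHardened($sampleSession), PHP_EOL;      // access denied
echo registerGlobalsIsOff() ? 'register_globals is OFF' : 'register_globals is ON', PHP_EOL;
```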

Re:1.0.1 Update
Date: 2006/08/11 05:29 By: theelite Status: User  
Sorry, ignore the post, I figured out my problem.

Post edited by: theelite, at: 2006/08/10 23:42

Re:Security Release - CB 1.0.1 - RELEASED!
Date: 2006/08/11 05:48 By: bigal0043 Status: User  
Just loaded the update via the expert way. No problems at all. Keep up the good work, I can't wait for new modules and cool stuff for this component.