Security Release - CB 1.0.1 - RELEASED!

17 years 8 months ago #18546 by pages
Hi,

I am implementing the security update manually (expert setup).
I have CB 1.0 RC2 currently.
I am at part b below:

Update from CB 1.0 RC2 to 1.0.1 *ONLY*:
b) unzip the packages and overwrite corresponding CB 1.0 RC2 files

In my modules folder I have the mod_cbloginrc2 php and xml files as well as the folder mod_cbloginrc2 (with the mail and users gifs inside).

Your update includes mod_cblogin php and xml files and a mod_cblogin folder, so it will not overwrite these files. Should I simply delete them?

Thanks.

UPDATE: I UNINSTALLED the rc2 module and INSTALLED the new one.

Post edited by: pages, at: 2006/08/10 16:45


17 years 8 months ago #18548 by Jesuslavex
Replied by Jesuslavex on topic 1.0.1 Update
I updated my site to 1.0.1

Everything was textbook, it was sweet

Though after the update, my site is crawling. I'm talking 22 seconds to change pages (once the page goes to change, it loads fast). Also, FlashChat is no longer functioning.

Any thoughts?

Post edited by: Jesuslavex, at: 2006/08/10 16:32

Post edited by: Jesuslavex, at: 2006/08/10 16:38


17 years 8 months ago #18577 by plavanie
Replied by plavanie on topic Re:1.0.1 Update
Before my site was hacked I received the following message from 1and1 Support:

access.log.31.gz:82.78.224.44 - - [05/Aug/2006:14:34:03 -0400] "POST
/components/com_extcalendar/ [EXPLOIT HINTS DETAILS REMOVED BY JOOMLAPOLIS ADMIN FOR SECURITY REASONS]

I have completely removed the Extcal Component, but the website was hacked again.

Can this be due to a security hole in the CB component? Was it fixed in this release?

[EDITED: EXPLOIT INSTRUCTIONS DETAILS REMOVED]

Post edited by: beat, at: 2006/08/10 23:03

Sincerely,
www.Plavanie.com
info@Plavanie.com


17 years 8 months ago #18580 by beat
Replied by beat on topic Re:1.0.1 Update
Sorry for late reply, was a long CB night last night, and a long day today...

To reply to the questions in this thread:

- Yes, with PHP setting register_globals OFF, you are safe against the worst vulnerability and type of attack against CB 1.0 RC2 and 1.0 stable. You are also safe against most of the attacks against 3PD components of these last days.

- Yes, for CB 1.0 RC2 and 1.0 stable, all 4 criteria must be met for your site to be at high risk (exploits have unfortunately been reported since yesterday, leading to this rush release 1.0.1). Criterion 1 (register_globals OFF) is sufficient to avoid attack (if it has already been off before the attacks, or if you are sure that your site has not gotten hacked files installed). Criteria 2, 3, and 4 are sufficient to protect against the 2 attacks that we have analysed yesterday. They may not be sufficient in themselves for other types of attacks using the vulnerabilities of 1.0 that we have fixed in 1.0.1.

- As an alternative to an immediate update, you can (and should anyway, HIGHLY RECOMMENDED) ask your hoster to turn PHP register_globals to OFF. Today, this obsolete setting doesn't make any sense anymore, and Joomla 1.5 will make it a PREREQUISITE to be installed! If your hoster doesn't agree to turn this off on request, and also has all 3 other settings bad, you should seriously consider changing hoster, sorry. But you should also, by sftp or ssh, check all your directories which have write access from the web server for hacker files as well in all cases.

- CB 1.0.1 has about 20 other bug corrections (stability work) and a few other minor security enhancements, so if you have PHP register_globals OFF, you can still consider upgrading when you get to it.

- If your site got hacked, you need to reinstall a clean copy, or at least do a complete diff of your installation and your reference backup copy. Hackers will typically leave backdoor php files on your website to get full access to it and to use it for other activities. You WANT to get rid of those files! Otherwise, your site will be hacked again, even with all security releases installed.

- If your site got hacked through another component, you still need to also update CB to avoid getting hacked again (or at least turn PHP register_globals OFF).

- The pathway works with Joomla's Itemid; it seems that Authorbot doesn't generate one, that's why it doesn't display there.

- In manual update you can either replace the mod_cblogin directory or overwrite the files in it (or for an update from 1.0 stable leave it as is as there are no changes in that directory, but there are changes in the login module itself and in the xml file).

- What's this REGISTER_GLOBALS?:

This is a backwards compatibility setting of PHP: in very old versions of PHP, the parameters sent in the url after the ? e.g. ?item=23 were directly mapped into global variables e.g. $item=23; ...! All PHP versions supported by Joomla 1.0 have separate super-globals for that, and Joomla 1.0 and all Joomla components don't need this old backwards-compatibility setting anymore. It's only a big security concern, so any sensible hoster understanding a minimum of PHP will have no problems turning register_globals OFF either by default or at least for your sites. If they don't, consider continuing living risky or change hoster.

Beat - Community Builder Team Member

Before posting on forums: Read FAQ thoroughly -- Help us spend more time coding by helping others in this forum, many thanks :)
CB links: Our membership - CBSubs - Templates - Hosting - Forge - Send me a Private Message (PM) only for private/confidential info
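The register_globals behaviour beat describes above, as an added example that is not part of the original post or of the Community Builder project: a fragile check that only assigns its flag on the success path (the pattern register_globals made exploitable), the same check written so that it is correct whatever the setting, and a helper that reports the current setting. Function names, the sample request and session, and the use of extract() to emulate register_globals on a modern PHP are all constructed for this demo.

```php
<?php
// Added example, not from the original post or the Community Builder project.
// Demonstrates what register_globals did and how to write code that does not
// depend on the setting. Run with the PHP CLI: php register_globals_demo.php

// Reports whether register_globals is on. PHP 5.4+ removed the directive, so
// ini_get() returns false there and the function reports "off".
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// FRAGILE: $is_admin is only assigned on the success path. With register_globals
// ON, PHP created $is_admin from a request parameter of that name before the
// script ran, so the "guest" path returned whatever the visitor sent.
// extract() here only emulates that behaviour so the demo runs on a modern PHP;
// never call extract() on request data in real code.
function fragile_is_admin(array $request, array $session): bool
{
    extract($request, EXTR_OVERWRITE); // emulates register_globals (constructed)
    if (($session['role'] ?? null) === 'admin') {
        $is_admin = true;
    }
    return !empty($is_admin);
}

// ROBUST: every variable is initialised before use, and request input is never
// mixed into local variables. Same result whatever register_globals is set to.
function robust_is_admin(array $request, array $session): bool
{
    $is_admin = false;
    if (($session['role'] ?? null) === 'admin') {
        $is_admin = true;
    }
    return $is_admin;
}

// The "?item=23" case from the post: read the id from the $_GET superglobal
// (passed in here as an array) and validate it, instead of trusting a bare $item.
function item_id(array $get): ?int
{
    $id = filter_var($get['item'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed sample inputs: a guest session and a request that carries an
// extra is_admin parameter alongside the expected item id.
$request = ['is_admin' => '1', 'item' => '23'];
$session = ['role' => 'guest'];

printf("register_globals: %s\n", register_globals_enabled() ? 'ON (turn it off)' : 'off');
printf("fragile check   : %s\n", fragile_is_admin($request, $session) ? 'admin (wrong!)' : 'guest');
printf("robust check    : %s\n", robust_is_admin($request, $session) ? 'admin' : 'guest');
printf("item id         : %s\n", var_export(item_id($request), true));
```

The fragile function reports the guest as admin because the request parameter pre-populated the flag; the robust one ignores the request entirely. The general rule that makes code independent of register_globals is the one the robust version follows: initialise every variable, and take request data only from $_GET, $_POST or $_COOKIE, validated.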
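The "complete diff of your installation and your reference backup copy" that beat recommends above, as an added example that is not from the original post or the Community Builder project: it hashes every file under a live web root and a clean reference copy, and reports files that are new, changed or missing, flagging new PHP files in directories that normally hold only uploads or cache data. The two directory paths, the list of upload directories and the function names are assumptions for this demo.

```php
<?php
// Added example, not from the original post or the Community Builder project.
// Usage (paths are placeholders): php diff_tree.php /path/to/live /path/to/reference

// Map every regular file under $root to its SHA-256, keyed by path relative to $root.
function hash_tree(string $root): array
{
    $root = rtrim($root, '/');
    $hashes = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = substr($file->getPathname(), strlen($root) + 1);
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    return $hashes;
}

// Compare two hash maps: files only in the live tree, files with differing
// content, and files the reference has but the live tree lacks.
function compare_trees(array $live, array $reference): array
{
    $report = ['added' => [], 'changed' => [], 'missing' => []];
    foreach ($live as $path => $hash) {
        if (!isset($reference[$path])) {
            $report['added'][] = $path;
        } elseif ($reference[$path] !== $hash) {
            $report['changed'][] = $path;
        }
    }
    foreach (array_keys($reference) as $path) {
        if (!isset($live[$path])) {
            $report['missing'][] = $path;
        }
    }
    foreach ($report as &$list) {
        sort($list);
    }
    return $report;
}

// A new PHP file inside a directory the web server can write to (uploads, cache,
// temp) is the classic place a dropped backdoor ends up; review those first.
function is_suspicious(string $path): bool
{
    $uploadDirs = ['images', 'media', 'cache', 'tmp']; // assumption: adjust to your site
    $inUploadDir = (bool) preg_match('~^(' . implode('|', $uploadDirs) . ')/~i', $path);
    $isScript    = (bool) preg_match('~\.(php|phtml|php[3-7])$~i', $path);
    return $inUploadDir && $isScript;
}

if (PHP_SAPI === 'cli' && $argc === 3) {
    $report = compare_trees(hash_tree($argv[1]), hash_tree($argv[2]));
    foreach ($report as $kind => $paths) {
        printf("%s (%d)\n", strtoupper($kind), count($paths));
        foreach ($paths as $path) {
            // Only "added" entries can be unexpected scripts; mark them with "!".
            $mark = ($kind === 'added' && is_suspicious($path)) ? '!' : ' ';
            printf("  %s %s\n", $mark, $path);
        }
    }
} else {
    fwrite(STDERR, "usage: php diff_tree.php <live-root> <reference-root>\n");
}
```

Every "added" entry needs an explanation (a legitimate upload, a cache file, or something that should not be there), and every "changed" entry under the component and module directories should be compared line by line with the reference copy before the site is put back in service.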


17 years 8 months ago #18582 by theelite
Replied by theelite on topic Re:1.0.1 Update
sorry, ignore the post, figured out my problem.

Post edited by: theelite, at: 2006/08/10 23:42


17 years 8 months ago #18585 by bigal0043
Replied by bigal0043 on topic Re:Security Release - CB 1.0.1 - RELEASED!
Just loaded the update via the expert way. No problems at all. Keep up the good work, I can't wait for new modules and cool stuff for this component B)
