Sorry for late reply, was a long CB night last night, and a long day today...
To reply to the questions in this thread:
- Yes, with PHP setting register_globals OFF, you are safe against the worst vulnerability and type of attack against CB 1.0 RC2 and 1.0 stable. You are also safe against most of the attacks against 3PD components of these last days.
- Yes, for CB 1.0 RC2 and 1.0 stable, all 4 criterias must be met for your site to be at high risk (exploits have unfortunately been reported since yesterday, leeding to to this rush release 1.0.1). Criterias 1 (register_globals OFF) is sufficient to avoid attack (if it has been already off before the attacks, or if you are sure that your site has not gotten hacked files installed). Criteria 2, 3, and 4 are sufficient to protect against the 2 attacks that we have analysed yesterday. They may not be sufficient in themselves for other types of attacks using the vulnerabilities of 1.0 that we have fixed in 1.0.1
- As alternative to immediate update, you can (and should anyway, HIGHLY RECOMMENDED) ask your hoster to turn PHP register_globals to OFF. Today, this obsolete setting doesn't make any sense, anymore and Joomla 1.5 will make it a PREREQUISITE to be installed ! If your hoster doesn't accept to turn this off on request, and has also all 3 other settings bad, you should seriously consider changing hoster, sorry. But you should also by sftp or ssh check all your directories which have write access from web server for hacker files as well in all cases.
- CB 1.0.1 has about 20 other bug corrections (stability work) and a few other minor security enhancements, so if you have PHP register_globals OFF, you can still consider updgrading when you get to it.
- If your site got hacked, you need to reinstall a clean copy, or at least do a complete diff of your installation and your reference backup-copy. Hackers will typically leave backdor php files on your website to get full access to it and to use it for other activities. You WANT to get rid of those files ! Otherwise, your site will be hacked again, even with all security releases installed.
- If your site got hacked through another component, you still need to also update CB to avoid get hacked again (or at least turn these PHP register_globals OFF).
- The pathway works with Joomla's Itemid, seems that Authorbot doesn't generate one, that's why it doesn't display there.
- In manual update you can either replace the mod_cblogin directory or overwrite the files in it (or for an update from 1.0 stable leave it as is as there are no changes in that directory, but there are changes in the login module itself and in the xml file).
- What's these REGISTER_GLOBALS ? :
This is a backwards compatibility setting of PHP: in very old versions of PHP, the parameters sent in the url after the ? e.g. ?item=23 were directly mapped into glabal variables e.g. $item=23; ... ! All PHP versions supported by Joomla 1.0 have separate super-globals for that. and Joomla 1.0 and all Joomla components don't need this old backwards-compatibility setting anymore. It's only a big security concern, so any sensible hoster understanding a minimum of PHP will have no problems to turn regiser_globals OFF either by default or at least for your sites. If they don't, consider continuing living risky or change hoster.