
Joomlapolis! News


09 Aug 2006

Security Release - CB 1.0.1 - RELEASED!

Update 2: ERRATA: All sites should either update to CB 1.0.1 or correct a Joomla setting!
Just when you thought you were safe with PHP register_globals OFF ... NO! A post less than an hour ago brought to our attention that Joomla 1.0.10 still emulates register_globals ON by default, even if the PHP setting register_globals is OFF. See the Joomla forum post by Adam (aka Websmurf) for instructions on how to turn it off. So: if you didn't or can't turn that off in that file, you should update Community Builder immediately to security release 1.0.1.

UPDATE 3: Excellent article about website security and Joomla configuration. A must-read!

The following mass email has just been sent (actually in progress) to all Joomlapolitans ...

 

Fellow Community Builder Website Masters,

The CB Core team over at joomlapolis.com has been working hard during the past 48 hours on a security release 1.0.1 of the CB suite following the discovery of a vulnerability present in 1.0 RC2 and 1.0 stable on weakly configured web-servers.

We have decided to release it as a highly-recommended critical security and stability update, as we had one report this morning and another one this afternoon for 2 sites where it got exploited to change files.

Your site needs an urgent update to CB 1.0.1 if ALL of these PHP settings are met:

  1. php register_globals set to ON
  2. allow_url_fopen is ON 
  3. no open base directory limitations set 
  4. php code directories have write permissions from web-server process

CB 1.0.1 will be released in the next hours and will be available on http://www.joomlapolis.com and on the Community Builder project area on forge.joomla.org.

Everyone is urged to upgrade ASAP; a README file is included in the release as usual.

Sites with the settings above are in danger.

If you want to stop receiving future messages of this type just visit your contact info tab on your joomlapolis profile and click on the "Don't email me critical vulnerability fixes" checkbox.

Thank you,

The CB Team on Joomlapolis.com

 


Update 1:
The security release 1.0.1 is now available as a package on our project area on the forge and in the downloads area of Joomlapolis. If your hosting environment meets all 4 of the above prerequisites you must upgrade immediately! Either way all installations should be upgraded ASAP.
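As an added example (not part of the original announcement and not Community Builder code), the following PHP script reports which of the four conditions listed in the e-mail hold on the running server. `$codeDir` and `$joomlaEmulatesGlobals` are assumed names; the latter defaults to true because, as Update 2 notes, Joomla 1.0.10 emulates register_globals ON by default.

```php
<?php
// Added example: reports which of the advisory's four conditions hold here.
header('Content-Type: text/plain');

// PHP's own reading of an ini boolean ("1", "On", "Yes", "True" mean enabled).
function ini_flag(string $name): bool
{
    $value = ini_get($name);   // false when the directive does not exist
    return $value !== false
        && in_array(strtolower(trim($value)), ['1', 'on', 'yes', 'true'], true);
}

// True if $dir, any subdirectory or any .php file is writable by this process.
function code_is_writable(string $dir): bool
{
    if (is_writable($dir)) {
        return true;
    }
    $tree = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST,
        RecursiveIteratorIterator::CATCH_GET_CHILD   // skip unreadable directories
    );
    foreach ($tree as $entry) {
        $isCode = $entry->isDir() || strtolower($entry->getExtension()) === 'php';
        if ($isCode && $entry->isWritable()) {
            return true;
        }
    }
    return false;
}

function audit(string $codeDir, bool $joomlaEmulatesGlobals): array
{
    return [
        'register_globals ON (PHP or Joomla emulation)' => ini_flag('register_globals') || $joomlaEmulatesGlobals,
        'allow_url_fopen ON' => ini_flag('allow_url_fopen'),
        'no open_basedir restriction' => trim((string) ini_get('open_basedir')) === '',
        'code directories writable by web-server process' => code_is_writable($codeDir),
    ];
}

$codeDir = __DIR__;             // assumption: script sits in the site root
$joomlaEmulatesGlobals = true;  // assumption: set false only if you turned emulation off
$results = audit($codeDir, $joomlaEmulatesGlobals);
foreach ($results as $condition => $holds) {
    printf("[%s] %s\n", $holds ? 'YES' : 'no ', $condition);
}
echo in_array(false, $results, true) ? "Not all four conditions hold; upgrade anyway.\n"
    : "All four conditions hold: update to CB 1.0.1 immediately.\n";
```

Request the script through the web server rather than the command line, since the CLI can load a different php.ini and runs as a different user, and delete it once you have the result.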
