Joomla! 1.5.20 Exploit, Temporary Fix and Tracker Item

Today, an exploit on Joomla! 1.5.20 was published by the YGN Ethical Hacker Group. Jeff Channell (who you know as a security expert) saw the report and got the word out today. (Thanks very much, Jeff.)

Klas figured out how to reproduce the problem and a temporary fix was provided by Nicholas and Ercan (tested by Klas, Marijke, Matt, and myself). The following can be used until the 1.5.21 release.

In libraries/joomla/environment/request.php after line 525 add:

$failed |= (strstr(urldecode($key), '<') !== false);
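
An added example (not code from this post or from Joomla!) showing why the temporary fix uses `|=`: the new check is OR-ed into the result of earlier checks on the same key, whereas a plain `=` would discard them. The banned-name check, the function names and the sample keys are hypothetical and only stand in for whatever checks precede the added line.

```php
<?php
// Added illustration; this is not Joomla!'s request.php.
// The banned-name list below is a hypothetical earlier check.

function keyFailsAccumulated($key)
{
    // Earlier check (assumed): reject keys that shadow PHP superglobals.
    $failed = in_array(strtolower($key), array('globals', '_get', '_post'), true);

    // The line from the temporary fix: OR the new result into $failed,
    // so a key rejected by the earlier check stays rejected.
    $failed |= (strstr(urldecode($key), '<') !== false);

    // |= applied to booleans produces an integer (0 or 1); cast it back.
    return (bool) $failed;
}

function keyFailsOverwritten($key)
{
    $failed = in_array(strtolower($key), array('globals', '_get', '_post'), true);

    // Plain assignment: the earlier result is thrown away and only the
    // '<' check decides the outcome.
    $failed = (strstr(urldecode($key), '<') !== false);

    return $failed;
}

// Constructed sample request keys: a normal one, a banned name,
// a key containing '<', and the same key URL-encoded.
$keys = array('option', 'GLOBALS', 'a<b', 'a%3Cb');

foreach ($keys as $key) {
    printf(
        "%-10s  with |=: %-5s  with =: %s\n",
        $key,
        var_export(keyFailsAccumulated($key), true),
        var_export(keyFailsOverwritten($key), true)
    );
}
```

For the key `GLOBALS`, only the `|=` version still reports a failure; with `=` the earlier rejection is lost.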


The YGN Ethical Hacker Group published the vulnerability only after not being able to get attention on the problem. In this forum post, they indicated they had tried unsuccessfully several times to get the project's attention and said that they would publish the vulnerability as a result.

An Official Fix is coming!

Sam Moffatt and Andrew Eddie are now working on the issue, along with members of the JSST. Sam created a Tracker Item and is looking for testers. The fix provided by Nicholas and Ercan essentially trapped the bad URL and stopped the application. The project appears to be taking a different approach (many ways to skin a cat) and has called for help testing to ensure extensions are not broken. Please take time to review if you can.

Thanks to all for working on this on behalf of our Joomla! community. I urge the Joomla! project to invite Ercan, Nicholas, and Jeff into the JSST. They would be welcome resources to our overworked project team.


Tags: Joomla! 1.5.20, security

Comment by Amy Stephen on October 7, 2010 at 9:30pm
Testing shows this problem goes back to Joomla! 1.5.0
Comment by Marcos Peebles on October 8, 2010 at 4:18am
Thanks Amy, Klas, Marijke, Ercan, Matt and Nikos!

Should have asked the PR team to deal with that *grin* --> ok, I'm out ;-)
Comment by Daniel Dimitrov on October 8, 2010 at 8:02am
Hey Amy,
$failed |= (strstr(urldecode($key), '<') !== false);

what does |= syntax mean???
I guess you mistyped it and meant:
$failed = (strstr(urldecode($key), '<') !== false);
Comment by Amy Stephen on October 8, 2010 at 9:26am
Daniel - that is the first time I have seen that syntax, too, but it is correct (and it does work.)

Used pastebin to post the method with Nicholas and Ercan's fix as line 11.

The project is looking for help testing the patch that is intended for 1.5.21, so please check that out, too.

Thanks again to the community for responding in such a proactive way. Remarkable people who take their roles very seriously. Proud to be associated with you. Go Joomla!
Comment by Robert Deutz on October 8, 2010 at 9:38am
it's the short version of $failed = $failed | (strstr(urldecode($key), '<') !== false);

I really don't like the short version, I think it doesn't help to understand what's going on.
Comment by Amy Stephen on October 8, 2010 at 10:03am
Folks -

The project has a test package and patch available now. Please use it since we need to test what will ultimately be provided in 1.5.21.

Thanks to all for your efforts.
Comment by Amy Stephen on October 8, 2010 at 6:23pm
Joomla! 1.5.21 is released. Thanks to the Joomla! project for the speedy turn around on a patch and release.

Thanks so very much to the Joomla! community for caring about this issue and helping reproduce the problem (thanks Klas!), create a fix (Nicholas and Ercan - you rock!), and get information out on this. I'm very proud of you guys - you respond like a working community.

I want to thank the YGN Ethical Hacker Group for the report. In the future, if there is a problem connecting with the Joomla! project on a potential security issue, please feel free to leave a message here with us at All Together, As A Whole. We will be more than happy to help try and get proper attention on these problems. We very much appreciate your work.
Comment by John Messingham on October 9, 2010 at 7:33am
Am I missing something or is this fix not included in the update packages?
Comment by Brian "Sully" Sullivan on October 9, 2010 at 8:10am
Hi Amy,

This is from CHANGELOG.PHP


-------------------- 1.5.21 Stable Release [08-October-2010] ------------------


-------------------- 1.5.20 Stable Release [18-July-2010] ------------------


-------------------- 1.5.19 Stable Release [15-July-2010] ------------------


I'm curious if you know whether a patch for broken URLs to J.org in demo content for Admin made it into this release.
Comment by Brian "Sully" Sullivan on October 9, 2010 at 9:51am
... nope.

© 2012   Created by Amy Stephen.