Charlottezweb

General Conversation => Script Chat => Topic started by: chilly on June 26, 2006, 08:50:21 AM

Title: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: chilly on June 26, 2006, 08:50:21 AM
This is a mandatory update for anyone using ANY previous version of Joomla.  It addresses some pretty major security issues:


All existing Joomla! users MUST UPGRADE to this version, due to several High Level vulnerabilities that affect ALL Previous versions of Joomla!

1.0.10 contains the following important security fixes:

    * 03 High Level Security Fixes
    * 01 Medium Level Security Fixes
    * 05 Low Level Security Fixes
    * 40+ General bug fixes

If you are using ANY previous version of Joomla!, you need to upgrade to 1.0.10

1.0.10 is available as a Full Package, which contains all Joomla! files and Patch Packages which contain only the files that have been changed by the Stability work conducted from previous Joomla! 1.0.x versions.

-------
edit:  Changed title to reflect Mambo as well. 
Thanks, Jason
-------
Title: Re: Joomla 1.0.10 Released Today
Post by: Jason on June 26, 2006, 08:56:17 AM
Great post.  In fact, I just learned late last night of the Mambo vulnerabilities which I'm sure are parallel with the need for this.

(Current investigation leads us to believe this may be the root of a compromise that led to our phpsuexec implementation last week).

EVERYONE running JOOMLA or MAMBO needs to react immediately.  If you don't patch your installation, the entire server is at risk.

Look for further details from me in this thread later.
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 26, 2006, 09:14:25 AM
Moving to a public board so everyone can see this thread...
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: The Librarian on June 26, 2006, 09:50:23 AM
hello Jason

I am using joomla 1.0.7 which is the stable version.  I didn't upgrade to 1.0.8 because of some issues with orstio's bridge and some other things that wouldn't work/cause problems.

I don't understand, if 1.0.7 was the stable version, why there is now a problem and we have to move to 1.0.10 (which I didn't even know existed).

Everything on my site is currently working and I am concerned that doing this will cause things to not work again; please advise.


and also I don't know how to upgrade as this is the only version of joomla I have ever had :(
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 26, 2006, 09:53:07 AM
Quote from: ello on June 26, 2006, 09:50:23 AM
hello Jason

I am using joomla 1.0.7 which is the stable version.  I didn't upgrade to 1.0.8 because of some issues with orstio's bridge and some other things that wouldn't work/cause problems.

I don't understand, if 1.0.7 was the stable version, why there is now a problem and we have to move to 1.0.10 (which I didn't even know existed).

Everything on my site is currently working and I am concerned that doing this will cause things to not work again; please advise.

Hi,

Unfortunately, that's the nature of the Internet and security.  You can read on their website, but there is a vulnerability that allows someone to run whatever they want from your account.  You will need to patch up to the latest version immediately. 

I wish I had better news. 

If you want to post on Joomla's site, you may be able to find out how to manually change the code needed to fix it without upgrading the full Joomla install.

Regards,
Jason
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: The Librarian on June 26, 2006, 10:11:47 AM
ah ok, thanks, I will go look at it  :-\
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: The Librarian on June 26, 2006, 10:23:40 AM
Jason, I looked at the joomla forum and it is full of people saying they are getting errors, "can't access", "not authorised", etc. messages after upgrading.

This makes me very nervous about changing anything, especially since I don't really know what I am doing.

I looked at the download area and there are three options for upgrading from 1.0.7:

Joomla_1.0.7_to_1.0.10-Stable-Patch_Package.tar.bz2    583 KB    06/25/2006 9:19 PM    06/25/2006 9:19 PM
Joomla_1.0.7_to_1.0.10-Stable-Patch_Package.tar.gz     742 KB    06/25/2006 9:18 PM    06/25/2006 9:18 PM
Joomla_1.0.7_to_1.0.10-Stable-Patch_Package.zip        0 MB      06/25/2006 9:17 PM    06/25/2006 9:40 PM

I don't know what to do with these, or which one to choose, or if it is supposed to be all three.  :-\

I also cant do this anytime soon as I am just about to go to the hospital for an appointment and am just waiting for someone to pick me up.

Suggestions/advice welcome meantime  :-\
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Mark on June 26, 2006, 10:47:22 AM
All those packages are the same; they are just different archive formats (.zip, .tar.gz, and .tar.bz2). It would be easiest to download the .zip and manually do the update if you are not too familiar with using the other formats. Also, since this is a MAJOR security fix, I would advise doing it anyway. And if it breaks the bridge, then go to Oristo and ask if he is working on a new version. And if it does end up not working, I would suggest you create and upload an index.html file saying you are under maintenance or something while the problem is worked out.

I would say it would probably be better for your website to be down or under maintenance rather than being a security risk, if you asked me.
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 26, 2006, 10:52:45 AM
Quote from: Killer Possum on June 26, 2006, 10:47:22 AM
I would say it would probably be better for your website to be down or under maintenance rather than being a security risk, if you asked me.

Absolutely.  In fact, at some point I'm going to have to start blocking sites running insecure versions.  In addition to the potential for your site being damaged, this particular issue has a far greater impact at the server level.  In cases like that, the overall server security is priority 1.
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: CountryLady on June 26, 2006, 03:23:58 PM
Thank you Chilly and Jason for alerting us to this.
KP, thanks for stating things so bluntly and accurately.

ELLO and others.... Please follow their suggestion immediately.
The security of MY websites is at risk until you do~!


As responsible website owners/managers, we OWE it to our Host
and the other websites on our shared servers to be knowledgeable
enough to work with issues like these. Security issues are NOT new.
This exact same kind of threat happened to php in general a year or
two ago, and ALL sites on shared servers had to upgrade their
php-based forums and other php-based programs or be taken offline
to protect the dozens/hundreds of websites also on the same server.

My suggestion is to email all your members and let them know you
are going offline to PROTECT them and you from hacks while you
remedy the issue behind the scenes. BACKUP your entire website
and make a local copy of your forum to fix it on your own computer.

PLEASE -- EVERYONE WITH JOOMLA/MAMBO... don't wait for your
site to have to be taken offline by our Hosting Company. DO THIS NOW~!

Thank you and you're welcome.  ;)


Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: weekend camper on June 26, 2006, 06:37:45 PM
 :D :D :D

Upgrade from J1.0.9 causing (on my site) the components to be 404'd ... i.e., weblinks, blog, newslinks and even the "home" button.

.... researching ....
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 26, 2006, 06:45:20 PM
Quote from: weekend camper on June 26, 2006, 06:37:45 PM
Upgrade from J1.0.9 causing (on my site) the components to be 404'd ... i.e., weblinks, blog, newslinks and even the "home" button.

This is a silly question, but I assume you used the 1.0.9 to 1.0.10 package?
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 26, 2006, 06:52:12 PM
I've just done 4 upgrades in under 10 minutes.  I haven't had to do anything other than overwrite files so far.  Of course, they were pretty simple Joomla sites.

Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: weekend camper on June 26, 2006, 07:00:17 PM
Quote from: Jason on June 26, 2006, 06:45:20 PM
Quote from: weekend camper on June 26, 2006, 06:37:45 PM
Upgrade from J1.0.9 causing (on my site) the components to be 404'd ... i.e., weblinks, blog, newslinks and even the "home" button.

This is a silly question, but I assume you used the 1.0.9 to 1.0.10 package?

Yes, triple checked.  Have now started to use the 1.08--1.10 package file by file, in case of 'error'.

I don't get it ... have even made new weblinks and still get:

The requested URL /frontend/component/option,com_weblinks/catid,2/Itemid,29/ was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.


The good news is that I seem to be the only one with this particular issue.
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 26, 2006, 07:02:34 PM
Wait, are your files properly permissioned?  Are you sure nothing is chmodded above 755?

Email me your ftp and joomla login info if you want me to take a peek.

Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: CountryLady on June 26, 2006, 07:35:03 PM
Jason, is 755 the same as Write - Read - Read?
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 26, 2006, 07:42:53 PM
Quote from: CountryLady on June 26, 2006, 07:35:03 PM
Jason, is 755 the same as Write - Read - Read?

Not exactly, permissions are made up of three digits.  Each one specifies the permissions for that particular user set.

So 755 actually is:

7 = Read, Write, Execute (owner)  (full permissions)
5 = Read, Execute (group)
5 = Read, Execute (world)

Here's a great example/tutorial:  http://cals.arizona.edu/ecat/web/permissions.html
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: CountryLady on June 26, 2006, 08:18:35 PM
 :) Thanks for the info & link.
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 26, 2006, 08:21:04 PM
Quote from: CountryLady on June 26, 2006, 08:18:35 PM
:) Thanks for the info & link.

No problemo.  :)
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: The Librarian on June 27, 2006, 07:13:03 AM
Quote from: CountryLady on June 26, 2006, 03:23:58 PM

Please follow their suggestion immediately.
The security of MY websites is at risk until you do~!
I appreciate that this is serious but there was nothing I could do yesterday - please also bear in mind the time difference.  I have another hospital appointment today and hope to work on this when I get home.

( I did check with orstio yesterday and he says his is working fine)

Thanks for your help
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 27, 2006, 08:16:56 AM
You basically just need to find the patch on their site.  There is a different one for each version of Joomla you're running.  Download the zipped one.

If you're running 1.0.8, use this:  click (http://developer.joomla.org/sf/frs/do/downloadFile/projects.joomla/frs.joomla_1_0.1_0_10/frs5794?dl=1)
If you're running 1.0.9, use this:  click (http://developer.joomla.org/sf/frs/do/downloadFile/projects.joomla/frs.joomla_1_0.1_0_10/frs5791?dl=1)

Unzip it on your pc, then upload those files into your account overwriting the ones you had before.

Of course, make sure you BACKUP everything first.

The whole process should take less than 5 minutes.

Let us know if you need further help.

Regards,
Jason
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 27, 2006, 10:29:43 AM
Followup email going to all clients now:

- - - - -

URGENT Mambo / Joomla Announcement

In case you didn't get the email sent to all clients yesterday, an URGENT and IMMEDIATE update is required for all clients running Mambo or Joomla on their accounts. 

If you have ever installed an instance of either package and still have it in your account, your immediate attention is required to either remove or update it.

Please read our thread for more details or to ask any questions:

http://www.charlottezweb.com/forums/index.php?topic=468

I'm running reports across all servers and have lists of who is running what versions.  I will try to reach out to everyone individually (since I don't think everyone is following through on this).  If I don't get a response within the next day or so, I will need to take appropriate action to protect our servers. 

Please post on our forum or email me with ANY questions you have on this.

Clients who had their sites designed by me are already fixed. 

(Note:  The fix typically takes only a few minutes to complete)

Regards,
Jason
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Mark on June 27, 2006, 10:43:50 AM
I hate to be the bearer of bad news, but if this is the second e-mail, I never got the first :-X
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 27, 2006, 10:46:39 AM
Quote from: Killer Possum on June 27, 2006, 10:43:50 AM
I hate to be the bearer of bad news, but if this is the second e-mail, I never got the first :-X

I was somewhat wondering about that, which is part of the reason for sending a second.  The first emailing halted midway.  It said it processed all but 4, but I don't know how much I trust that. 
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Mark on June 27, 2006, 11:20:34 AM
Well actually, I didn't say what I was trying to say correctly... I didn't get the second either!
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 27, 2006, 11:32:36 AM
Quote from: Killer Possum on June 27, 2006, 11:20:34 AM
Well actually, I didn't say what I was trying to say correctly... I didn't get the second either!

Can you email me the address you're checking?

I know it went out due to the responses I've received already (from both in fact).  Phplist also sent the completion notice so it should've gone to everyone subscribed.
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: weekend camper on June 27, 2006, 12:47:01 PM
As a quick follow-up, my third ftp program still didn't group-change folders' CHMOD; I have to go in individually and change them.  Ugghh.

The good news is that the site is at least up and running after only changing the indexes, both frontend and admin.  Will have to keep an eye out for future problems with the CHMODing.


:D
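Jason's "nothing chmodded above 755" question and the recursive-CHMOD trouble above both come down to the same check. This is an added example, not anything posted in the thread: a POSIX shell audit that lists everything under a document root writable by group or world, then resets directories to 755 and files to 644 recursively (the sample tree it runs against is constructed here).

```shell
#!/bin/sh
# Added example, not from the thread: audit a Joomla/Mambo document root for
# anything looser than 755 on directories / 644 on files and fix it recursively,
# which is what the FTP clients mentioned in the thread could not do.
# Assumes only a POSIX find/chmod; the sample tree is constructed here.
set -e

# Print every file or directory that is writable by group or world.
# Empty output means the tree already satisfies the 755/644 rule.
find_loose_perms() {
    find "$1" \( -type f -o -type d \) \( -perm -g+w -o -perm -o+w \) -print
}

# Recursively set 755 on directories and 644 on files under the given root.
normalize_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample tree, start it clean, then loosen two entries
# deliberately so the audit has something to find.
make_sample_tree() {
    mkdir -p "$1/administrator/components" "$1/components/com_weblinks"
    printf '<?php // constructed stub\n' > "$1/index.php"
    printf '<?php // constructed stub\n' > "$1/components/com_weblinks/weblinks.php"
    normalize_perms "$1"
    chmod 777 "$1/administrator/components"   # world-writable directory
    chmod 666 "$1/index.php"                  # world-writable file
}

sample=$(mktemp -d)
make_sample_tree "$sample/site"
echo "Loose entries before fix:"
find_loose_perms "$sample/site"
normalize_perms "$sample/site"
echo "Loose entries after fix (expect none):"
find_loose_perms "$sample/site"
rm -rf "$sample"
```

Point `find_loose_perms` at the real public_html first; on a phpsuexec host the script itself should run as the account owner, not as root.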
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 27, 2006, 12:53:28 PM
Quote from: weekend camper on June 27, 2006, 12:47:01 PM
as a quick follow up, my third ftp program still didn't group change folders' CHMOD, I have to go in individually and change them.  Ugghh.

Yuck.  Sounds like you need a better ftp program!  :D
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: The Librarian on June 27, 2006, 03:55:33 PM
I can't seem to reach cpanel, in firefox it says :

Server not found

Firefox can't find the server at cyclone.charlottezweb.com.

:-\
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 27, 2006, 03:58:05 PM
Everything looks good to me.  You're using your normal http://www.yoursite.com/cpanel  address?
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Mark on June 27, 2006, 04:14:55 PM
I'm on Cyclone and in cPanel right now.
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: The Librarian on June 27, 2006, 05:14:07 PM
I'm in now, but I don't know what happened before. IE just refused to display a page, and when I tried Firefox with http://www.yoursite.com/cpanel it changed it to the charlotteweb address with port but still wouldn't display it.

I am nearly finished upgrading, but I sent you an email just now with a quick question, then I'm done :)
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on June 27, 2006, 09:19:00 PM
Ok, I've emailed everyone individually regarding their present installations.  (And now I need a nap!)

We've set the servers up to email me summaries each day of what installations exist and what versions they're running.  I'm hoping we'll have all of this behind us in a day or two.

I appreciate everyone's speed in addressing this.  It's never fun when emergency patches get released but these are pretty significant so I appreciate your prompt attention.  You all are the best!   8) 

Cheers,
Jason
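The daily summary of "what installations exist and what versions they're running" is the useful defensive control in this thread. What follows is an added example, not the host's actual reporting script: it walks a base directory of accounts, reads each install's includes/version.php, and flags Joomla installs that are not 1.0.10. It assumes the 1.0.x layout of that file, with single-quoted $PRODUCT, $RELEASE and $DEV_LEVEL class variables; the three sample accounts are constructed.

```shell
#!/bin/sh
# Added example, not the host's actual reporting script: inventory every
# Joomla/Mambo install under a set of account directories and flag Joomla
# versions other than 1.0.10. Assumes each install keeps includes/version.php
# with $PRODUCT, $RELEASE and $DEV_LEVEL (1.0.x layout); sample tree is constructed.
set -e

# Print the single-quoted value of a PHP class variable ($2) from file $1.
php_var() {
    sed -n "s/.*[$]$2[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# One "account product version path" line per install under base dir $1,
# with a NEEDS-UPDATE marker on any Joomla install that is not 1.0.10.
report_installs() {
    find "$1" -path '*/includes/version.php' -print | sort | while read -r vf; do
        dir=${vf%/includes/version.php}
        account=${dir#"$1"/}; account=${account%%/*}
        product=$(php_var "$vf" PRODUCT)
        version="$(php_var "$vf" RELEASE).$(php_var "$vf" DEV_LEVEL)"
        flag=""
        case "$product:$version" in
            'Joomla!:1.0.10') ;;                       # current, nothing to do
            'Joomla!:'*)      flag=" NEEDS-UPDATE" ;;  # any other 1.0.x release
        esac
        echo "$account $product $version $dir$flag"
    done
}

# Number of installs flagged by report_installs.
count_needing_update() {
    report_installs "$1" | grep -c NEEDS-UPDATE || true
}

# Write a constructed version.php: $1 install dir, $2 product, $3 release, $4 dev level.
write_version_php() {
    mkdir -p "$1/includes"
    printf "<?php\nclass version {\n\tvar \$PRODUCT = '%s';\n\tvar \$RELEASE = '%s';\n\tvar \$DEV_LEVEL = '%s';\n}\n" \
        "$2" "$3" "$4" > "$1/includes/version.php"
}

# Constructed sample: one outdated Joomla, one current Joomla, one Mambo.
make_sample_accounts() {
    write_version_php "$1/alice/public_html"       'Joomla!' 1.0 7
    write_version_php "$1/bob/public_html/joomla"  'Joomla!' 1.0 10
    write_version_php "$1/carol/public_html/mambo" 'Mambo'   4.5 3
}

sample=$(mktemp -d)
make_sample_accounts "$sample"
report_installs "$sample"
echo "Installs needing update: $(count_needing_update "$sample")"
rm -rf "$sample"
```

On a cPanel box the base directory would be /home, and the output of `report_installs` is what a nightly cron job would mail out; Mambo installs are listed without a flag because the thread gives no target version for them.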
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: weekend camper on October 31, 2006, 06:23:09 PM
Quote from: Jason on June 27, 2006, 12:53:28 PM
Quote from: weekend camper on June 27, 2006, 12:47:01 PM
As a quick follow-up, my third ftp program still didn't group-change folders' CHMOD; I have to go in individually and change them.  Ugghh.

Yuck.  Sounds like you need a better ftp program!  :D

Just FYI that I did find a freebie ftp that allows for recursive chmod'ing on folders --- FireFTP (a plugin for Firefox).  Not the greatest UI out there (you will have to spend time getting used to it), but it functions.

http://fireftp.mozdev.org/
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Jason on October 31, 2006, 08:16:03 PM
Thanks for sharing.  That looks pretty neat. 

I always fear browser-based ftp usage but that one looks promising.
Title: Re: JOOMLA / MAMBO --> Urgent Updates Needed
Post by: Mark on November 02, 2006, 12:09:33 AM
Meh, that one is OK. I don't like browser-based FTP because you have to leave the browser open. And one of the things I hate about FF is that anything you have open with it (including multiple windows) all closes when you use File > Exit (or Alt-F, X), which I always do. Many a ChatZilla disconnect resulted, so I had to download XULRunner (http://developer.mozilla.org/en/docs/XULRunner) so that I could run ChatZilla stand-alone. Now if that FTP plug-in worked with XULRunner, then that'd be cool too.