JOOMLA / MAMBO --> Urgent Updates Needed

Started by chilly, June 26, 2006, 08:50:21 AM


chilly

This is a mandatory update for anyone using ANY previous version of Joomla.  It addresses some pretty major security issues:


All existing Joomla! users MUST UPGRADE to this version, due to several High Level vulnerabilities that affect ALL Previous versions of Joomla!

1.0.10 contains the following important security fixes:

    * 03 High Level Security Fixes
    * 01 Medium Level Security Fixes
    * 05 Low Level security
    * 40+ General bug fixes

If you are using ANY previous version of Joomla!, you need to upgrade to 1.0.10

1.0.10 is available as a Full Package, which contains all Joomla! files and Patch Packages which contain only the files that have been changed by the Stability work conducted from previous Joomla! 1.0.x versions.

-------
edit:  Changed title to reflect Mambo as well. 
Thanks, Jason
-------

Jason

Great post.  In fact, I just learned late last night of the Mambo vulnerabilities which I'm sure are parallel with the need for this.

(Current investigation leads us to believe this may be the root of a compromise that led to our phpsuexec implementation last week).

EVERYONE running JOOMLA or MAMBO needs to react immediately.  If you don't patch your installation, the entire server is at risk.

Look for further details from me in this thread later.

Jason

Moving to a public board so everyone can see this thread...

The Librarian

hello Jason

I am using joomla 1.0.7 which is the stable version.  I didn't upgrade to 1.0.8 because of some issues with orstio's bridge and some other things that wouldn't work/cause problems.

I don't understand if 1.0.7 was the stable version why there is now a problem and we have to move to 1.0.10 (which I didn't even know existed)

Everything on my site is currently working and I am concerned that doing this will cause things to not work again, please advise


and also I don't know how to upgrade as this is the only version of joomla I have ever had :(
The Librarian

Jason

Quote from: ello on June 26, 2006, 09:50:23 AM
hello Jason

I am using joomla 1.0.7 which is the stable version.  I didn't upgrade to 1.0.8 because of some issues with orstio's bridge and some other things that wouldn't work/cause problems.

I don't understand if 1.0.7 was the stable version why there is now a problem and we have to move to 1.0.10 (which I didn't even know existed)

Everything on my site is currently working and I am concerned that doing this will cause things to not work again, please advise

Hi,

Unfortunately, that's the nature of the Internet and security.  You can read on their website, but there is a vulnerability that allows someone to run whatever they want from your account.  You will need to patch up to the latest version immediately. 

I wish I had better news. 

If you want to post on Joomla's site, you may be able to find out how to manually change the code needed to fix it without upgrading the full Joomla install.

Regards,
Jason

The Librarian

Jason, I looked at the joomla forum and it is full of people saying they are getting errors, can't access, not authorised etc messages after upgrading.

This makes me very nervous about changing anything especially since I don't really know what I am doing

I looked at the download area and there are three options for upgrading from 1.0.7:

Joomla_1.0.7_to_1.0.10-Stable-Patch_Package.tar.bz2   583 KB   06/25/2006 9:19 PM   06/25/2006 9:19 PM
Joomla_1.0.7_to_1.0.10-Stable-Patch_Package.tar.gz    742 KB   06/25/2006 9:18 PM   06/25/2006 9:18 PM
Joomla_1.0.7_to_1.0.10-Stable-Patch_Package.zip       0 MB     06/25/2006 9:17 PM   06/25/2006 9:40 PM

I don't know what to do with these or which one to choose or if it is supposed to be all three.  :-\

I also cant do this anytime soon as I am just about to go to the hospital for an appointment and am just waiting for someone to pick me up.

Suggestions/advice welcome meantime  :-\
The Librarian

Mark

All those packages are the same, they are just different archive formats (.zip, .tar.gz, and .tar.bz2). It would be easiest to download the .zip and manually do the update if you are not too familiar with using the other formats. Also, since this is a MAJOR security fix, I would advise doing it anyway. And if it breaks the bridge then go to Oristo and ask if he is working on a new version. And if it does end up not working, I would suggest you create and upload an index.html file saying you are under maintenance or something while the problem is worked out.

I would say it would probably be better for your website to be down or under maintenance rather than being a security risk if you asked me.

Jason

Quote from: Killer Possum on June 26, 2006, 10:47:22 AM
I would say it would probably be better for your website to be down or under maintenance rather than being a security risk if you asked me.

Absolutely.  In fact, at some point I'm going to have to start blocking sites running insecure versions.  In addition to the potential for your site being damaged, this particular issue has a far greater impact at the server level.  In cases like that, the overall server security is priority 1.

CountryLady

Thank you Chilly and Jason for alerting us to this.
KP, thanks for stating things so bluntly and accurately.

ELLO and others.... Please follow their suggestions immediately.
The security of MY websites is at risk until you do~!


As responsible website owners/managers, we OWE it to our Host
and the other websites on our shared servers to be knowledgeable
enough to work with issues like these. Security issues are NOT new.
This exact same kind of threat happened to php in general a year or
two ago, and ALL sites on shared servers had to upgrade their
php-based forums and other php-based programs or be taken offline
to protect the dozens/hundreds of websites also on the same server.

My suggestion is to email all your members and let them know you
are going offline to PROTECT them and you from hack while you
remedy the issue behind the scenes. BACKUP your entire website
and make a local copy of your forum to fix it on your own computer.

PLEASE -- EVERYONE WITH JOOMLA/MAMBO... don't wait for your
site to have to be taken offline by our Hosting Company. DO THIS NOW~!

Thank you and you're welcome.  ;)


Chance favors the prepared. Come join us at OurCountryHaven.

weekend camper

 :D :D :D

Upgrade from J1.0.9 causing (on my site) the components to be 404'd ... ie, weblinks, blog, newslinks and even "home" button.

.... researching ....

Jason

Quote from: weekend camper on June 26, 2006, 06:37:45 PM
Upgrade from J1.0.9 causing (on my site) the components to be 404'd ... ie, weblinks, blog, newslinks and even "home" button.

This is a silly question, but I assume you used the 1.0.9 to 1.0.10 package?

Jason

I've just done 4 upgrades in under 10 minutes.  I haven't had to do anything other than overwrite files so far.  Of course, they were pretty simple Joomla sites.


weekend camper

Quote from: Jason on June 26, 2006, 06:45:20 PM
Quote from: weekend camper on June 26, 2006, 06:37:45 PM
Upgrade from J1.0.9 causing (on my site) the components to be 404'd ... ie, weblinks, blog, newslinks and even "home" button.

This is a silly question, but I assume you used the 1.0.9 to 1.0.10 package?

Yes, triple checked.  Have now started to file by file use the 1.08--1.10 package in case of 'error'.

I don't get it ... have even made new weblinks and still get

The requested URL /frontend/component/option,com_weblinks/catid,2/Itemid,29/ was not found on this server.

Additionally, a 404 Not Found error was encountered while trying to use an ErrorDocument to handle the request.



the good news is that I seem to be the only one with this particular issue.

Jason

Wait, are your files properly permissioned?  Are you sure nothing is chmodded above 755?

Email me your ftp and joomla login info if you want me to take a peek.
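As an added example (not code from this thread, from Joomla or from the host), here is a small POSIX shell routine that does the three steps the posters describe in order: CountryLady's full backup first, Jason's overwrite of the patch package files over the live tree, and then his "nothing chmodded above 755" check. It assumes the patch archive is the .tar.gz package with paths relative to the web root, and that the web root, patch and backup paths are supplied by the caller.

```shell
#!/bin/sh
# Added example, not from the thread: apply a Joomla 1.0.x patch package the
# way the posters describe (back up, overwrite files, then check that nothing
# was left writable by group or other). All paths are caller-supplied.
set -u

# backup_site WEBROOT BACKUP_TGZ : full copy of the tree before touching it
backup_site() {
    tar -czf "$2" -C "$1" .
}

# apply_patch WEBROOT PATCH_TGZ : unpack the package over the live tree so
# only the files it contains are overwritten (assumes paths in the archive
# are relative to the web root). Extracted files keep the modes stored in
# the archive, which is why the permission check follows.
apply_patch() {
    tar -xzf "$2" -C "$1"
}

# loose_perms WEBROOT : print every entry writable by group or other, i.e.
# anything more permissive than 755 (empty output means the tree is clean)
loose_perms() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print
}

# upgrade WEBROOT PATCH_TGZ BACKUP_TGZ : run the three steps. Returns 2 if
# the backup failed (nothing else is attempted), 3 if the unpack failed, and
# 1 if the permission check found entries the operator should look at.
upgrade() {
    backup_site "$1" "$3" || return 2
    apply_patch "$1" "$2" || return 3
    [ -z "$(loose_perms "$1")" ]
}
```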