It has come to our attention that there is a site on the internet distributing full Joomla release zip files that have been modified to add code which lets an attacker break into your site.
This post is subtitled “How to check your downloaded Zip file is genuine and unmodified”.
Rule #1: ONLY EVER download from a TRUSTED SOURCE (for Joomla, that is the joomlacode.org site) unless absolutely necessary.
Rule #2: Check that your downloaded file is unmodified by verifying the md5 sum of the file.
The md5 what?
Well check out this page (Click the files tab):
http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseView&release_id=8897
You will see the main download Joomla_1.5.8-Stable-Full_Package.zip has an md5 of 36b9c161b46bf973a96201135e933219
We can check this md5 hash in several ways; for example, on Linux we can type
md5sum Joomla_1.5.8-Stable-Full_Package.zip
which will give us:
36b9c161b46bf973a96201135e933219 Joomla_1.5.8-Stable-Full_Package.zip
We then compare that output with the md5 hash on the web page above. If they differ, even by a single character, the zip file you downloaded has been modified in some way, however small. DO NOT USE it unless the md5 hash matches EXACTLY.
There are more secure ways of “signing” package files, using GPG signatures, but the Joomla Project Team are behind the times with GPG and have not yet adopted the same system that Linux package maintainers use, GnuPG.
There are many other ways to compare md5 hashes, including some Windows applications.
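The check above can be scripted so that the comparison is exact, case-insensitive and impossible to skim past. The following POSIX shell function is an added example written for this post, not code from the Joomla project: it takes a file path and the hash published by the trusted source as arguments, uses md5sum (or BSD md5 where md5sum is absent, an assumption for portability), and exits non-zero on any mismatch.

```shell
#!/bin/sh
# Added example: verify that a downloaded file's md5 matches the hash
# published by the trusted source (e.g. the JoomlaCode "Files" tab).
# Usage: verify_md5 FILE EXPECTED_HASH
# Exit status: 0 = match, 1 = mismatch, 2 = usage or environment error.

md5_of_file() {
    # Prefer GNU coreutils md5sum; fall back to BSD/macOS "md5 -q".
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then
        md5 -q "$1"
    else
        return 2
    fi
}

verify_md5() {
    file="$1"
    expected="$2"

    [ -n "$file" ] && [ -n "$expected" ] || {
        echo "usage: verify_md5 FILE EXPECTED_HASH" >&2; return 2; }
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }

    # Normalise the published hash to lowercase so a difference in case does
    # not produce a false mismatch, then insist on exactly 32 hex characters:
    # anything else means the hash was copied wrongly, not that the file is bad.
    expected=$(printf '%s' "$expected" | tr 'ABCDEF' 'abcdef')
    case "$expected" in
        *[!0-9a-f]*) echo "expected hash contains non-hex characters" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "expected hash is not 32 hex characters" >&2; return 2; }

    actual=$(md5_of_file "$file") || { echo "no md5 tool found" >&2; return 2; }

    # Exact, whole-string comparison: a single differing character is a mismatch.
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file matches $expected"
        return 0
    fi
    echo "MISMATCH: $file has been modified or corrupted; do not use it" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Stand-alone use, e.g.:
#   sh verify_md5.sh Joomla_1.5.8-Stable-Full_Package.zip 36b9c161b46bf973a96201135e933219
if [ "$#" -eq 2 ]; then
    verify_md5 "$1" "$2"
else
    echo "usage: $0 FILE EXPECTED_HASH" >&2
fi
```

The expected hash must come from the trusted source's own page, not from the same site that served the zip; the comparison is only as trustworthy as the channel the hash arrived over.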
This raises the question: why would anyone want to download Joomla from anywhere other than JoomlaCode.org?
Sometimes JoomlaCode is down, and sometimes people hear about Joomla for the first time without knowing the official sites exist, and download from other sites.
We also host an unofficial mirror of all downloads at http://mirror.phil-taylor.com, and the md5 hashes of our files can be checked too. Note, though, that the md5 hashes themselves are hosted at JoomlaCode.org, so if that site were down it would be impossible to check them anyway.
Quick question…I’ve asked on the joomla community forums but got no response:
I can never seem to find the md5 checksums for all of the other latest release upgrade files, such as 1.5.3 to 1.5.8.
That link you sent has extra tabs, and I can’t seem to find that page with extra tabs for all the other Joomla files.
As a result, I’ve been upgrading sites without being able to check the md5 checksums (yee gads!)
I find my way to this page and can’t find the md5 hashes:
http://tinyurl.com/566qj9
Any help would be greatly appreciated
cheers,
forest
You can find the md5 hashes for the upgrade files on the files tab of this page:
http://joomlacode.org/gf/project/joomla/frs/?action=FrsReleaseView&release_id=8898
Thanks, Phil!
I’ve saved that url, but what irks me is that I still can’t figure out how to get to that page on my own, by navigating to it with available links on the Joomla Code site.
Best wishes,
Forest
From this page:
http://joomlacode.org/gf/project/joomla/frs/
click the entry in the column “Latest Release”,
then click the “Files” tab.
Bingo. Mystery solved.
Thank you, Phil!
forest
Hi Phil,
I believe in a strategy of naming and shaming. If there is a site that wittingly or unwittingly is distributing a modified version of Joomla which can be easily hacked, I believe naming them is only fair. That way, users can know which 3rd party sites CANNOT be trusted. With a strategy of naming and shaming, the site in question would either take it down, or take steps to remove the vulnerability…
David