January 2nd, 2008
We write this blog post with sadness. On 4 December 2007 a white hat hacker notified the Joomla Core Development team of a CSRF vulnerability in Joomla 1.0.13 and Joomla 1.5 RC3. There have been many reports of these vulnerabilities around the web since then.
The nature of the vulnerability means that your site cannot be hacked while you sleep (unlike many of the third-party component issues): it requires you (the site's Super Admin) to be logged into the Joomla Admin while at the same time browsing sites (maybe even your own) that contain content which sends forged requests back to your Joomla Admin console without you knowing. Your browser attaches your admin session cookie to those requests, so the console treats them as yours. This can lead to complete disaster and even complete server compromise.
The Joomla developers took only four days to fix this in the Joomla 1.5 SVN and shortly afterwards released Joomla 1.5 RC4, stating they had fixed this category A5 (OWASP Top 10 2007: Cross Site Request Forgery) [High] security vulnerability.
To date, no changes and no attempts have been made by the core development team in the Joomla 1.0.13+ SVN tree to fix this vulnerability in Joomla 1.0.13. Update: changes are now in SVN for the next version of Joomla 1.0.x - about time!
In an effort to assist them we spent a few hours backporting code from Joomla 1.5 RC4 to Joomla 1.0.13 and made all the changes required to fix Joomla 1.0.13 and secure it against this type of vulnerability.
Details of this can be found in the following forum thread:
http://forum.joomla.org/index.php/topic,248109.msg1136076.html#msg1136076
I personally emailed all three lead developers with the same information as I published there, including the diff/patch files for Joomla 1.0.13. I have been assured that once Joomla 1.5 stable is released, time will be spent on fixing this issue in Joomla 1.0.13 (I object to this - why take four days to fix unreleased software and over four weeks to fix software already running on millions of sites?!?)
Here is my professional advice to help you stay safe from this known and published vulnerability until the next version of Joomla 1.0.x is released.
The number one piece of advice I can give all site admins at the moment is: LOG OUT OF YOUR JOOMLA ADMIN as soon as you finish using it, do not browse the internet in other tabs or browser windows while administering your Joomla site, and if you allow users to modify your site's frontend, be careful not to browse your own frontend while logged in either.
Do not install any third-party components, mambots, modules AND TEMPLATES!!! from untrusted sources; if they choose to, these extensions can use this vulnerability to do bad things…
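To make the mechanism concrete, here is an added illustration written for this page (Python, not Joomla's own PHP). Joomla 1.5 closed the hole by requiring a per-session form token on state-changing requests (JRequest::checkToken() in 1.5); the toy admin back end below has a single action, creating a Super Administrator, and can run with or without that token check. The cookie name, form field names and user records are constructed for the example and are not Joomla's.

```python
"""Why a per-session form token stops cross-site request forgery.

Added illustration, not Joomla code. The browser sends the site's session
cookie with every request to that site, including requests triggered by a
page on another origin. The fix is a second secret, the form token, that
only pages rendered by the admin console itself can embed in a form.
"""
import hmac
import secrets


class AdminBackend:
    """In-memory stand-in for the Joomla admin console (constructed)."""

    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions = {}                       # cookie value -> session record
        self.users = {"admin": "Super Administrator"}   # constructed sample data

    def login(self, username):
        """Start a session; returns (cookie_value, form_token).
        The token is what the console would embed as a hidden form field."""
        sid = secrets.token_hex(16)
        token = secrets.token_hex(16)
        self.sessions[sid] = {"user": username, "token": token}
        return sid, token

    def logout(self, sid):
        self.sessions.pop(sid, None)

    def add_user(self, cookies, form):
        """The state-changing action. `cookies` is what the browser attaches
        automatically; `form` is the POST body the submitting page controlled."""
        session = self.sessions.get(cookies.get("session"))
        if session is None:
            return 403, "not logged in"
        if self.require_token:
            supplied = form.get("token", "")
            # Constant-time comparison; a missing or wrong token is rejected.
            if not hmac.compare_digest(supplied, session["token"]):
                return 403, "invalid form token"
        self.users[form["username"]] = form["role"]
        return 200, "user created"


def forged_request(require_token, admin_logged_in=True):
    """The admin visits an attacker page while (optionally) still logged in.
    The page auto-submits a hidden form to the admin console; the browser adds
    the session cookie, but the attacker cannot read the token and so omits it.
    Returns (http_status, attacker_account_created)."""
    backend = AdminBackend(require_token)
    sid, _token = backend.login("admin")
    if not admin_logged_in:
        backend.logout(sid)          # the "log out when you finish" advice
    status, _ = backend.add_user(
        {"session": sid},            # stale or live cookie, sent either way
        {"username": "attacker", "role": "Super Administrator"})
    return status, "attacker" in backend.users


def legitimate_request(require_token):
    """The admin submits the console's own form, which carries the token."""
    backend = AdminBackend(require_token)
    sid, token = backend.login("admin")
    status, _ = backend.add_user(
        {"session": sid},
        {"username": "editor", "role": "Editor", "token": token})
    return status, "editor" in backend.users


if __name__ == "__main__":
    print("no token check, admin logged in :", forged_request(False))
    print("token check, admin logged in    :", forged_request(True))
    print("no token check, admin logged out:", forged_request(False, False))
    print("token check, legitimate form    :", legitimate_request(True))
```

Without the token, the forged request succeeds purely on the strength of the cookie; with it, the same request is refused, and logging out defeats the forgery even on unpatched code, which is why the advice above leads with "log out".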
Posted in Announcements, Joomla 1.0.13, Rants, Security | 1 Comment »
November 22nd, 2007
We have already completed some huge new features, and fixed (almost) all reported bugs (reported in the forum).
One of next week's big announcements will be the first release of Joomla Knowledgebase for Joomla 1.5, which will operate without the Legacy Plugin that Joomla 1.5 provides for old components. This is a great testament to the bfFramework we have developed, which allows us to code once and run in both versions of Joomla.
We have also completed development and testing of SEF integration with third-party applications such as OpenSEF and sh404SEF, as these are quite popular SEF extensions for Joomla. You are no longer limited to SEF Advance. This is also in next week's release.
Joomla Knowledgebase (next release) is now JoomlaFish compatible, meaning you can have multiple language translations of your articles and categories. Better support for non-UTF-8 encodings in Joomla 1.0.x is also built in now; with Joomla 1.5 being all UTF-8, all special characters will display perfectly!
Those are just a few of the highlights already complete in the code and being tested over the next few days before release next week.
Joomla Knowledgebase for Joomla 1.5 will be a separate zip file from the Joomla 1.0.x version, to make it compatible with the Joomla 1.5 installer in non-legacy mode. Other than the installation XML file the two zip files are (almost) identical (some things like the free add-ons might differ between the two, to make best use of the new plugin implementation in Joomla 1.5).
Joomla Knowledgebase for Joomla 1.5 will be automatically added to your myJoomla.com account when released.
Remember you can download JoomlaKB updates for free (after initial purchase) from https://secure.myjoomla.com
Have a great weekend - I’m swapping islands and returning home for a few days…
Phil.
Posted in Joomla 1.0.13, Joomla 1.5, Joomla Knowledgebase | No Comments »
November 15th, 2007

We are pleased to announce that Joomla Knowledgebase, our latest Joomla Component has just been released (in beta).
Joomla Knowledgebase is a fully integrated content management system suitable for a wide range of content-based solutions. With commenting, file attachments and a speedy xAJAX admin interface, Joomla Knowledgebase is a must for any serious Joomla website.
Read more about Joomla Knowledgebase on its own site »
Posted in Announcements, Joomla 1.0.13, Joomla Knowledgebase | No Comments »
July 25th, 2007
Stop asking me
:-) We have tested and are happy that all our components currently work without issues on the recently released Joomla 1.0.13.
Posted in Joomla 1.0.13 | No Comments »
July 23rd, 2007
Ever since the inception of Mambo/Joomla, the passwords of admins and users have been stored in the database as a plain, unsalted MD5 hash.
In Joomla 1.0.13 (about time too!) this has changed. A random salt is now generated for each password, the password is MD5-hashed together with that salt, and the resulting hash and the salt are both stored in the database.
This means that Joomla 1.0.13 breaks backwards compatibility with itself (you can't downgrade to anything before Joomla 1.0.13, because older versions cannot validate the salted hashes) and with some extensions such as Community Builder and forum bridges!!
Basically, any third-party component that reads, writes or validates the password of an admin or user will now FAIL in Joomla 1.0.13 unless it is updated to understand the new format.
Salting passwords is a good security step and we praise the core team for doing it. HOWEVER, no announcement has been made, no blog post has been written and users are in the dark. Remember, this means you can NEVER DOWNGRADE your site if you have problems, so make sure you MAKE A BACKUP before upgrading to Joomla 1.0.13 - you have now been warned!
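An added example (Python, not Joomla's own PHP) of the two storage formats and of the login check an extension needs in order to keep working against both. The stored layout "hash:salt", with the hash being MD5(password + salt), is the one Joomla 1.0.13 and 1.5 write; the function names and the sample password are constructed for the illustration, and the choice to let the updated check accept old unsalted rows as well is an assumption of the example, not a statement from this post.

```python
"""Unsalted vs salted MD5 password storage, and why un-updated extensions break.

Added illustration, not Joomla code. Stored column formats:
  pre-1.0.13:  "<md5(password)>"
  1.0.13+:     "<md5(password + salt)>:<salt>"
"""
import hashlib
import hmac
import secrets


def hash_password_legacy(password):
    """Pre-1.0.13 storage: bare MD5 of the password, nothing else."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_password_salted(password, salt=None):
    """1.0.13+ storage: MD5(password + salt), kept in the column as "hash:salt".
    A fresh random salt is generated when none is given (Joomla generates a
    16-character random string; 8 random bytes as hex gives the same length)."""
    if salt is None:
        salt = secrets.token_hex(8)
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def verify_password(password, stored):
    """Updated login check. Accepting both formats is this example's assumption:
    a row with no ':' is treated as an old unsalted hash, anything else as
    "hash:salt". The comparison is constant-time."""
    if ":" in stored:
        digest, salt = stored.split(":", 1)
        candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    else:
        digest, candidate = stored, hash_password_legacy(password)
    return hmac.compare_digest(candidate, digest)


def legacy_component_check(password, stored):
    """What an un-updated third-party component (forum bridge, Community
    Builder, ...) effectively does: compare md5(password) with the whole column.
    Correct for old rows, always False for salted ones."""
    return hash_password_legacy(password) == stored


if __name__ == "__main__":
    # Two users who chose the same password: identical column values under the
    # old scheme (one cracked hash exposes both), distinct values once salted.
    print("legacy  user A:", hash_password_legacy("s3cret"))
    print("legacy  user B:", hash_password_legacy("s3cret"))
    print("salted  user A:", hash_password_salted("s3cret"))
    print("salted  user B:", hash_password_salted("s3cret"))
    salted = hash_password_salted("s3cret")
    print("updated check :", verify_password("s3cret", salted))
    print("old component :", legacy_component_check("s3cret", salted))
```

The last two lines of the demo are the compatibility break described above: the same stored row authenticates under the updated check and fails under code that still expects a bare MD5.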
Posted in Joomla 1.0.13, Rants, Security | No Comments »
July 23rd, 2007
This weekend a silent release of Joomla 1.0.13 was made by the core Joomla team. This release has several security fixes, a regression in the Itemid handling and a MAJOR change in the way passwords are stored in the database (more about this below).
On the same day the core team announced Joomla 1.5 RC1 in a blaze of publicity, Joomla 1.0.13 received no announcement of its own, no fanfare and no blog post.
The Joomla team have come under quite a lot of criticism from within their own Quality and Testing (Q&T) team regarding the timing of the Joomla 1.0.13 release; one Q&T team member is quoted as saying that vulnerabilities may still exist in Joomla 1.0.13!!!
Posted in Announcements, Joomla 1.0.13, Joomla Core | No Comments »