
brian.teeman.net: Joomla 1.5.15 released | Joomla GPS - brian.teeman.net

  • JoeJoomla · 1 month ago
    I wonder how many people are hesitating to start new Joomla! sites in anticipation of a 1.6 release? I'm not waiting for 1.6. The current Joomla! cms is the best system there is out there. Clients don't always care what's under the hood as long as their site does what they need it to do and is secure.
  • Brian Teeman · 1 month ago
  • ruigato · 1 month ago
    Since I saw your presentation, remembering that I could see information via the xml installation files was very handy.

    Guess that trick is over.
  • Mathias · 1 month ago
    >> Note the fix provided in the new htaccess.txt is far more advanced, and better, than the one I initially proposed

    There was a proposal to selectively block extension xml files, but apparently it was decided against:

    >> After a discussion in JBS it has been decided to go forward with more general approach
    http://joomlacode.org/gf/project/joomla/tracker... (9th comment)

    The 'general approach' chosen is to block all xml's. That fix is going to give a lot of trouble for extensions with for example xml based web services. Very drastic if you ask me, especially since we're not trying to solve a real vulnerability, but simply version numbers being exposed. Hiding those version numbers is security by obscurity, and it's not going to stop hackers from exploiting vulnerable extensions.
  • Mathias · 1 month ago
    The proper way to solve it, is to put all publicly accessible files in /media, as intended, and put denies on /components, /administrator/components etc (or even better allow these folders to be put below root). Then we can also get rid of those horrible _JEXEC checks all over, which are essentially another fix for the same problem.

    Static xml that needs to be accessible, can also go to /media, and dynamic xml generated by a component will keep working. E.g. this would fail with the current fix: JRoute::_('....somestuff&format=xml') --> somestuff/foo.xml

    The downside with this approach is that too many 3pds put their assets in components/com_foo/assets instead of the media folder. Putting .htaccess files in each /com_* would be a solution but is far from ideal.

    In any case, the current fix only applies to people who read documentation, which we all know practically no one does. If there are no perfect solutions, I'd rather keep the ability to have xml's, than gain some minor perceived security. The issue is highly overrated anyway.
  • Brian Teeman · 1 month ago
    If you spent any time on black sites you would know that the xml version exposure is one of the major tools in hacker toolkits

    I don't care how version exposure is blocked, just that it should be.
  • Klas Berlič, Bzzzz · 1 month ago
    >>"That fix is going to give a lot of trouble for extensions with for example xml based web services"

    a) this is why it is commented out by default, users should test before applying it
    b) the above is false, this will not block any XML services, it blocks just direct access to XML files (XML services and XML files are 2 different things). In fact, the only example of potential trouble we could find is sitemap.xml
  • Robert Deutz · 1 month ago
    If I read the changelog, I ask myself: Is Ian the only person working on 1.5, or is he the only one documenting the changes?

    I don't like either explanation, I hope anyone has another explanation
  • Marijke Stuivenberg · 1 month ago
    Ian is the one documenting the changes, and one of the persons who has commit access to SVN.
    The patches he commits had been worked on and tested by a group of people called the bugsquad.

    At the end of each release notes you'll find their names. If you take a closer look at the tracker items on the bugtracker of 1.5 you'll find out that there are a lot more people working on 1.5 every day!
  • AmyStephen · 1 month ago
    Oops! You posted in right before me. Cheers Marijke!
  • JoeJoomla · 1 month ago
    Ian is amazing and so are all the other active members of the Bug Squad. They aren't the only ones who make big contributions but I wanted to say how much I appreciate those guys and girls. Ian is also Canadian. I just thought I would throw that little bit of nationalistic pride in there while I am at it. :-)
  • AmyStephen · 1 month ago
    Hi Robert -

    There are a few individuals, one of which is Ian, also Mark Dexter and Kevin Devine, who have commit access for the Bug Squad.

    Anyone can submit a patch, including the reporter. Two Bug Squad members must confirm the patch fixed the problem (and didn't cause other issues.) Once that confirmation occurs, the status of the Issue is updated to Ready to Commit.

    On occasion, those with commit access retrieve all the patches on the Tracker marked "Ready to Commit", commit them to 1.5 core, and document the Change Log.

    Wilco established this process when he started the Bug Squad. Mark Dexter has added to that initial documentation with IDE Configuration guides for new squad members and explanation of the process, including a 30-minute video. You can find the material on the wiki.

    In my opinion, that process is very good. Hats off to Wilco on getting that rolling and so well documented. Also, much credit to Ian and Mark, they've taken such good care of 1.5 and welcomed new contributors, working very hard to get good information to them.

    I recommend a tour of Bug Squad Duty for everyone. Excellent experience.

    Amy
    PS - Are we ready for our First EVA International Joomla! Conference? :)
  • Klas Berlič, Bzzzz · 1 month ago
    Can you elaborate a little what is that you don't agree with?
  • AmyStephen · 1 month ago
    Me? I don't disagree - I was explaining to Robert how the Bug Squad is organized and why Ian's name is the only one listed in the Change log. Sorry for the confusion!
  • Klas Berlič, Bzzzz · 1 month ago
    Something went wrong here... probably me hitting the wrong Reply :) I was asking Robert about "I don't like both explanations, I hope anyone has an other explanation"
  • sammy · 1 month ago
    Guys,

    The new .htaccess code

    <Files ~ "\.xml$">
    Order allow,deny
    Deny from all
    Satisfy all
    </Files>

    included in 1.5.15 blocks the sitemap.xml file which many users will use for Google.
    Could be an idea to write a rule to allow google to crawl the sitemap.xml file or create a new .htaccess file with the above code and upload it to the /administrator/ directory to protect the version number exploit issue.
    Thanks
    Sammy
  • Klas Berlič, Bzzzz · 1 month ago
    <Files sitemap.xml>
    Allow from all
    Satisfy all
    </Files>

    Put this after the general rule above.
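The "trick" ruigato mentions, sammy's sitemap.xml breakage and Klas's exception rule all come down to one question: which .xml files does the web server hand out directly? The script below is an added example, not code from this thread or from the Joomla project. It reads the name and version straight out of a Joomla 1.5 extension manifest the way a scanner would, and doubles as a regression check to run against a site before and after the htaccess.txt rule is enabled: extension manifests should come back blocked, sitemap.xml should still be readable. The extension names and paths are assumptions for illustration; the HTTP fetch is passed in as a callable so the logic also runs offline against constructed responses.

```python
"""Probe a Joomla 1.5 site for directly readable extension manifest XML files.

Added example, not part of the original thread or of Joomla. The manifest
paths below are hypothetical; a real probe would use a wordlist of installed
extensions. fetch(url) must return (status, body).
"""
import xml.etree.ElementTree as ET
from urllib.error import HTTPError
from urllib.parse import urljoin
from urllib.request import urlopen

# Hypothetical manifest paths (assumed names); sitemap.xml is included because
# the general rule blocks it and the exception rule must let it through again.
CANDIDATES = [
    "components/com_foo/foo.xml",
    "administrator/components/com_foo/foo.xml",
    "modules/mod_bar/mod_bar.xml",
    "plugins/content/baz.xml",
    "sitemap.xml",
]


def manifest_version(xml_text):
    """Return (name, version) from a Joomla manifest, or None if the document
    is not a manifest (a sitemap, an error page, garbage)."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return None
    if root.tag not in ("install", "extension"):  # 1.5 uses <install>, 1.6 <extension>
        return None
    name = root.findtext("name", default="").strip()
    version = root.findtext("version", default="").strip()
    return (name, version) if version else None


def http_fetch(url, timeout=10):
    """Real fetcher for use against a live site; returns (status, body)."""
    try:
        with urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except HTTPError as e:
        return e.code, ""


def probe(base_url, fetch=http_fetch, candidates=CANDIDATES):
    """Map each candidate path to one of: 'blocked' (401/403), 'missing' (404),
    'exposed:<name> <version>' (manifest readable) or 'readable' (200 but not
    a manifest, which is what sitemap.xml should report)."""
    findings = {}
    for path in candidates:
        status, body = fetch(urljoin(base_url, path))
        if status in (401, 403):
            findings[path] = "blocked"
        elif status == 404:
            findings[path] = "missing"
        elif status == 200:
            info = manifest_version(body)
            findings[path] = f"exposed:{info[0]} {info[1]}" if info else "readable"
        else:
            findings[path] = f"status {status}"
    return findings


def exposed(findings):
    """Paths whose manifest leaked a version number."""
    return sorted(p for p, f in findings.items() if f.startswith("exposed:"))


# Constructed responses standing in for a site under the three configurations
# discussed in the thread: no rule, the 1.5.15 rule alone, rule plus exception.
_MANIFEST = ('<?xml version="1.0"?><install type="component" version="1.5.0">'
             '<name>Foo</name><version>1.2.3</version></install>')
_SITEMAP = ('<?xml version="1.0"?>'
            '<urlset xmlns="http://www.sitemaps.org/schemas/sitemap/0.9"></urlset>')


def fake_site(block_xml, allow_sitemap):
    """Return a fetch callable simulating the .htaccess variants."""
    files = {"components/com_foo/foo.xml": _MANIFEST, "sitemap.xml": _SITEMAP}

    def fetch(url):
        path = url.split("/", 3)[3]  # strip scheme://host/
        if path not in files:
            return 404, ""
        if block_xml and not (allow_sitemap and path == "sitemap.xml"):
            return 403, ""
        return 200, files[path]
    return fetch


if __name__ == "__main__":
    for label, fetch in [("no rule", fake_site(False, False)),
                         ("1.5.15 rule only", fake_site(True, False)),
                         ("rule + sitemap exception", fake_site(True, True))]:
        print(label, probe("http://example.invalid/", fetch))
```

Against a live site, call `probe("https://your-site/")` with the default fetcher and check that `exposed()` is empty and that `sitemap.xml` reports `readable`; with the general rule alone it will report `blocked`, which is exactly the breakage sammy describes, and Klas's `<Files sitemap.xml>` exception should turn it back into `readable` without re-exposing the manifests.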
  • Mike Feng · 1 month ago
    Hmm how sure are you that this is the last release before 1.6? From different discussions elsewhere and the google groups, I'm under the impression 1.6 won't be officially available within a year.
  • Brian Teeman · 1 month ago
    Mike - check all my previous Joomla 1.5 release posts. I've said the same thing each time ;)

    2009/11/10 Disqus <>
  • Mike Feng · 1 month ago
    lol :D