Joomla SQL-Injection Flaw Affects Millions of Websites (trustwave.com)
An anonymous reader writes: Joomla has just issued a patch that fixes a SQL-injection vulnerability discovered by a researcher at Trustwave SpiderLabs. The flaw allowed malicious users to extract a browser cookie assigned to a site's administrator, giving them access to restricted parts of the server. The flaw first appeared in Joomla 3.2, released in November 2013. An estimated 2.8 million websites rely on Joomla. The Joomla team and the researcher who found the flaw recommend an immediate update to version 3.4.5.
Preventing SQL injection attacks is trivially easy with very modest understanding of what you're doing.
Suggesting that they ditch one technology for another as a cure-all makes you part of the problem. Rather than try and understand what is going on, you'd rather have a language and/or framework handed to you that promises to solve everything. It is this mindset that results in pants-on-head stupid bugs to reach production.
It's not easier.
But objectively speaking, bad coders write bad code no matter what kind of database or programming language you give them. They mess up
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
nice, encoding fail. There is a trade-mark character at the end of that post.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
If you want a proper setup it should be nodejs with a websocket handling data flow
A websocket to whom, the client? The client surely is not a javascript-enabled browser, since everyone with a brain in their heads disables that shit on day one.
PHP is unable to broadcast data between clients or to specific clients from another client
??????????????
Do you actually have any idea what you're talking about? This sounds completely out of touch with the web.
Lol, I just love sweeping statements like this, made under "Anonymous Coward", of course.
Just cruising through this digital world at 33 1/3 rpm...
Today I learned that I write more secure code than all of the fucking coders at Joomla put together.
A decent sized company with loads of resources, lots of code reviews, using Agile, Scrum, Waterfall, SuckMyPecker, and (supposedly) staffed with experienced programmers, and they STILL fuck it up.
Just cruising through this digital world at 33 1/3 rpm...
Oh wow! If only you could somehow filter out injection attacks!
I know...if only there was a way. But we all know it's totally impossible to do, so we might as well get used to it.
Just cruising through this digital world at 33 1/3 rpm...
You do know the reason why PHP CMSes like Wordpress are ridiculously popular is that it is dead easy to find a host that already runs PHP and MySQL, right? Most of those installs aren't owned by developers. They're owned by regular people.
Non impediti ratione cogitationus.
Schlitzpunkt
I think you mean Solidusfullstop.
Fine, but in the real world, more often than not you inherit large SQL databases, and programs that are written to use these databases.
Now, are you telling me that you'd want to undo an entire company's database structure over a problem that can be prevented with proper filtering? Note that you're not getting paid any extra to do this, hardly anyone is going to appreciate your effort, and if ANYTHING goes wrong it's YOUR fault.
If you get a chance to build something from scratch, I'm all for a current setup...but in the real world that I live in, you still have to work with SQL databases, and they're perfectly capable, provided you access them correctly.
Just switch to Plone and sleep easier at night. A little out of date figures, but in the time Joomla had 441 exploits, Plone had 9.
https://plone.org/products/plo...
-Matt
Watch out, maybe his last name is "is".
You most likely don't have the same user base as Joomla or Wordpress. I'm sure someone would find holes in your code given enough attention.
What's with all the anonymous wankers beaking off about PHP vs Node, or JavaScript in general, when it's a server-side parsing of input that leads to the vulnerability? WebGoat was written as an on-purpose vulnerable web app for learning on, maybe some of you should download it and Burp or ZAP and do some self-education. OTOH, I'm sure someone would look at WebGoat, and respond with, "OMG, Java is teh suckz!"
PHP has nothing to do with it. PHP is just as secure / insecure as any other language. It's the fact that PHP is easy to learn, easy to use and easy to deploy that attracts many people, including noobs. It's the noobs that cause the problems.
To prove that PHP can be used to create a rock solid and secure website, take a look at the Banshee PHP Content Management Framework. I dare you to try it. You will be surprised by its security, flexibility, easiness and speed.
It doesn't have to be like this. All we need to do is make sure we keep talking.
Not to mention that WordPress is by now probably the most widely-deployed self-updating system short of Windows.
Serious security vulnerabilities in core like this (which with WP are now very rare indeed, because WP core developers are competent and serious) get fixed on most users' machines within hours of the fix being published.
There are many, many problems with plugins and themes still, but for the most part these issues would exist with any system architected and developed with community code; WP developers are bearing the brunt of the idea of community code, and doing quite a lot to improve.
Joomla, on the other hand, I have only ever had negative experiences with.
client side:
// Assumes a jQuery-style selector, a socket.io client in `socket`, and `msg` / `Dale` (the target user) defined elsewhere
$('#sendButton').on('click', function () { socket.emit('send message', msg, Dale); });
server side:
// `sockets` is the server's collection of connected sockets; each carries a `thisuser` property set when that user logged in
socket.on('send message', function (msg, targetUser) {
  for (var i in sockets) {
    var target = sockets[i];   // the original compared `socket` (the sender) instead of `sockets[i]`, so nothing was ever delivered
    if (target.thisuser === targetUser) { target.emit('sent msg', msg); }
  }
});
This is all javascript, all of which will not execute because most users do not have such a thing enabled in their browsers. Did you even read my post before you started shooting raw liquid feces all over your screen?
So, does this only work if errors are output to the screen?
Trying to assess the impact to our client sites. We always write errors to file and not to screen.
Whoops, that was me. One side effect of auto-clearing cookies. Anyway.
I switched away from Joomla to WordPress several years ago because hackers kept banging on my virtual doors. I'm looking into switching from WordPress to a static file generator. Can't hack what doesn't have any vulnerabilities.
The bet is on! Bring it on. I double dare you!! And if you're as tough as you sound, in time you will admit you are wrong.
It doesn't have to be like this. All we need to do is make sure we keep talking.
This folks is why, just the other day, I decided to create my magnum opus. I will write, and give away, a CMS - free for the taking, truly libre in every sense of the word. I'm going to do it in uncommented Perl with as few lines as possible.
I expect to be a few months brushing up my skills but, damn it, it's going to be flat text file databases - everywhere. Imma store plain text passwords in plain text files. And I'm going to give it away.
You may think I'm kidding. I'm not. I just really, really, don't like you that much.
"So long and thanks for all the fish."
"...most users do not have such a thing enabled in their browsers."
[[Citation Needed]]
Seriously, back that shit up. You made the claim, show me some evidence. A quick Google (sorry, not my job to prove you right) says that you're full of shit and trying to weasel your way out of being incorrect by telling straight up lies. Pretty much every site that attempts to quantify this seems to indicate you're completely retarded. Try 2-4% of web users browse with JS disabled.
"So long and thanks for all the fish."
These appear to be the types of people who have just a hammer in their toolbox and insist they're able to fix anything with it. They could at least get some duct tape.
If it moves, and it shouldn't, duct tape. If it doesn't move, and it should, hammer. They'd at least broaden their horizons. Me? I can code poorly in a whole bunch of languages.
"So long and thanks for all the fish."
Take a look at the security_audit script. Run it and it will tell you what needs your attention with respect to SQL injection and cross-site scripting.
XSLT prevents XSS, because every output will be escaped by default. Printing output as it is (printing HTML tags unescaped) requires adding the XML parameter 'disable-output-escaping="yes"'. By doing so, you are clearly warned. Fuck it up and it is clearly your own stupid mistake.
SQL injection is prevented the same way. The SQL library won't accept queries with quotes. The security_audit script sees when variables (possible user input) are used to create a query string. Yes, SQL injection can be done by doing so, but if you chose to ignore the warnings, it's your own fault.
Banshee also has a good session library. Unlike the session handling in many other frameworks, this one works transparently with $_SESSION and stops session hijacking.
No, there is no reason for me to fork it. The approach is simply different from many other frameworks. Others require you to update/patch on a regular basis. In Banshee, the core libraries don't change much. They're safe and good. Just unzip the tarball, remove the default modules you don't need, add your own custom modules and the website is done. Many other frameworks allow you to run many websites with just one CMS installation. That's insane. With Banshee, every website has its own separate codebase. Who cares about a few MBs of harddisk space these days. It's harddisk space vs the certainty that my website remains stable. Updating the core CMS code because one website requires it might break others. Because of that, I happily waste a few MBs on my terabyte harddisk to gain a lot of certainty and stability.
No, Banshee is not the ultimate solution or the silver bullet. But it is rock solid, fast and proven secure. I've built many websites with it, never needed to update / patch any of them and they all run or ran for many years without any trouble or any hack. And yes, many of them have seen a lot of hack attempts. And that's worth a lot to me. No Wordpress, Drupal or Joomla user can say the same thing.
It doesn't have to be like this. All we need to do is make sure we keep talking.
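Added worked example (not from any commenter, not Joomla's or Banshee's code): the thread's summary says the Joomla flaw let an attacker pull the administrator's session cookie out of the database, and the post above describes an audit script that flags query strings built from variables. The Python/sqlite3 snippet below shows both on a constructed schema: a search function that splices user input into SQL and leaks a session row through a UNION, the same query with a bound parameter that does not, and a grep-style scanner for concatenated-query lines in PHP source. The table names, cookie values and PHP lines are all made up for the demo; the scanner is a rough stand-in, not the real security_audit script.

```python
import re
import sqlite3

# Constructed schema standing in for a CMS's tables (not Joomla's real layout).
def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER);
        CREATE TABLE sessions(session_id TEXT, user_id INTEGER);
        CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO users VALUES (1, 'admin', 1), (2, 'editor', 0);
        INSERT INTO sessions VALUES ('c0ffee-admin-cookie', 1), ('deadbeef-editor-cookie', 2);
        INSERT INTO articles VALUES (1, 'Welcome'), (2, 'Release notes');
    """)
    return db

def search_vulnerable(db, term):
    # The bug pattern: user input is spliced straight into the SQL text, so a quote
    # in `term` ends the string literal and the rest of the input becomes SQL.
    sql = "SELECT title FROM articles WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in db.execute(sql)]

def search_parameterized(db, term):
    # The fix: the driver binds `term` as data. Its quotes never reach the parser
    # as syntax, so the same payload just becomes a search string that matches nothing.
    sql = "SELECT title FROM articles WHERE title LIKE ?"
    return [row[0] for row in db.execute(sql, ("%" + term + "%",))]

# Constructed payload: close the literal, UNION in the admin's session row, comment out the tail.
ADMIN_COOKIE_PAYLOAD = "x' UNION SELECT session_id FROM sessions WHERE user_id=1 --"

# Rough stand-in for an audit script: flag source lines that contain an SQL verb and
# also splice a PHP variable into a string (". $var" concatenation or "$var" interpolation).
SQL_VERB = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
CONCAT = re.compile(r'(\.\s*\$\w+)|("[^"]*\$\w+[^"]*")')

def flag_concatenated_queries(lines):
    """Return 1-based line numbers that build a query string from a variable."""
    return [n for n, line in enumerate(lines, 1)
            if SQL_VERB.search(line) and CONCAT.search(line)]

# Constructed PHP lines for the scanner; the first two are the dangerous pattern.
SAMPLE_PHP = [
    '$q = "SELECT * FROM articles WHERE title LIKE \'%" . $_GET["term"] . "%\'";',
    '$q = "SELECT * FROM articles WHERE id = $id";',
    '$stmt = $db->prepare("SELECT * FROM articles WHERE title LIKE ?");',
    '$stmt->execute(array("%" . $term . "%"));',
]

if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input:", search_vulnerable(db, "Welcome"))
    print("vulnerable, payload:    ", search_vulnerable(db, ADMIN_COOKIE_PAYLOAD))
    print("parameterized, payload: ", search_parameterized(db, ADMIN_COOKIE_PAYLOAD))
    print("flagged PHP lines:      ", flag_concatenated_queries(SAMPLE_PHP))
```

The vulnerable search returns the admin's session cookie instead of an article title, which is the shape of impact the summary describes; the parameterized version returns nothing for the same input. The scanner only catches the obvious textual pattern (it will miss queries assembled across several lines or via sprintf), so it is a triage aid, not proof of absence.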
Woaw, you clearly know what you are talking about. Good arguments too. You must be some Code Writing Guru.
Anyway, just wanted to let you know that all my PHP based websites are running fine for many, many years. Without patching that is. And yes, they've seen a lot of hack attempts. None was successful.
Bye,
A self-trained PHP monkey
It doesn't have to be like this. All we need to do is make sure we keep talking.
any side JS is not much better.
As opposed to all the other-trained monkeys that use whatever wunderscript language their professors adored?
just wanted to let you know that all my PHP based websites are running fine for many, many years. Without patching that is. And yes, they've seen a lot of hack attempts. None was successful.
Same here...like you, I'm a "self-trained PHP monkey".
I run dozens of sites, some going back ~12 years or so. Hackers throw themselves against my sites constantly and none of them have managed to get in or run a successful exploit. Careful coding and rigorous sanitizing of incoming data is really all it takes.
Cheers!
Just cruising through this digital world at 33 1/3 rpm...
Rails is not inherently secure, and insecure Rails apps have definitely been written. Early on, though they professed their expertise, they had to be schooled on the difference between GET and POST and why one should never use GET if the action was not idempotent.
Security can be a function of a language but it doesn't end with the language. Rails has no inherent security, just libraries built with good practice.
Your true colors are showing now. You must realize, as soon as you mention RoR, any real programmer will fall over laughing at you. Nice try kiddo, pretty good troll.
Using a datastore with ZERO recovery logic (innodb) wasn't your first mistake?
You would get an object oriented database (not a particularly good one) if you googled my name with 'database'. but 'no', you had to assume I have no idea.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)