Joomla 3.6.4 security release - Update Your Sites Immediately

Started by ssc3, October 31, 2016, 10:35:34 AM

Previous topic - Next topic

ssc3

Doesn't seem to be reported elsewhere on this forum, but Joomla 3.6.4 is a critical security release.

This update fixes a bug that allows a user to register on a website with elevated privileges.

Affects Joomla! 3.4.4 through 3.6.3

From the Joomla Website

Joomla! 3.6.4 is now available. This is a security release for the 3.x series of Joomla! which addresses two critical security vulnerabilities and a bug fix for two-factor authentication.

We strongly recommend that you update your sites immediately.

This release only contains the security fixes and bug fix; no other changes have been made compared to the Joomla! 3.6.3 release.

https://www.joomla.org/announcements/release-news/5679-revised-assessment-of-3-6-4-security-release.html
Virtuemart Payment Plugins
https://plugins.online-store.co.uk

jjk

And for those who can't update their Joomla 3.x website immediately to Joomla 3.6.4 for one or the other reason, there is a plugin in the Joomla extension directory which provides a temporary first aid security fix: https://extensions.joomla.org/extensions/extension/access-a-security/account-blocker
Non-English Shops: Are your language files up to date?
http://virtuemart.net/community/translations

jenkinhill

Probably already too late for many. I have been asked to look at 3 sites over the weekend, all three of which had been found to have new administrators registered. There were four new admins on one of the sites, one of whom, according to the access logs, had been busy. Two of the sites were on J3.6.2 and one was on J3.6.3, the owners thought they would "leave it to the weekend" to update. I gave them some advice about security and suggested they revert to whatever backups they had and ensure that J! and all extensions were up to date before going back on-line.

So if you have not yet updated, check the user list!
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

AH



It would be better if joomla did this as it would then benefit all users not just those of VM

Why dont you consider putting this to the joomla team.

Posting advisories on things that are related to operating systems seems somewhat out of scope (Dirty Cow)
Regards
A

Joomla 4.4.5
php 8.1

jenkinhill

Only one of the sites I looked at was a VM site, so I agree that this should be a Joomla facility. All three had received frequent emails from the  System - Joomla! Update Notification plugin, so maybe that plugin could be adapted to also flag up a security warning to the site owner. Not a VM problem, though.
Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Studio 42

Hi all,i can confirm that this is a real big vulnerability !
I had a customer site with 4 new administrator accounts in 1 day !
So use JJK github plugin or update IMMEDIATELY your web sites!!!!

Milbo

lol it is not a vulnerability, it is just an open door. ;-) or at least a leak!

I try to write an analogie. Imagine there is a villa with a firm door in the front, but the gate to the garden is open (opensource). You just go in the garden and there is a door to the basement. The door has an hole for the key, but not lock behind it. So it was enough, just to put in the finger and pull.

and remember when we had the theoretical vulnerability in the same area? We had a shitstorm. We got accused that we would not know how todo it right and all that shit. I told them already that time how to close the vulnerability.

A vulnerability is exactly a security bug, which is usually NOT exploitable. If it is easy to exploite, we call it a leak ! When we had our vulnerability, that you can set the "isAdmin" internal JUser variable to "true" by form, I told them, that this is a architectural security issue. The juser object must be safe by itself. It cant be true that a small error opens the whole installation.

No, they insisted, that it is our error and they have todo nothing against it. One guy wrote at golem (german nerd news magazine), that joomla does not consider unexploitable vulnerabilities as problem. But that is a problem, because that way we never will have a secure system.

We often prevented security leaks of joomla by VM itself. But this time, it was not possible without extra plugin. The devs of community builder provided a plugin, which redirects any registration to CB and so any CB installation with active plugin is secure.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Studio 42

It's a full vulnerability, the hacker can do administrator accounts and change the orders status.
If you prefer, i have do a screenshot before removing the accounts and protected the website.(i don't full manage this site)

Milbo

Patrick, just reread again, your answer makes not really sense.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/

Studio 42

Sorry max, I'm perhaps not the best in english, but i know what is a vulnerability.
Check in all english dictonary, it's exactly one of the definition :  "Susceptible to attack" , "open to assault; difficult to defend:", SO when you say an open door, it's a vulnerability by definition !
and the word mean the same in French, perhaps not in German ?

Jumbo!

"I've found a simple way to self register users to a Joomla website from 1.6 to the latest 3.6, despite the user auto registration feature has been disabled.
This allows an attacker to gain Registered access level (or a different level, based on the configuration) and to see content reserved to manually registered and trusted users."
- http://www.fox.ra.it/technical-articles/how-i-found-a-joomla-vulnerability.html

jenkinhill

Kelvyn
Lowestoft, Suffolk, UK

Retired from forum life November 2023

Please mention your VirtueMart, Joomla and PHP versions when asking a question in this forum

Milbo

Exactly and when you can exploit a vulnerability, it is a leak. The joomla guys see it so, that they have not a problem with a vulnerability as long it cannot be exploited. If someone finds a way to exploit it, regardless how difficult, they handle it as security problem. But they do not handle not exploitable vulnerabilities. But not exploitable vulnerabilities means that the code is just waiting for a change, which makes the vulnerability exploitable.

Patrick, just think about why you say "To exploit a vulnerability"
https://en.wikipedia.org/wiki/Vulnerability_(computing)

As you can see, there are a lot definitions for it.

I just follow this definitions:
ENISA defines vulnerability in[10] as:
The existence of a weakness, design, or implementation error that can lead to an unexpected, undesirable event [G.11] compromising the security of the computer system, network, application, or protocol involved.(ITSEC)
The Open Group defines vulnerability in[11] as:
The probability that threat capability exceeds the ability to resist the threat.

Because when I want to express that the vulnerability is exploitable, I can directly call it a leak. From my viewpoint it is just sloppy talk to mix vulnerability with leak.
Should I fix your bug, please support the VirtueMart project and become a member
______________________________________
Extensions approved by the core team: http://extensions.virtuemart.net/