Serious Joomla security hole

Ray Penalosa

In case you haven’t heard, Joomla versions 2.5.x and 3.1.x have a big security hole that will allow any user who browses your site to upload malicious PHP files regardless of their permissions.

Joomla is a Content Management System (CMS) that can be installed on a web site. It isn’t part of your hosting account by default, so if you haven’t installed it, you are not at risk for this particular security issue.

Joomla already has a filtering mechanism to prevent files with certain extensions from being uploaded through the application. However, the bug allows files with a trailing dot ( . ) to bypass that filter. Therefore, someone can create a file with a .php extension, add a period at the end, and the malicious file will be uploaded, after which the server will process it as a PHP application. For example, normally Joomla will not allow a file called somefile.php to be uploaded. However, somefile.php. (with a trailing dot) can be uploaded to the affected versions.

Versafe, an online fraud protection company, discovered this serious exploit. If your Joomla application becomes compromised, it can either become a phishing site, redirecting browsers to a malicious site that steals personal information, or become a repository for malware and Trojan programs, infecting anyone who visits that page.

Resolution

To solve this problem, download the latest version of Joomla and upgrade to it. If upgrading is not an option for you, you can include a line of code that will automatically strip the trailing dot ( . ) from the file name before the upload begins, so the upload cannot bypass the media management filtering mechanism.

The file you will need to modify is file.php, located under Libraries/Joomla/FileSystem. Within the makeSafe function, add the line:

// Remove any trailing dots, as those aren't ever valid file names.
$file = rtrim($file, '.');

If this line already exists under file.php, then the exploit has been closed and your Joomla application should be immune from this security hole.
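To make the bypass and the fix concrete, here is a small added PHP illustration of the filtering logic; it is not Joomla’s own code and is deliberately simplified (the real makeSafe also strips other unsafe characters). The function names, the blocked-extension list and the sample file names are all assumptions made up for this example. It runs the same extension check with and without the trailing-dot normalisation, and includes a helper you can run over the names in an existing upload directory to spot files that slipped through before the fix was applied.

```php
<?php
// Added example, not Joomla code: a simplified upload extension filter,
// shown before and after the trailing-dot fix described in the article.
// Names and the extension list below are constructed for illustration.

// Constructed list of extensions the filter should reject.
const BLOCKED_EXTENSIONS = ['php', 'phtml', 'php3', 'php5', 'phps', 'pl', 'py', 'sh'];

// Extract the extension the way a naive filter does: everything after the last dot.
function extensionOf(string $name): string
{
    $pos = strrpos($name, '.');
    return $pos === false ? '' : strtolower(substr($name, $pos + 1));
}

// Vulnerable check: "somefile.php." yields an empty extension, so the filter
// allows it even though the server may still treat the stored file as PHP.
function isAllowedVulnerable(string $name): bool
{
    return !in_array(extensionOf($name), BLOCKED_EXTENSIONS, true);
}

// Simplified stand-in for Joomla's makeSafe(), containing only the line the
// article tells you to add (the real function does more sanitising).
function makeSafe(string $name): string
{
    // Remove any trailing dots, as those aren't ever valid file names.
    return rtrim($name, '.');
}

// Hardened check: normalise the name first, then apply the same extension test,
// so "somefile.php." is examined as "somefile.php" and rejected.
function isAllowedFixed(string $name): bool
{
    return !in_array(extensionOf(makeSafe($name)), BLOCKED_EXTENSIONS, true);
}

// Audit helper: given the file names already present in an upload directory
// (for example from scandir()), return the ones the hardened check would have
// blocked. Useful for finding uploads that got through before the fix.
function flagSuspiciousUploads(array $names): array
{
    return array_values(array_filter($names, fn(string $n): bool => !isAllowedFixed($n)));
}

// Constructed sample uploads: a legitimate image, a plain PHP file, and the
// trailing-dot variants the article describes.
$samples = ['photo.jpg', 'somefile.php', 'somefile.php.', 'somefile.php...', 'notes.txt'];

foreach ($samples as $name) {
    printf("%-17s vulnerable filter: %-8s fixed filter: %s\n",
        $name,
        isAllowedVulnerable($name) ? 'allowed' : 'blocked',
        isAllowedFixed($name) ? 'allowed' : 'blocked');
}

echo "Flagged for review: " . implode(', ', flagSuspiciousUploads($samples)) . "\n";
```

With the samples above, the vulnerable filter lets somefile.php. and somefile.php... through while the fixed filter blocks them, and the audit helper reports both trailing-dot names together with somefile.php. If you cannot upgrade right away, running the audit step against your images or media folder is a quick way to check whether anything suspicious already landed there.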

What DiscountASP is doing

On our end, as of today we have updated our Web App Gallery to the latest version of Joomla that already has this patch. Therefore, if you downloaded and installed your Joomla application through our Web App Gallery today, your Joomla application should be protected from this exploit.

However, this security hole is considered to be a “Zero-day exploit” which means that the vendor of the application was unable to react before millions of Joomla applications became susceptible to the security threat. If your site runs the affected versions of Joomla, the chances that your web application is vulnerable to this threat are high and you should take immediate action.

I also encourage you to read these articles for more details on the Joomla exploit.

http://www.versafe-login.com/?q=versafe-discovers-critical-joomla-exploit

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=31626

http://www.thewhir.com/web-hosting-news/joomla-users-urged-to-apply-critical-security-patch-to-prevent-malware-phishing

DiscountASP.NET Sponsors Austin Code Camp 2013

Calvin Wong

Austin Code Camp 2013 happens this Saturday, August 17th.

DiscountASP.NET is proud to sponsor this event, now in its 7th year. The event is completely free! So go learn, go mingle!

There will be a ton of great talks. You can get the full schedule here.

Our friend Chander Dhall, who joined us in a recent Google Hangout On Air session, will be giving his presentation on “10 things Every Developer Must Know”. If you missed the Hangout, you can see it here:

http://www.youtube.com/watch?v=dDkL9HuegoY

Free ASP.NET 4.5.1 Sandbox Hosting in DiscountASP.NET Labs

Michael Ossou

There are only a handful of blog posts that I truly get excited about writing, and they are always related to the same thing: the next version of ASP.NET.

It’s that time again and Microsoft recently announced ASP.NET 4.5.1. We all know the release cadences for various products that revolve around ASP.NET are starting to change and come more often, but this is the one everybody waits for.

Well, it’s here and we are excited to offer a free Beta sandbox for everyone to try. Most of you know we are fans of doing these open Beta programs because we want to support the ASP.NET community. So there is no need to wait for the mound of goodness that is ASP.NET 4.5.1, because we have a Windows 2012 R2 sandbox waiting for you.

To sign up head on over to our DiscountASP.NET Labs Site at http://labs.discountasp.net

You can see the complete feature list in the link above, and it’s a home run. The two things I’m personally most excited about are Async Aware Debugging and App Suspension.

August Updates

Ray Huang

We’ve updated our Web Application Gallery to include the latest version of your favorite Content Management Systems.

Please note that some of the updated versions require that your account be hosted on Windows 2012 and IIS8, which offers the ASP.NET 4.5 Framework, in order to run. You can upgrade your account for free in Control Panel.

  • Acquia Drupal 7.22.23
  • BlogEngine.NET 2.8.0.2
  • DotNetNuke 7.1.0 Community Edition
  • Gallery Server Pro 3.0.1
  • Joomla 3.1.1
  • Kentico CMS for ASP.NET 7.11
  • KoobooCMS 4.1.1
  • mediaWiki 1.21.1
  • mojoPortal 2.3.9.7
  • MonoX 4.8.40.4598
  • Moodle 2.5.1
  • nopCommerce 3.10
  • Orchard 1.6.1
  • Umbraco CMS 6.1.3
  • WordPress 3.5.2

Your July SoCal Code Camp Report

Michael Ossou

When I woke up at 5:45 am this past Saturday, I had two thoughts. The first was relief from the fact that I didn’t immediately die from waking up that early. The second was my concern that the light drizzle would affect the SoCal Code Camp attendance.

Well I didn’t die, it didn’t rain, and the devs came out in full force. Over 100 sessions were given. That’s right. Over 100. Every topic relevant to people who craft code was covered. There were some awesome sponsors including some guys from redgate who, incidentally, have an office just a few blocks from us.


If you haven’t attended a code camp or user group meet, you really should. The speakers are fantastic. What really makes these events special though is the attendees. Everyone with an interest in a particular topic huddles together and starts talking.

What makes these conversations so interesting is the fact that no one works for the same company. There is a lot of insight to be gained and shared from these exchanges because everybody comes to the conversation having looked at things through a different lens.

I only managed to attend 3 sessions as my primary purpose for being there was to meet with some of our customers and talk to them. I was also there to answer any questions people may have had about our services.

I really enjoyed all 3 sessions, so it’s really hard to pick a stand out, but Chander Dhall’s “10 things Every Developer Must Know” was fantastic. This isn’t a checklist gimmick; it’s very useful content. If you ever have the opportunity to attend his talk, it’s an absolute must.

I also really enjoyed Daniel Lewis’ introduction to NancyFX. He created a collaborative session with everyone in attendance sharing. Ben Moro from Neudesic also did a fantastic job during his Google Glass & node.js session. It was a lot of fun and a great way to end the day.

I’m sorry I couldn’t attend any of the others. Hopefully next time I can and hopefully more people will join us at http://www.socalcodecamp.com


IE MVM – And the Award Goes To…

Calvin Wong

The Inland Empire .NET User Group’s Most Valuable Member Awards Event, held this past July 9th, was a good time!

This was the 6th year the IE User Group recognized the three members who contributed the most to the .NET community. James Johnson, the founder and President of the IE group, put on a great party.

This year’s winners were:

  • Most Valuable Member: Daniel Lewis
  • 1st Runner Up: Ayyappan Nagender
  • 2nd Runner Up: Dustin Davis

Congratulations to the winners! We look forward to continuing to work with James and supporting the Inland Empire .NET group!

Left to Right: Ayyappan Nagender, James Johnson and Daniel Lewis
MVM Daniel Lewis and his Marvel-ous code.
William, James’ son, performing live music.

DiscountASP.NET Sponsoring SoCal Code Camp in San Diego

Calvin Wong

DiscountASP.NET is sponsoring the SoCal Code Camp this coming weekend, July 27th and 28th.

The SoCal .NET group holds three Code Camps every year, one in Fullerton, one in Los Angeles, and this one in San Diego. We love these events and have sponsored them for years now.

Being in the So Cal area ourselves, it gives us the opportunity to attend and meet our customers face to face. This year, Michael Ossou and Takeshi Eto are going to be there! They’ll be introducing developers to our new product, Snapp (now open with free Beta). Be sure to swing by our table to meet them!

If you’re not going, why not? SoCal Code Camp is a free event where your developer peers present on a range of topics. You’re sure to find many interesting and educational sessions to attend!

Ten years

Michael Phillips

We don’t always agree on everything around here.

Which is good, because my philosophy has always been: if everyone agrees with you, you might be wrong.

Which brings me to Takeshi’s post, Ten Years of Innovation and Firsts: Part I. It’s a great post, but I wanted to use a different image…

decade-of-dominance

Just saying.

😉