Support

Admin Tools

#26769 Patch for AdminTools of newest security issue from 14.12 maybe for Joomla 2.5.27 available?

Posted in ‘Admin Tools for Joomla! 4 & 5’
This is a public ticket

Everybody will be able to see its contents. Do not include usernames, passwords or any other sensitive information.

Environment Information

Joomla! version
n/a
PHP version
n/a
Admin Tools version
n/a

Latest post by on Thursday, 19 January 2017 17:17 CST

deeno
Dear team, does an old Joomla 2.5.27 with AdminTools 2.6.2 have protection from the latest Joomla security issue reported on 14.12? We have a problem with a certain website of a customer we cannot update, because a custom extension breaks... Any help/info/workaround is greatly appreciated! All best, Konstantinos

nicholas
Akeeba Staff
Manager
No. We have discontinued support for Joomla! 2.5 in February 2015. The Joomla! security issues reported after that (October 2015, December 2015 and December 2016) are not addressed by the old versions of Admin Tools. Moreover, since we have discontinued support, we will not be backporting these features to the old versions.

Joomla! 2.5 has been end of life since December 31st, 2014. If you couldn't afford to upgrade the site in the past two years then maybe it's a site not worth maintaining and protecting. If it was you would have assessed the risk of running outdated software as far more costly than the upgrade and already upgraded the site.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

deeno
thanks for the quick reply. sometimes its unfortunately only in the hand of the customer to decide...

nicholas
Akeeba Staff
Manager
My comment was meant for the client's stance against their site. I know that web professionals are always suggesting an upgrade. We've been there, done that, we know exactly what will happen when the site is not upgraded. Well, you can't fix stubborn clients but you can charge them rush fees when they decide to upgrade way too late for comfort.

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

deeno
thanks for the quick reply. sometimes its unfortunately only in the hand of the customer to decide...
what about J3.4.8? same problem, cant update

nicholas
Akeeba Staff
Manager
You can run Admin Tools 4.0.2 on Joomla! 3.3.0 and later, including Joomla! 3.4.8. Admin Tools 4.0.2 was already preventing against the security issues fixed between November and December 2016.

Please note that the two security fixes in Joomla! 3.6.5 were mostly of the "you can hack yourself" variety. One bug had to do with the way the internal Joomla! ACL API returns values to third party extensions. That was responsibly reported through the encrypted JSST contact form and fixed by yours truly. It can only affect third party extensions in some rare circumstances.

The other bug was that you could set the Users component's options to set the default User Group to Manager, Administrator or even Super User! That would allow anyone to self register an account and immediately get backend access to your site. That was irresponsibly reported by JoomlaWorks publicly on Twitter and fixed by the JSST. Frankly, a site owner would have to be dumber than Jim Carrey's character in Dumb & Dumber to do that and isn't really a security issue. However, since it was publicly reported the JSST had to fix it and call it a "security issue".

The real problem was what was fixed over a month ago in 3.6.4. That was a nasty issue which could allow an attacker to manipulate the front-end user self-register form to create a privileged account due to the use of some legacy code in Joomla! 3. This is a security issue which probably doesn't affect Joomla! 2.5 but nobody really knows so the security advisory covers every possible Joomla! version where this code might be present: 1.6.0 to 3.6.3 inclusive. That was mostly addressed since Admin Tools 3.8. Admin Tools 4.0.2 added extra protection for another attack vector which we haven't seen in the wild, would be completely impractical (can't be automated). In any case it is a valid attack vector, however improbable, so we are defending against it too. Better be safe than sorry!

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

deeno
great explanation! euxaristw!

nicholas
Akeeba Staff
Manager
You're welcome :)

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷Greek: native 🇬🇧English: excellent 🇫🇷French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

System Task
system
This ticket has been automatically closed. All tickets which have been inactive for a long time are automatically closed. If you believe that this ticket was closed in error, please contact us.

Support Information

Working hours: We are open Monday to Friday, 9am to 7pm Cyprus timezone (EET / EEST). Support is provided by the same developers writing the software, all of which live in Europe. You can still file tickets outside of our working hours, but we cannot respond to them until we're back at the office.

Support policy: We would like to kindly inform you that when using our support you have already agreed to the Support Policy which is part of our Terms of Service. Thank you for your understanding and for helping us help you!