August 2008

Site Integrator: Legacy Mode in Joomla! 1.5

What is Legacy Mode and how do you using it?

Written by Andrew Eddie

The Legacy Mode is implemented in Joomla! 1.5 by way of a Plugin (remember, Plugins are the new Mambots) in the System group.

In the Administrator select Extensions -> Plugin Manager from the menu. The fastest way to find it is simply to type legacy in the Filter box and click Go.

Legacy Plugin

By default the Legacy Mode Plugin will not be enabled. Click the red-and-white X to enabled it. You will see in the Toolbar a message stating that Joomla! is now in Legacy Mode.

You actually have to turn Legacy Mode on to be able to install a Joomla! 1.0 Extension. The installer does a version check and if your Extension doesn't have a marker saying it's compatible with version 1.5, it will complain and tell you to turn Legacy Mode on.


8 Votes

40 Comments

Feed

  1. avatar Sava Alexandru makes this comment

    2008-10-21 04:30:04

    Security by obscurity ... this is the Joomla way?? I am really pissed off. My last version (up to date) of joomla was haked again with an approach closed to this (attack was made by an author but by using an entire different approach than that you are referring to)! And you are keep telling us in other articles web hosting companies are to be blamed. Shame on you.

  2. avatar Krisstoffer makes this comment

    2008-10-21 04:58:51

    Based on whats posted across both posts it would appear they made every effort to go through the proper channels but no response appears to have become apparent to them addressing if the issue is indeed a problem or not. If the issue was indeed removed as stated without an explanation i think the community would indeed if such an issue does become a problem within the current or prior versions expect an explanation as to why things appear to be not handled correctly - reviewing the phpBB lot, whom have had more than a fair shares worth of security issues they do comment on every issue presented to them be it a false one or settings dependant you know where you stand with the issue.. if its removed its very hard to accept that it isn't an issue at all..

  3. avatar Krisstoffer makes this comment

    2008-10-21 05:00:10

    While agreed the proper channels should have been chased further, when does one give up on the channels in place when trying to prevent the community from possible exposure to nasty issues..

    If anything it only shows that both 3PD developers and the Core team are not on the same level as well as the JSST is purely commenting on the actual issues (or not and patching them) and dismissing all else with the god ol delete button. Personally as a member of the Joomla! community i find it disheartening that both parties have had a failure in communication and this has escalated into what could end up damaging both parties reputation.

  4. avatar Krisstoffer makes this comment

    2008-10-21 05:00:41

    I have a lot of respect for the party above mentioned they have done a lot for the Joomla! community and a lot for Joomla! itself, i equally while not knowing as in depth anyone from the Joomla! teams(s) have that minimal respect level in place but these things should be resolved promptly, respectfully, transparent and with feedback ideals in place.

    on a side note, the limitation on comments size sucks too :P

  5. avatar brad makes this comment

    2008-10-21 05:18:01

    Sava Alexandru - this may help: http://docs.joomla.org/Security_filters_for_articles

    Security by Obscurity IS NOT security. We know and hold to this belief. If you have found a security issue with Joomla, please report it so it can be patched.

    Doing so is playing your part in the community.
    Thanks.

  6. avatar Mark makes this comment

    2008-10-21 06:07:39

    Sounds like alot of handbag stuff. I think that it should be up to the community to decide if they want to use a third party fix. I think its a shame.

  7. avatar torkil makes this comment

    2008-10-21 07:05:45

    While I agree that bringing up the security vulnerability on their blog is a less than ideal way to report such a threat, I must say that the relationship between this "company" and the Joomla project seems less than friendly right now.

    Will there really come anything good out of openly criticizing one another on your respective blogs like this? While one or both parties may be right in their argumentation, I just think that this is the wrong way to handle things.

    If someone posts a security vulnerability on their blog, contrary to security vulnerability routines, it still will not help anyone to bash one another in public.

  8. avatar Flavio Copes makes this comment

    2008-10-21 07:22:38

    Sounds like a clear lack of communication..

    This patch was in the Joomla! 1.5.8 TODO-list, but they didn't know it and so they acted this way? :O

    Sounds a bit grotesque

  9. avatar Paul Delbar makes this comment

    2008-10-21 08:37:15

    Wow - it probably took longer to write up the post bitching about this initiative than it would have taken to read and process the original signal ... and it IS a big deal. This functionality was added with default settings that are entirely unacceptable, and with hardly a mention of its existence. At what point does one take responsability and stop waiting for the core team to react ?

  10. avatar Allrude makes this comment

    2008-10-21 08:38:42

    mark yore also free to fix your electricity with a none isolated tool, and if everybody does that there will be no community left.

  11. avatar Sami Mattila makes this comment

    2008-10-21 08:56:07

    I can see both sides of the issue. As a Joomla InternetServiceProvider (ISP) I would like to see a way in wich our (ISP's) conserns are being paid attention. Our company does not (as yet) tamper with the original code but I can see that some might take this approach - and possibly leave themselves vulnerable to attacks on massive scale. This is ofcourse not the Joomla Teams responsibility. Perhaps a better way could be created to keep in touch with the ISP's that would make it possible to ease our fears of the worst. And besides, who better to test the upcoming fixes?

    Sami Mattila

  12. avatar John Marrett makes this comment

    2008-10-21 09:16:37

    Thanks for the wonderful article.
    Anthon has done all users a great service by clearly explaining the issues and I like to thank him for it.
    Keep up the good work and users like me ( from all the way in Singapore !) appreciate it a lot.

  13. avatar Tobias makes this comment

    2008-10-21 11:50:24

    @Sava: knowing about another approach but only telling it here in a comment pisses me off. Please submit a tracker item and let the developers correct the issue. You can blame them for the policy, but don't expect them to follow your comment when you don't help them in a constructive way. Shame on you.

  14. avatar amy.stephen makes this comment

    2008-10-21 12:44:59

    If A) you have authors you do not know (and therefore cannot trust) who submit articles to your Web site and B) you do not have Joomla!'s text filtering turned on, then read the link that Brad provided, below, http://docs.joomla.org/Security_filters_for_articles

  15. avatar Nick Kotarski makes this comment

    2008-10-21 13:35:28

    I find it all a bit sad :(

    Surely everyone in the Joomla community wants essentially the same thing: Joomla being as good as it can be and secure too?

    I can't see that having people "shouting" at each other and being kicked off the project for publishing details of a security problem really helps the community that much.

    I suppose it sends a strong message to everyone not to do that but it sounds like they thought that there was a breakdown of communication. This sounds to me like rapped knuckles rather than being cast into the pit.

    Nick

  16. avatar nik c makes this comment

    2008-10-21 21:00:55

    A totally unacceptable blog. I am a JOOMLA user. I set up site and admin them. I want to be told of any security issues that are present, and happily leave it to the dev team to sort out what they tell us and when. With JOOMLA being open source I fully expect not only the core team to be finding bugs and security risks.

    If at this point someone from the JOOMLA core team finds their approach objectionable, wrong or out of place, then the decent way of dealing with this is to say something like: 'Guys, thanks for the blog on your site, but you know what, the issue you raise is being dealt with by the core team in this, that or the other manner, so please update your blog accordingly'

    But the last thing I would expect is a the public flaming the *company* is subjected to, which now is displayed on the FRONT page of the JOOMLA site for ANYone to see. Quite apart from the reputation of the company what really takes a KNOCK here is the reputation of JOOMLA.

    Nik C

  17. avatar elin.waring makes this comment

    2008-10-22 02:23:07

    There seems to be a misunderstanding of what the filter does and what the situation was before it was introduced.

    The TinyMCE editor has its own filtering built into its plugin. You can set prohibited elements and extended valid elements. This is the only filtering of html in content that was in place prior to the inclusion of the filter in the content parameters. By default it only blocks applet.

    end part 1

  18. avatar elin.waring makes this comment

    2008-10-22 02:24:18

    part 2

    The filter feature in question is an added functionality that allows you to make the restriction of html more finely grained than that available via many editors, such as TinyMCE. For example, it allows you to allow
    superadmins to include certain tags while preventing other users from doing so.

    More importantly if you have an editor that does not have filtering options (such as xStandard Lite plugin included in the core) or if you choose to use no editor the filter feature allows you to impose either a black list or a white list for html tags or to allow no html at all. Without the filter, all tags are allowed in those editors.

    Removing the filter options would take you back to the state of having no filtering options. The proposed fix, which is to set an unchangable white list with no list of allowed tags, would mean that users can't use such harmless tags as , and even inside their wysiwyg editors. So the proposed fix would radically change functionality on everyone's sites.

    end part 2

  19. avatar elin.waring makes this comment

    2008-10-22 02:25:25

    part 3

    In making changes, the bug squad strives not to break existing sites or change functionality that people are used to. Therefore by default the new filter was set to leave the editors functioning as they did in earlier 1.5 releases. We do realize the need for SOME default filtering, and will be adjusting the defaults accordingly in 1.5.8, but leaving the configuration option.

    .....

    the harmless tags in part 2 are :
    p, strong and ul (for three simple examples)

  20. avatar Krisstoffer makes this comment

    2008-10-22 02:34:11

    @Elin Waring
    Thats all that needed to be said, someone like yourself taking the time filling in the blanks and assuring the community that a future fix would be put into place, not this pointless attack.. we 'the community' happen to pride ourselves on being one of the friendliest and supportive in the open source world

  21. avatar Andrew Eddie makes this comment

    2008-10-22 03:09:39

    Ok people, we want to get back to business so let me just say this. We are caught between a rock and a hard place. To say nothing means you get to apply a patch that breaks functionality. To say something makes us look like the bad guys. Either way we loose but we err'd on the side of the million or so 1.5 sites out there. It sucks; this should never, ever have happened, especially since the "real" fix is so trivial, but that's the state of it.

  22. avatar Graeme Forrest makes this comment

    2008-10-22 08:32:23

    That rattle's out the pram. I don't think you can justify this kind of blog. You try and 'damn' the company when all they were trying to do was help the community. Perhaps they made a mistake, yes. But does that warrent a blog post like this?

    To me, and I assume a lot of other members of the community comments like this...

    "Generally speaking, people in the community are highly supportive of the Project. Unfortunately, this company isn't one of them (and on multiple occasions this has shown to be true)."

    ...make it look like there's more history to this than just this issue.

    This isn't professional. Sort it out.

  23. avatar Sean Salvadalena makes this comment

    2008-10-22 10:34:15

    I think you all missed the point. When you find a security issue, you need to report it to Joomla directly, to the security team. This exchange is between the person who found it and Joomla, no one else can see it. That way the problem gets fixed properly. This 'company' posted the vulnerability in PUBLIC. This puts everyone who uses Joomla at risk because it is known, regardless of the lack of trust in Joomla to fix the problem. Putting our community at risk warrants this reaction in my view.

  24. avatar Tobias makes this comment

    2008-10-22 20:21:18

    Well, everyone makes mistakes. I personally would like to know what the 'evil' company thinks about this issue... did or does anyone talk with these people? I would like to know how both sides stand to each other. I don't think there's a reason to blame anyone - neither the Joomla team nor the company. This post is probably written in rage, but this post also shows that there exist some philosophy. It is the idea of creating a good platform for many people. I think we should keep issues like this in mind when going forward. But: please let us go forward. It doesn't help anyone complaining about this post or about the company.

  25. avatar Lou Wilson makes this comment

    2008-10-23 08:00:08

    I was considering using Joomla for the club I belong to.
    But after reading this blog I am having second thoughts.

  26. avatar Noel makes this comment

    2008-10-23 15:59:37

    Think for a minute. Smb has found a sec hole in Joomla and shared it with the Joomla team. This team thought not important and made it their last priority. This smb thought this issue needs more attention and contributed his patch to the community. Wait a minute...I would give this dude a trophy, but not a punch in the face!? The core team should have answered on this responsively, offering their patch in the nearest future, but not such act! With this, you make impression that you care more about Joomla's polished image than sec holes and the efforts of the community. This was a big - from your side. Hail to the 3PD. I would apply every patch no matter where it comes from, but I will double check it first.

  27. avatar Tobias makes this comment

    2008-10-24 09:56:22

    @Noel
    You want to always apply patches, but always check them first... hmmm... so you seem to know which areas of Joomla need to be tested, no matter which patch you get? Or do you check every part of Joomla? Wouldn't it be better to let those people check and create the patch who *know* the insides of Joomla? Well, it's up to you what you do with your system.
    You say the Joomla team made the patch a least priority thing... where did you get that information from? I read it like "we didn't see the issue as a crisis". See the difference?
    I don't know how Joomla discussed the issue with the 3PD - you?

    Joomla is "owned" by the core team. The Joomla community gives input to the core team. The core team listens to the community. So, if people of the community don't like the directions where the core team os going, we can discuss it, or we can try to become a core team member. But becoming a member always means that you have to stick to the policies. You can try to change policies, but don't try it with anger...

  28. avatar Alejandro Navarrete makes this comment

    2008-10-24 10:17:36

    I can't find where in the GPL indicates that modified versions must be distributed ONLY in the official site, must be released ONLY by the official team and that violators will be "punished with the full force of our collective disapproval" (that sounds more like proprietary).

    Maybe that does not like us, but the 'evil' company has the legal right to release the patch without prior notification to the core team.

    Just in case somebody worries for "security" more than for freedom:
    Quote:
    Anyone who trades liberty for security deserves neither liberty nor security.--Benjamin Franklin--

  29. avatar elin.waring makes this comment

    2008-10-24 13:28:29

    Part 1

    The last two releases of Joomla!, 1.5.6 and 1.5.7 were both security releases. In the case of 1.5.6 it was a critical issue and the release happened within a few hours of the report. In the case of 1.5.7 the vulnerabilities were not critical and thus the release was speeded up but it was not an emergency release. That allowed careful analysis and testing.

    Often, as in this case, security reports come in with proposed fixes that would be much more harmful to working sites than the risks associated with the vulnerability. When the risk is not critical we are able to do much more extensive and thorough testing of any fixes. As the reporters themselves say, they did not test their patch on any working sites and did not understand the implications of what they proposed. If they had simply suggested to users that they change the settings from the default to something more secure that would have been appropriate.

    end part 1

  30. avatar elin.waring makes this comment

    2008-10-24 13:29:16

    Part 2

    In general, a calm, careful and systematic approach to hypothetical vulnerabilities will always work best. We understand that sometimes people panic, which seems to be what happened here, but our processes are designed to put panic aside and proceed in an orderly fashion. The reporters know our processes and were aware that they were being followed in this instance. I am sure that they are happy we did not rush their patch since they realized after our review that their patch was potentially harmful to sites.

    Most people in the world of open source software think that Karl Fogel's book contains excellent advice about how to manage an open source project. I would strongly encourage everyone to read his advice about managing security issues.

    http://producingoss.com/en/publicity.html#security

    We follow those practices.

  31. avatar Alex makes this comment

    2008-10-24 14:09:07

    My humble opinion...

    First let's say I am not a developer so I have to congratulate the Joomla team for the hard work.

    But... I am a Joomla user and 3 of my Joomla sites have been hacked in three different ways in the last two weeks, all of them being updated (J 1.5.7).

    So for me, NO vulnerability is not high priority and I can not understand that 1.5.8 is not out with a fix as a vulnerability is known and a fix committed.

    Personnally, I can not blame anyone to point out a vulnerability and try to fix it AS SOON AS POSSIBLE.

    Both parties should maybe think twice...
    - the 3PD should have followed the rules and should not have made it public
    - the Joomla team should never consider a vulnerability a not high priority...

    I am personnally waiting for 1.5.8 to reinstall my websites being bored to be hacked.

    PS: All hacking were related to public registered on the site but with no rights...

  32. avatar amy.stephen makes this comment

    2008-10-24 17:30:51

    Alan Langford of the Joomla! Security Task Force and a member of the Development Working Group will follow up with Alex to help him provide specifics needed to evaluate the problem. Please report security concerns to the Joomla! Security Task Force http://developer.joomla.org/security/contact-the-team.html

    It would be my inclination to not publish Alex's comment and simply ask that he talk to the Security Team, but Anthony Ferrara has asked that we continue to publish all comments on this topic and allow people to speak their mind. Since there is no specific vulnerability mentioned, we will allow it.

  33. avatar Manoj Sterex makes this comment

    2008-10-24 17:53:17

    As far as Joomla's software licensing is concerned, its open source GPL. So anybody is free to modify/change/extend the Joomla code to adapt it and also "share" them. So, I see nothing wrong in what the 3rd party guys did.

    I'm surprised that the people in the core team shun people who work on the code. This is disappointing to any developer.

    At the least, instead of making a public post which by many ways is disrespectful, you could have simply settled this issue over emails and made an announcement that the recent vulnerability was not very critical and it would be fixed in the next release. If you were so concerned about your users, you should have posted a general warning (instead of targeting) to users against installing patches released by 3rd party guys.

    Bottom-line: Fix the issue instead of blaming someone for publicizing it. If the time and energy spent on flaming in this post was spent on fixing the security issue, I'm sure it would have been solved!

  34. avatar amy.stephen makes this comment

    2008-10-24 18:01:47

    For those concerned for their Web sites (or want to understand why such a strong response to scaring our community unnecessarily.)

    What Web sites are vulnerable?

    a) Those without text filtering activated;
    b) With unknown authors (who cannot be trusted);
    c) Where an author wants to intentionally cause harm;
    d) And knows how to so;
    e) And has access to the server.

    How can you protect yourself?

    Activate Text Filtering that has been available in core since Joomla! 1.5.2

    How do you do learn how to do this?

    a. Read the Help Screen for the Article Manager (search for text filter)

    b. Follow these instructions: http://docs.joomla.org/Security_filters_for_articles

    You do not need a patch or a new release

    Everything you need is available in the Article Configuration Utility

    What will be different in Joomla! 1.5.8?

    The default setting will enable filtering for new Web sites. (Of course, this can be changed, as desired.)

  35. avatar ron.severdia makes this comment

    2008-10-24 23:19:17

    http://community.joomla.org/team-blogs/communications-team/516-security-and-joomla.html

  36. avatar Chris makes this comment

    2008-10-25 05:18:58

    I'm a Drupal CMS site dev, and so far Joomla seems to be very different. From the plugins that are scattered everywhere on the net, often requiring registration, to the dificulty of contributing code. Security is a must, and no vulnerability is trivial.

  37. avatar Doug McCormick makes this comment

    2008-10-26 05:18:58

    It's my personal belief that the response to this issue is justified and rational.

    It's also my belief that the action that solicited this response was childish self promotion.

    fwiw

  38. avatar Website Creation Guides makes this comment

    2008-10-27 16:34:03

    Having found a vulnerability of any system the responsible thing to do is to immediately inform the responsible party. That is if you want to protect the people. If the motives are other than that, it is whole different story. Publicly exposing a hole puts in danger thousands of people that utilize the system. In regards to the matter, if the exposer is a member of the responsible party then it is plain stupid.It is like kicking yourself while at the same time backstabbing your own team.

  39. avatar efe makes this comment

    2008-10-29 03:31:35

    I had a joomla website running for testing purposes. It was hacked twice in the last 2 months. The last time the hacker filled the website with trojans ( fakealert and others ), so I deleted the all website.
    I thing you should redirect your rage to the hackers who are becoming "famous" for crashing joomla websites ... not to the guys helping to stop it.

  40. avatar murph0 makes this comment

    2008-10-30 17:14:29

    Holy over-reaction, batman. I suspect there may be more to this flare-up than meets the eye. But those personal details are hidden from the rest of us, so... Can we get back to work now?

Add Comment


    • >:o
    • :-[
    • :'(
    • :-(
    • :-D
    • :-*
    • :-)
    • :P
    • :\
    • 8-)
    • ;-)

     
    ©2005-2009 Open Source Matters, Inc. All rights reserved.    Joomla Hosting by Rochen Ltd.    Empowered by JXtended    Accessibility Statement    Privacy Policy    Log in