Cloudbleed and Fabrik

Discussion in 'Important Announcements' started by cheesegrits, Feb 27, 2017.

  1. cheesegrits

    As many of you are no doubt aware, a serious security issue was recently announced concerning Cloudflare, a popular CDN which many Joomla sites use. The Joomla security team has released this announcement and advice:

    https://community.joomla.org/blogs/community/3101-cloudflare-data-leak-and-joomla.html

    ... which recommends that sites using Cloudflare change their Joomla "secret".

    Two IMPORTANT NOTES for Fabrik users to be aware of if you change your Joomla "secret" are that ...

    a) You will need to update your main "site database" connection

    b) If you are using the "Encrypt data" feature (under the "Access" tab of the element settings) for any of your elements, YOU MUST MANUALLY RE-ENCRYPT YOUR DATA using the new key, otherwise your data will be un-encryptable. Note that this option is not enabled by default, so this only applies if you have specifically chosen that option.

    To do this, you will need to:

    1) BACKUP YOUR DATABASE!!! If you don't already use Akeeba for doing this, install it and backup your site.

    2) Change your J! secret as per the announcement referenced above. Make a note of your old key, so you can use it in step 4.

    3) Update your site connection in Fabrik:

    1. Go to the Fabrik Connections page
    2. Test your site connection. If it fails, continue with the next steps.
    3. Open the site database entry
    4. Re-enter your password (in both places)
    5. Click Save & Close
    6. Re-test your site connection

    4) Using phpMyAdmin (or whatever database utility you use), for each element you have selected encryption for (remember, you only need to do this if you specifically set the "Encrypt data" option) run a command like this:

    Code (Text):
    UPDATE yourtable SET yourelement = AES_ENCRYPT(AES_DECRYPT(yourelement, 'your old secret'), 'your new secret')

    So if your element's full name is 'customers___tax_id', your old secret is 'ndrk6uB9lpRkwoFd' and your new secret is 'jfue9AjI73jXfhGs', the command would be ...

    Code (Text):
    UPDATE customers SET tax_id = AES_ENCRYPT(AES_DECRYPT(tax_id, 'ndrk6uB9lpRkwoFd'), 'jfue9AjI73jXfhGs')

    5) For each element you re-encrypt, load its list/form in Fabrik, and make sure the data is readable.

    If you have any issues with any of this, please post in the forums and we will be glad to help.

    And finally - make sure you read step 1. BACK UP YOUR DATABASE before doing anything!

    -- hugh
     
    Last edited: Feb 27, 2017
  2. cheesegrits

    If you are reading this announcement having already reset your secret, and are panicking because your encrypted data is gone, as long as you know what your old secret was (which you should have in a backup somewhere), you can perform the re-encryption at any time.

    The only problem will be if you have added new encrypted data since you changed your secret, which doesn't need to be re-encrypted. The way around that would be to establish what the primary key (usually the 'id' field) value was at the point you changed the secret for each table you need to update, and exclude those from your update query, by adding a where clause like "WHERE id < 1234".

    -- hugh
     
    Last edited: Feb 27, 2017
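
The re-encryption from the first post combined with the "WHERE id < 1234" cutoff from the second, written as an added example that is not part of the original posts. It reuses the posts' sample table, element, secrets and cutoff, and assumes an InnoDB table (so the transaction can be rolled back) with all statements run in a single session; the guard relies on MySQL's AES_DECRYPT() returning NULL when it detects invalid data or padding.

```sql
-- Sample values taken from the posts above; substitute your own.
SET @old_secret = 'ndrk6uB9lpRkwoFd';
SET @new_secret = 'jfue9AjI73jXfhGs';
SET @cutoff_id  = 1234;  -- first id written AFTER the secret was changed

-- 1. Dry run: how many rows below the cutoff decrypt with the old secret?
--    AES_DECRYPT() usually returns NULL for a wrong key, so decrypt_failed
--    counts rows that the old secret cannot read.
SELECT
    COUNT(*)                                             AS rows_in_range,
    SUM(AES_DECRYPT(tax_id, @old_secret) IS NOT NULL)    AS decrypt_ok,
    SUM(tax_id IS NOT NULL
        AND AES_DECRYPT(tax_id, @old_secret) IS NULL)    AS decrypt_failed
FROM customers
WHERE id < @cutoff_id;

START TRANSACTION;

-- 2. Re-encrypt only rows that the old secret can read.
--    Without the IS NOT NULL guard, a row that fails to decrypt becomes
--    AES_ENCRYPT(NULL, ...), which is NULL, and its ciphertext is lost.
UPDATE customers
SET    tax_id = AES_ENCRYPT(AES_DECRYPT(tax_id, @old_secret), @new_secret)
WHERE  id < @cutoff_id
  AND  AES_DECRYPT(tax_id, @old_secret) IS NOT NULL;

-- 3. Verify inside the transaction: every non-empty value in the table
--    should now decrypt with the new secret (rows at or above the cutoff
--    were already written with it).
SELECT COUNT(*) AS unreadable_after
FROM   customers
WHERE  tax_id IS NOT NULL
  AND  AES_DECRYPT(tax_id, @new_secret) IS NULL;

-- 4. Keep the change only if unreadable_after is 0; otherwise run ROLLBACK.
COMMIT;
```

The NULL check is not a guarantee, since a wrong key can occasionally produce garbage instead of NULL, so checking the data in Fabrik (step 5 of the first post) still applies.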
