What do I have to do to get single sign on to work with Joomla?
If I sign into my Joomla website (not Joomla admin but the website), then I get a blank screen for phpgedview. If I don't, then phpgedview works fine but of course I have to sign into phpgedview.
Also - When I sign into phpgedview, if I go to a different page in my Joomla website, then come back, I have to sign into phpgedview again.
I'm new to Joomla as well as phpgedview so I'm sure this is a simple newbie problem.
You need an additional Joomla component. Go to http://joomlacode.org/gf/project/phpgedview/
Yes I've already got that installed, but what else do I need to do or set?
Nothing as far as PGV is concerned. You will need to ask about installation on their forum (at the bottom of the page on the link I gave above). I can't even tell you if it will work at all on PGV 4.2. Given the number of changes 4.2 has, its entirely possible it won't.
I'm using Joomla 1.5.9 with PGV 4.2 and they work well together. I'm using version 1.4 of the gedview joomla component located at http://joomlacode.org/gf/project/phpgedview/frs/?action=FrsReleaseBrowse&frs_package_id=462 Version 1.4.1 is now available.
The only thing I had to do was configure the gedview component and add the Secret key for communication between Joomla and phpGedView to PGV's config file.
Booma - There are a number of security implications with this module. I would advise against using it.
Out of interest, is your site public? Do you want to tell me the url and give me permission to "investigate" the security?
Greg - At the moment on my public site I'm using Joomla 1.5.7 with PGV 4.1.6, but I have a test site for the Joomla 1.5.9 with PGV 4.2 install. If you like to PM me I'll give you the details.
Having just looked at booma's site, I can confirm that the vulnerabilities are still present, and I would reiterate my advice against using it.
<<Having just looked at booma's site, I can confirm that the vulnerabilities are still present,
Would you care to elaborate on the vulnerabilities?
As I too use a Joomla portal and bridge...
<<Would you care to elaborate on the vulnerabilities?>>
A visitor to the site is easily able to gain admin access and from there install/run arbitrary code on your server.
I did tell the author of the module about the vulnerability back in May 2008....
Greg's absolutely right. Once I discovered the issue last year I completely changed the way I use Joomla. In my view there are only two safe ways to do it, and neither require the linking component.
1 - have no registration requirement in Joomla at all. Require login ONLY for PGV. I was able to do this on my site, once I accepted the fact that NONE of my relatives ever added anything to Joomla themselves, and 90% of my content I was happy to share with the world. I removed the other 10%. Anything I want to add to Joomla pages I do through the admin panel.
2 -The opposite of 1. Require login to Joomla for some features, but ONLY allow access to PGV for Joomla registered users. Make the PGV link visible to only those users. Then in PGV you can turn off all login requirements, making it fully open to your Joomla registered users.
The information that Greg was able to tell me about information on my site clearly demonstrated the security issue. I'm now setting up as per kiwi_pgv's option 1.
Kiwi - I like you're second option, requiring a login for Joomla and only letting registered users see the PGV link. Is there any issue with people stumbling onto the PGV directory since there's no password required for PGV with this method?
Thanks for your help.
I'm afraid I'm not the expert in that. If he has the time, I would recommend you set it up that way, and see if Greg would test your security. He understands the things hackers do to breach your defences :-)
(sorry greg, don't mean to overload you - but its a valuable test to do).
I think the answer should be 'no problem', but I'm hesitant to commit in an area I'm not sure of.
Another user has identified a different issue with my 2nd suggestion though. If your users don't need to login to PGV, then you lose the benefits of them having their own "My Portal" page, and all the benefits that go with PGV identifying them as a unique user. You wouldn't be able to use "Relationship Privacy" as effectively either.
As a final note - I would suggest that we limit this discussion here. Too much talk of such vulnerabilities is just likely to encourage hackers to try new things. Happy to talk off-line with anyone concerned.
I've given this matter a little more thought. With security vulnerabilities, it is conventional to advise the application maintainer before announcing the details to the security community. This gives the author some time to provide a patch or work-around.
The author was notified last year.
I have therefore reported the details to the secunia mailing list. Details will appear on their website shortly.
You may recall that phpGedView 4.1.5 was an urgent security release. This module reintroduces the vulnerable code from 4.1.4. It allows a remote attacker to install and run arbitrary code on your server.
I most strongly advise you to uninstall this module, and use separate logins for both Joomla and phpGedView.
Greg and Kiwi - really appreciate the help and attention to this.
Are you sure it's present with Joomla 1.5.9 and 1.4.1 of the plugin?
I can't seem to find the entry on the secunia database, what's the secunia advisory number?
Maybe they decided it wasn't a suitably "major" piece of software?
The vulnerability is that the interface relies on keeping a "secret key" variable secret, when there are many ways in which it can be exposed. With this key, a visitor can log in as any user, including a site administrator.
Well, that could be it of course, but if I look for joomla vulnerabilities (and yes I looked through most of them), there are a lot of other components there.
Ken, the issue has been tested and proven to be a problem with at least Joomla 1.5.9 / component 1.4 / PGV 4.2, as stated above here.
The 1.4.1 update to the component did nothing to change the fundamental approach used, so use it at your own risk, and the risk of your (and your families privacy). According to the release notes the only change in 1.4.1 was "Restored functionality needed for Search plugin available in Joomla! 1.0.x"
Component version 1.4.2 is released, that handles the key in a more confidential way, so it should not be available to unauthorized persons anymore.
Hi Is there any one still following this thread and possibly who can help me?
I wanted to:
1. Joomla 1.6/1.7 and Phpgedview or webtrees
2. Registration is only on invitation
3. Single sign on
4. Joomla Group =families
5. permission based access to PGV/Webtrees
6.limit the PGV/webtrees access to certain level i.e one FAMILY(Joomla Group XYZ typically the group name will be family name ) member can view other FAMILY (Joomla Group PQR again typically the group name will be family name) member only if they belong to some other joomla group ex: "Looking for Marriage Alliance" where the member requests for details and the user "approves" the request on approval the requester will be able to see the family details .
How to do this can any one guide me or give me a write up please
or if possible connect to me on gchat sapguroo
correction joomla group=family