Joomla Security News

Home

Below you will find the latest security news from Joomla.org's J.S.S.T. (Joomla Security Strike Team). It is imperitive for the security of your website and that of the server that you maintain your Joomla installation up to date with the latest release. If you require assistance in upgrading your website we are available to do this for you for the modest fee of $25. Simply contact us with the request and your login details and we will quickly perform the upgrade.

Joomla! Developer - Vulnerability News

Not only is Joomla! easy to use, but it is easy to add extra functionality through a flexible and powerful developer framework. The Joomla! Framework allows you to build exceptional extensions for Joomla! including components, modules, plugins, templates and language packs.

— [20091103] - Core - Front-End Editor Issue

(Tuesday, 03 November 2009 11:31)
- Project: Joomla!
- SubProject: com_content
- Severity: Moderate
- Versions: 1.5.14 and all previous 1.5 releases
- Exploit type: Front-End Editing
- Reported Date: 2009-September-05
- Fixed Date: 2009-November-03
Description

When logged into the front end with Author access, it was possible to replace an article written by another user.

Affected Installs

All 1.5.x installs prior to and including 1.5.14 are affected.

Solution

Upgrade to latest Joomla! version (1.5.15 or newer).

Reported by Hannes Papenberg

Contact

The JSST at the Joomla! Security Center.
— [20091103] - Core - XML File Read Issue

(Sunday, 01 November 2009 20:03)
- Project: Joomla!
- SubProject: All
- Severity: Low
- Versions: 1.5.14 and all previous 1.5 releases
- Exploit type: Extension Version Disclosure
- Reported Date: 2009-October-13
- Fixed Date: 2009-Nov-03
Description

It is possible to read the contents of an extension's XML file and find the version number of the installed extension. This could allow people to exploit a known security flaws for a specific version of an extension.

Affected Installs

All 1.5.x installs prior to and including 1.5.14 are affected.

Solution

Turn on Apache mod_rewrite and configure your .htaccess file to filter out XML files. In the htaccess.txt file shipped with version 1.5.15, lines 35-39 contain example code that will...
— [20090722] - Core - Missing JEXEC Check

(Wednesday, 22 July 2009 19:36)
- Project: Joomla!
- SubProject: Framework
- Severity: Moderate
- Versions: 1.5.12 and all previous 1.5 releases
- Exploit type: Path Disclosure
- Reported Date: 2009-July-21
- Fixed Date: 2009-July-22
Description

Some files were missing the check for JEXEC. These scripts will then expose internal path information of the host.

Affected Installs

All 1.5.x installs prior to and including 1.5.12 are affected.

Solution

Upgrade to latest Joomla! version (1.5.13 or newer).

Reported by Juan Galiana Lara (Internet Security Auditors)

Contact

The JSST at the Joomla! Security Center.
— [20090723] - Core - com_mailto Timeout Issue

(Wednesday, 22 July 2009 19:36)
- Project: Joomla!
- SubProject: com_mailto
- Severity: Low
- Versions: 1.5.13 and all previous 1.5 releases
- Exploit type: Email
- Reported Date: 2009-July-28
- Fixed Date: 2009-July-30
Description

In com_mailto, it was possible to bypass timeout protection against sending automated emails.

Affected Installs

All 1.5.x installs prior to and including 1.5.13 are affected.

Solution

Upgrade to latest Joomla! version (1.5.14 or newer).

Reported by WHK and Gergő Erdősi

Contact

The JSST at the Joomla! Security Center.
— [20090722] - Core - File Upload

(Wednesday, 22 July 2009 19:17)
- Project: Joomla!
- SubProject: TinyMCE editor
- Severity: Critical
- Versions: 1.5.12
- Exploit type: Image File upload
- Reported Date: 2009-July-22
- Fixed Date: 2009-July-22
Description

Tiny browser included with TinyMCE 3.0 editor allowed files to be uploaded and removed without logging in.

Affected Installs

Version 1.5.12 only

Solution

Upgrade to latest Joomla! version (1.5.13 or newer).

Reported by Patrice Lazareff.

Contact

The JSST at the Joomla! Security Center.