Joomla! 1.0.11 contains twenty-six (26) fixes for High, Medium and Low Level Security Vulnerabilities.
The majority of these vulnerabilities affect all previous versions of Joomla!
04 HIGH Level Threats fixed
A1 Unvalidated Input
- Secured mosMail() against unvalidated input
- Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient
- Fixed remote execution issue in PEAR.php
- Fixed Zend Hash Del Key Or Index Vulnerability
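The JosIsValidEmail() item above describes a check that accepted any string containing an address somewhere inside it. The following is an added illustration, not Joomla's own code, of why that matters for a mail helper such as mosMail(): an unanchored pattern lets a value that carries extra headers or a second recipient through, while an anchored pattern with an explicit CR/LF test does not. The function names are hypothetical.

```php
<?php
// Added example, not Joomla 1.0.11 code. Contrasts an unanchored address
// check with an anchored one and adds the CR/LF test a mail helper needs
// before a user-supplied value is placed in a To:/Cc:/Subject: header.

// Weak check: matches an address *anywhere* in the string, so trailing
// header lines or a second comma-separated address are not rejected.
function isValidEmailUnanchored($email)
{
    return preg_match('/[\w.+-]+@[\w-]+(\.[\w-]+)+/', $email) === 1;
}

// Hardened check: the whole value must be one address (the D modifier
// stops $ from matching before a final newline), and a CR or LF anywhere
// is refused because it would terminate the current mail header.
function isValidEmailAnchored($email)
{
    if (!is_string($email) || strlen($email) > 254) {
        return false;
    }
    if (preg_match('/[\r\n]/', $email) === 1) {
        return false;
    }
    return preg_match('/^[\w.+-]+@[\w-]+(\.[\w-]+)+$/D', $email) === 1;
}

// Constructed inputs: one good address and two shapes that must never
// reach a mail header unchanged.
$samples = array(
    'user@example.com',
    "user@example.com\r\nBcc: other@example.org",
    'user@example.com, other@example.org',
);

foreach ($samples as $s) {
    printf("%-50s unanchored=%s anchored=%s\n",
        json_encode($s),
        isValidEmailUnanchored($s) ? 'accept' : 'reject',
        isValidEmailAnchored($s) ? 'accept' : 'reject');
}
```

Run from the command line, the first sample is accepted by both functions and the other two only by the unanchored one, which is the behaviour the 1.0.11 fix removes.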
04 MEDIUM Level Threats fixed
A1 Unvalidated Input
- globals.php not included in administrator/index.php
- Added Missing defined( '_VALID_MOS' ) checks
- Limit Admin `Upload Image` from uploading below `/images/stories/` directory
- Fixed do_pdf command bypassing the user authentication
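Two of the medium-level items, the missing defined( '_VALID_MOS' ) checks and the restriction of Admin `Upload Image` to `/images/stories/`, are shown together below in the form an admin-side file would apply them. This is an added example and not Joomla's own code: the helper name resolveUploadDir() and the request parameter `dirPath` are assumptions, while `_VALID_MOS`, `$mosConfig_absolute_path`, mosGetParam() and mosRedirect() are the Joomla 1.0 names.

```php
<?php
// Added example, not Joomla 1.0.11 code.
// 1. The _VALID_MOS guard: the constant is defined only by Joomla's own
//    entry points, so a direct request for this file stops here instead
//    of running with its includes and globals missing.
defined('_VALID_MOS') or die('Direct Access to this location is not allowed.');

// 2. Containment of an upload directory below /images/stories/.
//    Hypothetical helper: returns the resolved absolute directory, or
//    false if the request names anything outside the allowed base.
function resolveUploadDir($absolutePath, $requestedSubdir)
{
    $base = realpath($absolutePath . '/images/stories');
    if ($base === false) {
        return false;                       // base directory missing
    }
    // Remove NUL bytes and normalise separators before resolving.
    $requestedSubdir = str_replace(array("\0", '\\'), array('', '/'), $requestedSubdir);

    // realpath() collapses "..", symlinks and duplicate separators, so the
    // comparison below is made on the real location, not the typed one.
    $target = realpath($base . '/' . $requestedSubdir);
    if ($target === false) {
        return false;                       // does not exist or unresolvable
    }
    $baseWithSep = rtrim($base, '/') . '/';
    if ($target !== rtrim($base, '/')
        && strncmp($target, $baseWithSep, strlen($baseWithSep)) !== 0) {
        return false;                       // resolved outside the base
    }
    return $target;
}

// Usage in a hypothetical upload handler, after the uploaded file itself
// has been checked (is_uploaded_file(), extension, size). The directory
// check is deliberately separate from the file check so that neither one
// is skipped when the other is refactored.
$dir = resolveUploadDir($mosConfig_absolute_path, mosGetParam($_REQUEST, 'dirPath', ''));
if ($dir === false) {
    // mosRedirect() sends the Location header and exits.
    mosRedirect('index2.php?option=com_admin', 'Invalid upload directory');
}
$destination = $dir . '/' . basename($_FILES['upload']['name']);
```

The comparison against `$baseWithSep` rather than the bare base is what prevents a sibling directory whose name merely starts with `stories` from being accepted.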
18 LOW Level Threats fixed
A1 Unvalidated Input
- Hardened Admin `User Manager`
- Hardened poll module
- Fixed josSpoofValue function to ensure the hash is a string
- Secured com_content to not allow the tasks 'emailform' and 'emailsend'
if $mosConfig_hideEmail is set
- Fixed emailform com_content task bypassing the user authentication
- Limit access to Admin `Popups` functionality
- Fixed XSS injection issue in Admin `Module Manager`
- Fixed XSS injection issue in Admin `Help`
- Fixed XSS injection issue in Search
- Harden loading of globals.php by using require() instead of include_once();
- Block potential misuse of $option variable
- Block against injection issue in Admin `Upload Image`
- Secured against possible injection attacks on ->load()
- Secured against injection attack on content submissions where frontpage
- Secured against possible injection attack through mosPageNav constructor
- Secured against possible injection attack through saveOrder functions
- Add exploit blocking rules to htaccess
- Harden ACL from possible injection attacks
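Two of the low-level items concern the front controller: blocking misuse of the `$option` variable, and refusing the com_content tasks `emailform` and `emailsend` when `$mosConfig_hideEmail` is set. The fragment below is an added example of how a dispatcher can enforce both; it is not Joomla 1.0.11's own code, and the exact form of Joomla's checks is not stated on this page. sanitizeOption() and allowedContentTask() are hypothetical names; mosGetParam(), mosNotAuth(), `$mosConfig_hideEmail` and `$mosConfig_absolute_path` are the Joomla 1.0 names.

```php
<?php
// Added example, not Joomla 1.0.11 code: dispatcher-level checks for the
// $option value and for the com_content e-mail tasks.

// $option is used to build the component include path, so only a plain
// lower-case "com_name" token is allowed through; path separators, NUL
// bytes, URL-encoded sequences and arrays all fall back to the default.
function sanitizeOption($option)
{
    if (!is_string($option)) {
        return 'com_frontpage';
    }
    $option = strtolower($option);
    if (preg_match('/^com_[a-z0-9_]+$/', $option) !== 1) {
        return 'com_frontpage';             // safe default component
    }
    return $option;
}

// The two tasks that show or send a mail form are refused when the site
// hides e-mail addresses; every other task is left to the component.
function allowedContentTask($task, $hideEmail)
{
    $task = is_string($task) ? $task : '';
    if ($hideEmail && in_array($task, array('emailform', 'emailsend'), true)) {
        return false;
    }
    return true;
}

// Dispatcher fragment (assumes the Joomla 1.0 helpers named above).
$option = sanitizeOption(mosGetParam($_REQUEST, 'option', 'com_frontpage'));
$task   = mosGetParam($_REQUEST, 'task', '');

if ($option === 'com_content' && !allowedContentTask($task, $mosConfig_hideEmail)) {
    mosNotAuth();                           // "not authorized" page, then exit
}

// Because $option now matches ^com_[a-z0-9_]+$, this path cannot leave
// the components directory.
require_once $mosConfig_absolute_path . "/components/$option/$option.php";
```

Rejecting an unexpected `$option` with a default component rather than an error message keeps the response identical for every malformed value, so the check does not reveal which component names exist.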
High Level Vulnerabilities
1.0.11 fixes 4 High Level security vulnerabilities that affect all previous versions of Joomla! 1.0.x series.
In fact there is a strong likelihood that most of these vulnerabilities (including the High Level ones) will also affect older versions of Mambo as well.
Therefore all Joomla! users are strongly advised to upgrade immediately to Joomla! 1.0.11.