Upgrade immediately to Joomla! 1.0.11

Created on Monday, 28 August 2006 12:00

Security Fixes

Joomla! 1.0.11 contains twenty-six (26) fixes for High, Medium and Low Level security vulnerabilities.

The majority of these vulnerabilities affect all previous versions of Joomla!

04 HIGH Level Threats fixed

A1 Unvalidated Input
  • Secured mosMail() against unvalidated input
  • Secured JosIsValidEmail() - in previous versions the existence of an email address
    somewhere in the string was sufficient
A6 Injection Flaws
  • Fixed remote execution issue in PEAR.php
  • Fixed Zend Hash Del Key Or Index Vulnerability

04 MEDIUM Level Threats fixed

A1 Unvalidated Input
  • globals.php not included in administrator/index.php
A2 Broken Access Control
  • Added Missing defined( '_VALID_MOS' ) checks
  • Limit Admin `Upload Image` from uploading below `/images/stories/` directory
  • Fixed do_pdf command bypassing the user authentication

18 LOW Level Threats fixed

A1 Unvalidated Input
  • Hardened Admin `User Manager`
  • Hardened poll module
  • Fixed josSpoofValue function to ensure the hash is a string
A2 Broken Access Control
  • Secured com_content to not allow the tasks 'emailform' and 'emailsend'
    if $mosConfig_hideEmail is set
  • Fixed emailform com_content task bypassing the user authentication
  • Limit access to Admin `Popups` functionality
A4 Cross Site Scripting
  • Fixed XSS injection issue in Admin `Module Manager`
  • Fixed XSS injection issue in Admin `Help`
  • Fixed XSS injection issue in Search
A6 Injection Flaws
  • Harden loading of globals.php by using require() instead of include_once()
  • Block potential misuse of $option variable
  • Block against injection issue in Admin `Upload Image`
  • Secured against possible injection attacks on ->load()
  • Secured against injection attack on content submissions where frontpage
    is selected
  • Secured against possible injection attack through mosPageNav constructor
  • Secured against possible injection attack through saveOrder functions
  • Add exploit blocking rules to htaccess
  • Harden ACL from possible injection attacks
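The JosIsValidEmail() item under the HIGH level fixes describes a validation check that passed as long as an address appeared somewhere in the input. The added example below (not Joomla's code; function and sample names are hypothetical) contrasts that unanchored check with one that requires the whole value to be a single address.

```python
import re

# Constructed illustration of the JosIsValidEmail() weakness listed above:
# the pre-1.0.11 check only needed an address to occur *somewhere* in the
# string. Names are hypothetical and the pattern is deliberately simple.
EMAIL_RE = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"


def is_valid_email_weak(value: str) -> bool:
    """Unanchored check: accepts any string that merely contains an address."""
    return re.search(EMAIL_RE, value) is not None


def is_valid_email_strict(value: str) -> bool:
    """Anchored check: the entire value must be exactly one address.

    re.fullmatch is used rather than wrapping the pattern in ^...$, because in
    Python (and PCRE) '$' also matches just before a trailing newline, which
    would let 'user@example.com\\n' slip through an ^...$ anchored pattern.
    """
    return re.fullmatch(EMAIL_RE, value) is not None


# Constructed sample inputs: the first is legitimate; the others embed an
# address inside other data (trailing text, a display name, a second line).
SAMPLES = [
    "user@example.com",
    "user@example.com plus trailing text",
    "Someone <user@example.com>",
    "user@example.com\nsecond line",
]


def compare(samples=SAMPLES):
    """Return {input: (weak_result, strict_result)} for each sample."""
    return {s: (is_valid_email_weak(s), is_valid_email_strict(s)) for s in samples}


if __name__ == "__main__":
    for sample, (weak, strict) in compare().items():
        print(f"{sample!r:45} weak={weak} strict={strict}")
```

Only the first sample passes the strict check; the weak check accepts all four, which is the behaviour the 1.0.11 fix removes.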

High Level Vulnerabilities

1.0.11 fixes 4 High Level security vulnerabilities that affect all previous versions of the Joomla! 1.0.x series.
In fact there is a strong likelihood that most of these vulnerabilities (including the High Level ones) will also affect older versions of Mambo as well.

Therefore all Joomla! users are strongly advised to upgrade immediately to Joomla! 1.0.11.