Joomla! 1.0.11 [ Sunbow ] is now available as of Monday 28th August 2006 24:00 UTC for download here and is being designated a critical security release.
All existing Joomla! users must upgrade to this version, due to several High Level vulnerabilities that affect all previous versions of Joomla!
We have always been fully committed to a security-first principle, and new initiatives have been, and will continue to be, started to reinforce it. Joomla! 1.0.11 highlights a redoubled effort to put security at the forefront of everyone's lexicon.
As with any software, security is a continually evolving and constant battle between application developers and hackers. The increased security threats discovered in the Joomla! Universe indicate nothing more than an increasing usage of Joomla! throughout the world and thus an increasing interest from hackers.
It does, however, serve to remind everyone, both application developers and application users, that security is an eternal vigil and one cannot rest.
1.0.11 contains the following critical security fixes:
- 04 High Level Security Fixes
- 04 Medium Level Security Fixes
- 18 Low Level Security Fixes
- 25 General bug fixes
If you are using ANY previous version of Joomla!, you need to upgrade to 1.0.11 as soon as possible.
Joomla! 1.0.11 contains twenty-six (26) fixes for High, Medium and Low Level Security Vulnerabilities.
The majority of these vulnerabilities affect all previous versions of Joomla!
04 HIGH Level Threats fixed
A1 Unvalidated Input
- Secured mosMail() against unvalidated input
- Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient
A6 Injection Flaws
- Fixed remote execution issue in PEAR.php
- Fixed Zend Hash Del Key Or Index Vulnerability
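The JosIsValidEmail() entry above describes a check that passed whenever an address appeared somewhere in the input. The following added example (not Joomla! source code; the function names and the simplified address pattern are assumptions) contrasts an unanchored match with two anchored forms:

```php
<?php
// Added illustration: function names and patterns are hypothetical,
// not Joomla! source code.

// 1. No anchors: succeeds if an address appears anywhere in the input.
function email_unanchored(string $s): bool
{
    return preg_match('/[\w.\-]+@[\w.\-]+\.[A-Za-z]{2,}/', $s) === 1;
}

// 2. ^...$ anchors: better, but in PCRE "$" also matches just before a
//    trailing newline, so "addr\n" still passes.
function email_caret_dollar(string $s): bool
{
    return preg_match('/^[\w.\-]+@[\w.\-]+\.[A-Za-z]{2,}$/', $s) === 1;
}

// 3. \A...\z anchors: the pattern must account for every byte.
function email_whole_string(string $s): bool
{
    return preg_match('/\A[\w.\-]+@[\w.\-]+\.[A-Za-z]{2,}\z/', $s) === 1;
}

// Constructed sample inputs.
$samples = [
    'user@example.org',
    'any text, then user@example.org',
    "user@example.org\nsecond line",
    "user@example.org\n",
];

foreach ($samples as $s) {
    printf(
        "%-36s unanchored=%d caret_dollar=%d whole_string=%d\n",
        json_encode($s),
        email_unanchored($s),
        email_caret_dollar($s),
        email_whole_string($s)
    );
}
```

Only the `\A...\z` form rejects every sample except the bare address, including the one that ends in a newline.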
04 MEDIUM Level Threats fixed
A1 Unvalidated Input
- globals.php not included in administrator/index.php
A2 Broken Access Control
- Added Missing defined( '_VALID_MOS' ) checks
- Limit Admin `Upload Image` from uploading below `/images/stories/` directory
- Fixed do_pdf command bypassing the user authentication
18 LOW Level Threats fixed
A1 Unvalidated Input
- Hardened Admin `User Manager`
- Hardened poll module
- Fixed josSpoofValue function to ensure the hash is a string
A2 Broken Access Control
- Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
- Fixed emailform com_content task bypassing the user authentication
- Limit access to Admin `Popups` functionality
A4 Cross Site Scripting
- Fixed XSS injection issue in Admin `Module Manager`
- Fixed XSS injection issue in Admin `Help`
- Fixed XSS injection issue in Search
A6 Injection Flaws
- Harden loading of globals.php by using require() instead of include_once();
- Block potential misuse of $option variable
- Block against injection issue in Admin `Upload Image`
- Secured against possible injection attacks on ->load()
- Secured against injection attack on content submissions where frontpage is selected
- Secured against possible injection attack thru mosPageNav constructor
- Secured against possible injection attack thru saveOrder functions
- Add exploit blocking rules to htaccess
- Harden ACL from possible injection attacks
High Level Vulnerabilities
1.0.11 fixes 4 High Level security vulnerabilities that affect all previous versions of Joomla! 1.0.x series. In fact there is a strong likelihood that most of these vulnerabilities (including the High Level ones) will also affect older versions of Mambo as well.
Therefore all Joomla! users are strongly advised to upgrade immediately to Joomla! 1.0.11
In the last few weeks, Joomla! sites have garnered increased attention from the hacking community. This has led to the discovery of several security vulnerabilities in the Joomla! 1.0.x core (which have been addressed by this 1.0.11 release) and 3rd Party extensions.
Therefore it is of prime importance that security be at the top of your priorities. To that end you are strongly encouraged to read through the Security Checklist - put together by Security Forum Moderator (rliskey):
One easy way to block the majority of current exploit attempts is to utilise the .htaccess rules - put together by our Quality & Testing Technical Lead (RobS):
These extra .htaccess rules are now part of the Joomla! core as of this 1.0.11 release in the file htaccess.txt.
However, if you are upgrading your site, you will need to manually insert the rules into your .htaccess file yourself.
These additions to the .htaccess file will help protect vulnerable third-party extensions against such attacks.
You are strongly encouraged to implement these into all your existing and future Joomla! sites.
Two PHP settings in particular dramatically increase the security of your site, especially if the software contains as yet unknown vulnerabilities. In fact, sites with these settings set correctly have been saved from most of the latest attacks on 3PD extensions:
- Register Globals
- Magic Quotes
You need to ensure that these two settings are set to:
- Register Globals = `OFF`
- Magic Quotes = `ON`
for your system.
To check the value of these settings, go to the System Info page in your Backend Administrator area (System -> System Info).
There is also one Joomla! Core setting that can pose a potential security threat:
- Register Globals Emulation (RG_Emulation)
Your system is safest when this setting is set to `OFF`.
However, by default Joomla! 1.0.x releases have this setting set to `ON`, as in previous releases. This is because a number of 3rd party extensions are not yet written to work with this setting set to `OFF` and will not function properly. Therefore it has been decided to keep it `ON` by default in Joomla! 1.0.11, to avoid incompatibilities during this highly recommended critical core update, and to allow you to safely update Joomla! before reviewing your extensions' compatibility and setting this parameter to `OFF` when appropriate for your site.
However, we suggest that you test to see if your site and its extensions will continue to work properly with this setting set to `OFF` as your site will be far more secure when run in this environment.
You can find a discussion thread here about extensions which do not work correctly when this setting is set to `OFF`, and listing updates and ways to fix these extensions so they will work correctly in this environment.
In Joomla! 1.5, `Register Globals Emulation` will be set to `OFF` by default.
To change this setting to `OFF`, you need to edit your globals.php file (found in your site's root directory) and look for the line:
define( 'RG_EMULATION', 1 );
And change the setting to:
define( 'RG_EMULATION', 0 );
To help ensure your site is running at the minimum level of acceptable security, two new visible warnings have been added to the Admin Backend area.
*It is important to note that these two new features in the 1.0.x series do not guarantee that your site is 100% secure, only that you are operating at the minimum level of security.*
A new security warning will appear in the backend main page if your system is NOT running under the following recommended state:
- PHP magic_quotes_gpc setting is `ON`
- PHP register_globals setting is `OFF`
- Joomla! RG_EMULATION setting is `OFF`
The warning message will appear in Backend Admin area `homepage`, `Global Configuration page` and the `System Information page`
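One way to express the three-setting check described above, together with the RG_EMULATION line in globals.php, as an added example (not Joomla! code; the function names are hypothetical). It takes the setting values as arguments, so it can be run against a copy of globals.php without loading the site:

```php
<?php
// Added illustration: function names are hypothetical, not Joomla! APIs.

// Interpret a php.ini-style boolean ("1", "On", "yes", "true").
function ini_flag_on($raw): bool
{
    return in_array(strtolower(trim((string) $raw)), ['1', 'on', 'yes', 'true'], true);
}

// Read RG_EMULATION from globals.php source text without executing it.
// Commented-out define() lines are skipped; null means "not found".
function read_rg_emulation(string $source): ?int
{
    $re = '/^\s*define\(\s*([\'"])RG_EMULATION\1\s*,\s*(\d+)\s*\)\s*;/m';
    return preg_match($re, $source, $m) === 1 ? (int) $m[2] : null;
}

// Return one message per setting that departs from the recommended state.
function security_warnings($magicQuotes, $registerGlobals, ?int $rgEmulation): array
{
    $w = [];
    if (!ini_flag_on($magicQuotes)) {
        $w[] = 'magic_quotes_gpc is OFF, recommended ON';
    }
    if (ini_flag_on($registerGlobals)) {
        $w[] = 'register_globals is ON, recommended OFF';
    }
    if ($rgEmulation === null) {
        $w[] = 'RG_EMULATION define not found in globals.php';
    } elseif ($rgEmulation !== 0) {
        $w[] = 'RG_EMULATION is ON, recommended OFF';
    }
    return $w;
}

// Constructed sample: a globals.php fragment and two php.ini values.
// On a live 1.0.x host the ini values would come from ini_get().
$globalsPhp = "<?php\n// define( 'RG_EMULATION', 0 );\ndefine( 'RG_EMULATION', 1 );\n";

foreach (security_warnings('On', 'Off', read_rg_emulation($globalsPhp)) as $msg) {
    echo "WARNING: $msg\n";
}
```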
Joomla! Version Warning
After your version of Joomla! is more than 30 days old, a warning will appear in your Backend Admin area `homepage`, indicating the age of the version you are using and a link to where you can check for information about the latest version of Joomla!.
Further, in the `Global Configuration page` and the `System Information page` this warning will always be visible.
This warning is intended as a visible reminder to ensure you are using the newest/latest version of Joomla! at all times.
We strongly encourage you (if you have not already done so) to register yourself on forum.joomla.org and to subscribe to the announcements thread to get notified of important security releases (you need to be a registered member of the forums to receive notifications). We also encourage you to do the same for all third-party extensions you use, where available.
Third-party site Extensions
It is essential that you take a moment after updating the core to check if your extensions are up to date, and update them if a newer version is available.
Often newer versions address not only bugs but security as well. You can do this from the components, modules and mambots installer pages, which display a URL to the homepage of the authors, or by checking on extensions.joomla.org.
Extensions Security Warning Center
A large number of Joomla! extensions have come under the scrutiny of hackers, and vulnerabilities have been exposed within them. To that end a new Security Forum for 3rd Party Extensions has been created:
Also a new official list of 3rd Party Extensions with known Vulnerabilities has been created to assist the community.
You are strongly advised to subscribe to the list (or visit it regularly) to ensure you are kept up-to-date on security vulnerabilities in 3rd Party extensions.
All extension developers are strongly urged to read the new Developer Security Guide to ensure they are matching best/industry practices in how to code securely for Joomla! - put together by Development Working Group Member friesengeist:
They are also urged to monitor the new Security Forum for 3rd Party Extensions, to ensure that they keep track of new security threat reports.
Developers are also highly advised to track the development progress of Project Joomla! via the Developer Blogs, which are the primary method that the Official Joomla! Developers communicate with the external Development community.
New to Joomla! or starting a new site
Are you a new Joomla! user? Confused as to which of the 30 available packages to download?
The answer is simple. If you are creating a site for the first time, you will need the Full Package file:
- 1.0.11 Stable Full Package
The other packages are for those users who already have an existing Joomla! site and wish to upgrade to the latest version.
Upgrading from any version of Joomla! 1.0.x to 1.0.11 simply involves overwriting your current site's files with the files in the proper Patch Package that applies to your site.
So if you are running Joomla! 1.0.9, you will need the 1.0.9 to 1.0.11 Patch Package.
This can be done either by uncompressing the Patch Package and then using an FTP client to transfer these files to your server, overwriting the existing files. If you find errors after the process, ensure that all files were properly transferred. There have been verified reports of some FTP clients not properly transferring files across to a server - without notifying the user of such a problem. One possible cause is that under certain circumstances the web server locks the files it is using, and the FTP server can't update those files. One possibility is to take the site briefly offline during the FTP transfer.
Alternatively, if your Web Provider gives you access to your site via some sort of Web Admin panel like CPanel or Plesk, you can use the system's file manager to upload the Patch Package file to your server and then extract the package file, overwriting all the files on your server.
More information can be found on the Forums and if at any stage you are unsure, then search the forums for posts on the subject. Most will be found in the Upgrading Forum.
For those converting from Mambo 4.5.2.x or Mambo 4.5.3 please read these Migration instructions.
You will need to download the Joomla 1.0.11 Full package.
Before undertaking an Upgrade or Conversion, it is extremely important that you back up your site Database and, if possible, also your site files. While we try to ensure that an Upgrade or Conversion process is relatively straightforward, we cannot guarantee that this will always be the case for every user. So it is imperative that users take protective measures in case they face problems after the Upgrade or Conversion.
To ensure the integrity of the files you are downloading, you are advised only to download from the 'Official Source' on the Official Joomla! Forge. As an extra security measure we now make available the MD5 checksum values of the respective package files, to allow people to do integrity checking.
1.0.11 is available as a Full Package, which contains all Joomla! files, and as Patch Packages, which contain only the files that have been changed by the Stability work conducted from previous Joomla! 1.0.x versions.
Joomla! 1.0.11 comes as a Full Package:
- 1.0.11 Stable Full Package
and Patch Packages:
- 1.0.0 to 1.0.11 Patch
- 1.0.1 to 1.0.11 Patch
- 1.0.2 to 1.0.11 Patch
- 1.0.3 to 1.0.11 Patch
- 1.0.4 to 1.0.11 Patch
- 1.0.5 to 1.0.11 Patch
- 1.0.6 to 1.0.11 Patch
- 1.0.7 to 1.0.11 Patch
- 1.0.8 to 1.0.11 Patch
- 1.0.9 to 1.0.11 Patch
- 1.0.10 to 1.0.11 Patch
It also comes packaged in 3 different compression formats
A project like Joomla! and releases like this cannot happen without the coordinated effort of a vast and varied family spread throughout the world. A family of selfless volunteers and well meaning people whose only reward is knowing that they might be helping others. It is one of the aspects of this project that continues to amaze, inspire and revitalize all of us who are more formally involved with the project.
So to the faceless and nameless hundreds who have contributed in even the smallest way to this project and this release in particular - THANK YOU.
Your name might not be in the changelog and you might not have a shiny title on the forums, but know that the time you take to report a possible bug and propose a fix will and does help countless thousands throughout the world. You are more than 'Paying It Forward'.
To all those who assisted even more intimately (you know who you are), your contribution is more than simply appreciated, it is applauded - 'let's all keep the Rhythm & Beat going, and keep the music flowing' ;)
Rey Gigataras [stingrey]
Security & Stability