Upgrade immediately to Joomla! 1.0.11 - Security Fixes
Monday, 28 August 2006
Page 2 of 8
Security Fixes
Joomla! 1.0.11 contains twenty-six (26) fixes for High, Medium and Low Level security vulnerabilities.
The majority of these vulnerabilities affect all previous versions of Joomla!
04 HIGH Level Threats fixed
A1 Unvalidated Input
- Secured mosMail() against unvalidated input
- Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient
- Fixed remote execution issue in PEAR.php
- Fixed Zend Hash Del Key Or Index Vulnerability
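The JosIsValidEmail() item above describes a classic validation mistake: a pattern that is not anchored to the start and end of the input. The following is an added example, not code from the Joomla! project; legacyIsValidEmail() and strictIsValidEmail() are hypothetical stand-ins for the weak and the hardened check, and the sample strings are constructed.

```php
<?php
// Added example, not Joomla! project code. Both function names are
// hypothetical stand-ins for the weak and the hardened JosIsValidEmail().

// Weak form: an unanchored pattern, so preg_match() reports success as soon
// as an address appears anywhere inside the submitted string.
function legacyIsValidEmail(string $value): bool
{
    return preg_match('/[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}/', $value) === 1;
}

// Hardened form: the whole string must be one address. Line breaks and NUL are
// refused up front, the pattern is anchored with ^ and $, and the /D modifier
// stops $ from silently accepting a trailing newline.
function strictIsValidEmail(string $value): bool
{
    if (strlen($value) > 254 || strpbrk($value, "\r\n\0") !== false) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}$/D', $value) === 1;
}

// Constructed samples: one clean address, then strings that merely contain one.
$samples = [
    'user@example.com',
    'user@example.com ',              // trailing space
    "user@example.com\n",             // trailing newline ($ alone would accept it)
    'reply to user@example.com now',  // address embedded in other text
];

foreach ($samples as $s) {
    printf("%-34s legacy=%s strict=%s\n",
        json_encode($s),
        legacyIsValidEmail($s) ? 'accept' : 'reject',
        strictIsValidEmail($s) ? 'accept' : 'reject');
}
```

Run with `php` on the command line: the legacy check accepts all four samples, the strict one accepts only the first. The point is that a value destined for a mail header must be the address and nothing else, which is what the 1.0.11 change to mosMail() and JosIsValidEmail() enforces.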
04 MEDIUM Level Threats fixed
A1 Unvalidated Input
- globals.php not included in administrator/index.php
- Added Missing defined( '_VALID_MOS' ) checks
- Limit Admin `Upload Image` from uploading below `/images/stories/` directory
- Fixed do_pdf command bypassing the user authentication
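The "Upload Image" item above confines an administrator's uploads to the /images/stories/ tree. Doing that correctly means canonicalising the requested path before comparing it with the allowed base. The following is an added example, not Joomla! project code; uploadTargetWithin() is a hypothetical helper, and the directory layout is constructed in a temporary folder so the script runs anywhere.

```php
<?php
// Added example, not Joomla! project code. uploadTargetWithin() is a
// hypothetical helper showing the canonicalisation check that confining the
// admin "Upload Image" tool to /images/stories/ requires.

// Returns the absolute destination path, or null if the request would land
// outside $baseDir or names a file that is not an image.
function uploadTargetWithin(string $baseDir, string $subDir, string $fileName): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // The file name must be a single path component with an image extension.
    if ($fileName === '' || strpbrk($fileName, "/\\\0") !== false
        || !preg_match('/^[A-Za-z0-9_\-]+\.(gif|jpe?g|png)$/i', $fileName)) {
        return null;
    }
    // NUL bytes are not valid in paths (PHP 8 throws on them); reject early.
    if (strpos($subDir, "\0") !== false) {
        return null;
    }
    // Canonicalise the requested sub-directory: it must exist, and after
    // resolving any ".." segments it must still be $base or sit beneath it.
    $dir = realpath($base . DIRECTORY_SEPARATOR . $subDir);
    if ($dir === false) {
        return null;
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($dir !== $base && strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $fileName;
}

// Constructed layout under a temporary directory so the example runs anywhere.
$root    = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'upload_demo_' . getmypid();
$stories = $root . '/images/stories';
mkdir($stories . '/news', 0700, true);

$requests = [
    ['news',  'photo.jpg'],     // allowed sub-directory
    ['',      'photo.png'],     // the base directory itself
    ['../..', 'photo.jpg'],     // resolves above /images/stories/
    ['news',  '../photo.jpg'],  // separator inside the file name
    ['news',  'notes.php'],     // not an image extension
];
foreach ($requests as [$sub, $name]) {
    $target = uploadTargetWithin($stories, $sub, $name);
    printf("%-20s -> %s\n", "$sub/$name", $target === null ? 'REJECTED' : $target);
}

// Remove the constructed directories again.
rmdir($stories . '/news');
rmdir($stories);
rmdir($root . '/images');
rmdir($root);
```

Only the first two requests produce a destination path. The comparison is done on the realpath() result rather than on the string the user sent, so ".." segments, symlinks and duplicated separators are resolved before the base-directory check is applied.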
18 LOW Level Threats fixed
A1 Unvalidated Input
- Hardened Admin `User Manager`
- Hardened poll module
- Fixed josSpoofValue function to ensure the hash is a string
- Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
- Fixed emailform com_content task bypassing the user authentication
- Limit access to Admin `Popups` functionality
- Fixed XSS injection issue in Admin `Module Manager`
- Fixed XSS injection issue in Admin `Help`
- Fixed XSS injection issue in Search
- Harden loading of globals.php by using require() instead of include_once();
- Block potential misuse of $option variable
- Block against injection issue in Admin `Upload Image`
- Secured against possible injection attacks on ->load()
- Secured against injection attack on content submissions where frontpage is selected
- Secured against possible injection attack thru mosPageNav constructor
- Secured against possible injection attack thru saveOrder functions
- Add exploit blocking rules to htaccess
- Harden ACL from possible injection attacks
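Two items in the list above, the josSpoofValue() hash that must be a string and the blocking of $option misuse, are both about what a request variable may legitimately be before the code trusts it. The following is an added example, not Joomla! project code; makeFormToken(), formTokenIsValid() and componentIsAllowed() are hypothetical stand-ins, and the session, date and secret values are constructed.

```php
<?php
// Added example, not Joomla! project code. makeFormToken() and
// formTokenIsValid() are hypothetical stand-ins for the anti-spoof hash that
// josSpoofValue() produces and checks; componentIsAllowed() shows a whitelist
// for the $option request variable.

// A per-session, per-day form token: the secret never leaves the server.
function makeFormToken(string $siteSecret, string $sessionId, string $day): string
{
    return hash_hmac('sha256', $sessionId . '|' . $day, $siteSecret);
}

// The check the 1.0.11 fix adds: the submitted value must be a plain string
// before it is compared. PHP delivers "field[]=x" as an array, and a loose
// comparison (==) between a string hash and an array, or between two
// numeric-looking strings, does not behave like a byte-for-byte match.
function formTokenIsValid($submitted, string $expected): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);  // constant-time, type-strict
}

// Component names are matched against a fixed list, never used raw.
function componentIsAllowed($option, array $installed): bool
{
    return is_string($option) && in_array($option, $installed, true);
}

// Constructed request values.
$secret   = 'constructed-site-secret';
$expected = makeFormToken($secret, 'sess-1234', '2006-08-28');

$attempts = [
    'correct string' => $expected,
    'other session'  => makeFormToken($secret, 'sess-9999', '2006-08-28'),
    'array value'    => [$expected],
    'missing (null)' => null,
];
foreach ($attempts as $label => $value) {
    printf("%-16s %s\n", $label, formTokenIsValid($value, $expected) ? 'valid' : 'rejected');
}

foreach (['com_content', 'com_bogus', ['com_content']] as $option) {
    printf("%-18s %s\n", json_encode($option),
        componentIsAllowed($option, ['com_content', 'com_search']) ? 'allowed' : 'blocked');
}
```

Only the first token attempt is reported valid and only the plain 'com_content' string is allowed. The is_string() guard is the whole substance of the josSpoofValue fix: once the type is pinned down, the strict comparison can be trusted.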
High Level Vulnerabilities
1.0.11 fixes 4 High Level security vulnerabilities that affect all previous versions of Joomla! 1.0.x series.
In fact there is a strong likelihood that most of these vulnerabilities (including the High Level ones) will also affect older versions of Mambo as well.
Therefore all Joomla! users are strongly advised to upgrade immediately to Joomla! 1.0.11.

