Joomla! 1.0.13 Released

Created on Monday, 23 July 2007 11:00

Joomla! 1.0.13 [ Sunglow ] is now available for download.

Joomla! 1.0.13 features:

  • Several low-risk security fixes
  • Improved password storage system
  • Easier control over Register Globals Emulation
  • An Itemid backwards compatibility setting
  • Improved administrative session security
  • Improved HTTP/HTTPS switchover support

Because Joomla! 1.0.13 is a security release, it is important that you upgrade, but we strongly recommend that you take extra precautions when performing this upgrade. This release features several improvements to the password storage system designed to help protect the future security of your Joomla! powered website. These changes will cause compatibility issues with some 3rd Party Extensions, especially bridges. If your Joomla! site utilizes bridges to other applications or extensions that have their own login system, such as Community Builder, Virtuemart, or others, you should not upgrade your site until those extensions have also been updated.

The changes to the password storage system should be transparent to your Joomla! site's users. As users log in for the first time after your site has been upgraded, their passwords will automatically be converted from the old password storage system to the new system. Because of this automatic conversion of passwords, it is important that you back up your entire database before performing this upgrade. Once the process of converting passwords has started, it cannot be reversed.

Release Information

1.0.13 is available as a full package, which contains all Joomla! files, or as patch packages, which contain only the files that have changed since a previous Joomla! 1.0.x version.

Improved Password Storage System

Encryption and hashing technologies are constantly evolving as new processes become known and more time and energy is invested in breaking old systems. The unfortunate result of this continuous evolution is that the MD5 hashing system is showing its age and has become easier to break with the introduction and rapid development of high-quality rainbow tables. To combat this problem, Joomla! 1.0.13 now features salted hashes, which will automatically pad a password string with 16 randomly generated characters to make the hash exponentially more difficult to reverse-engineer or guess. As users log in to your Joomla! powered website, their passwords will be automatically converted from the old password storage system to the new system. The transition should be completely transparent to both you and your users. However, there is no way to reverse this process, so it is important that you take all precautions when performing this upgrade and make sure you have a complete database backup before beginning.
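The upgrade-on-login flow described above (and in the upgrade warning earlier on this page), as an added example that is not Joomla!'s own code: a legacy record is an unsalted MD5 hex digest, a converted record is assumed here to be stored as "md5(password + salt):salt" with a 16-character salt, and conversion can only happen at login because that is the only moment the plaintext password is available.

```python
import hashlib
import secrets
import string
from typing import Dict

SALT_ALPHABET = string.ascii_letters + string.digits
SALT_LENGTH = 16  # the page: 16 randomly generated characters


def legacy_hash(password: str) -> str:
    """Pre-1.0.13 storage: unsalted MD5 of the password, as hex."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def new_salt(length: int = SALT_LENGTH) -> str:
    """Fresh random salt from a CSPRNG; every user gets a different one."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def salted_hash(password: str, salt: str) -> str:
    """Assumed post-upgrade storage format: 'md5(password + salt):salt'."""
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return f"{digest}:{salt}"


def verify(stored: str, password: str) -> bool:
    """Accept both formats so existing users can still log in after the upgrade."""
    if ":" in stored:
        digest, salt = stored.split(":", 1)
        candidate = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
        return secrets.compare_digest(digest, candidate)
    return secrets.compare_digest(stored, legacy_hash(password))


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """Check the password; on success, convert a legacy record in place.

    The conversion is one-way: the salted record cannot be turned back into
    the unsalted one, which is why a database backup is needed beforehand.
    """
    stored = users.get(username)
    if stored is None or not verify(stored, password):
        return False
    if ":" not in stored:  # still a legacy record: upgrade it now
        users[username] = salted_hash(password, new_salt())
    return True
```

MD5 is used here only because it is what the page describes; in a current system the same upgrade-on-login pattern would wrap a purpose-built password hash such as bcrypt or Argon2.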

Easier Control over Register Globals Emulation

Joomla! has always featured the ability to emulate PHP's register globals setting. However, controlling this feature has always been one of the more difficult aspects of configuring your Joomla! installation because it required manually editing a core file. For Joomla! 1.0.13, all that is history. Joomla!'s register globals emulation controls have been moved into the Global Configuration settings to allow for fast and easy control over this feature. The advantages of this change are two-fold: 1) it will be easier to secure your Joomla! powered website and 2) disabling register globals emulation will help you identify some extensions that will not work in Joomla! 1.5.

Itemid Backwards Compatibility Setting

With the release of Joomla! 1.0.12 came a few changes to the behavior of Joomla!'s infamous Itemid system. Many people were dissatisfied with the changes and insisted on reverting their Joomla! powered websites back to the previous behavior. To address this problem, Joomla! 1.0.13 now features an Itemid compatibility setting that can be found in the Global Configuration manager. The setting allows you to choose between the Itemid behavior in Joomla! 1.0.12 and the Itemid behavior found in Joomla! 1.0.11 and prior.

Improved Administrative Session Security

To address a potential issue known as "session fixation" attacks, we have implemented some small changes in Joomla! 1.0.13 to improve the security of administrative sessions. Administrative sessions will now be destroyed and recreated with each request in order to prevent session fixation and session hijacking attacks.

SSL Switchover Support

Joomla! 1.0.13 has addressed a few lingering bugs in the HTTP/HTTPS switchover support reintroduced in Joomla! 1.0.12. SSL switchover support should now work fluidly, with seamless transitions between encrypted and unencrypted pages.