Joomla! 1.0.8 [ Sunshade ] is now available as of Sunday 26th February 2006 07:00 UTC for download here.
We Highly Recommend that you upgrade to this version.
1.0.8 contains the following work:
- 37 Security Fixes
- 70+ General bug fixes
- Several Performance enhancements
1.0.8 is available as a Full Package, which contains all Joomla! files and Patch Packages which contain only the files that have been changed by the Stability work conducted.
Upgrading from any version of Joomla! 1.0.x to 1.0.8, simply involves overwriting your current sites files, with the files in the proper Patch Package that applies to your site. So if you are running Joomla! 1.0.5, you will need the 1.0.5 to 1.0.8 Patch Package.
This can be done by either uncompressing the Patch Package and then using an FTP client to transfer these files to your server and overwriting existing file. If you find errors after the process, ensure that all files were properly transferred. There have been verified reports of some FTP clients not properly transferring files across to a server - without notifying the user of such a problem.
If your Web Provider gives you access to your site via some sort of Web Admin panel like CPanel or Plesk, you can use the system's file manager to upload the Patch Package file to your server and then extracting the package file and overwriting all the files on your server.
More information can be found on the Forums and if at any stage you are unsure, then search the forums for posts on the subject. Most will be found in the Upgrading Forum.
Before undertaking an Upgrade or Conversion, it is extremely important that you backup your site Database and if possible, also you site files. While we try to ensure that an Upgrade or Conversion process is relatively straightforward, we cannot guarantee that this will always be the case for every user. So it is imperative that users take protective measures in case they face problems after the Upgrade or Conversion.
To ensure the integrity of the files you are downloading, you are advised only to download from the 'Official Source' on the Official Joomla! Forge. As an extra security measure we now make available the MD5 checksum values of the respective package files, to allow people to do integrity checking.
Joomla! 1.0.8 comes as a Full Package:
and Patch Packages:
It also comes packaged in 3 different compression formats
Shortly after the public release of Joomla! 1.0.7, a public discussion on the Joomla! forums reported that Poll data was visible or accessible despite being Unpublished - it was also mentioned that other unpublished core data may also be visible.
A quick check of Joomla! 1.0.7 by the Stability Team verified the vulnerability within the core Poll Component and also within other Core Components.
To properly investigate the matter and to ensure there weren’t other similar vulnerabilities within the Joomla! core code base a Security Audit was instituted.
As part of our moved towards increased transparency of `Core Operations` this Security Audit Report is being made available to the public in PDF format.
The results of this audit make up a large bulk (30+) of the Security Fixes contained in 1.0.8
All Joomla! users are urged to read the report so they are aware of the nature of the vulnerabilities discovered and can understand why it is important to upgrade to 1.0.8.
3rd Party addon developers Must read the report to ensure they institute internal testing of their products, to ensure a similar vulnerability does not exist within their applications.
It is also our intention to conduct similar focused audits on the Joomla! codebase in the future.
In fact we are currently working on another Security Audit conducted by Mathijs de Jong - one of our Quality & Testing Working Group members - currently restricted to internal viewing.
Once all issues in these Security Audits are resolved the reports will be made available to the community.
Joomla! 1.0.8 Contains thirty-seven (37) fixes for Security Vulnerabilities. 14 Medium Level threats and 23 Low Level threats
Medium Level Threat Fixes
- A3 - Hardening of Remember Me login functionality
- A7 - Protect against real server path disclosure via syndication component
- A1 - Limit arbitrary file creation via syndication component
- A7 - Protect against real server path disclosure in mod_templatechooser
- A9 - Inputfilter vulnerable to DOS attacks
- A2 - Disallow `Weblink` item from being accessible when 'unpublished'
- A2 - Disallow `Polls` item from being accessible when 'unpublished'
- A2 - Disallow `Newfeeds` item from being accessible when category 'unpublished'
- A2 - Disallow `Weblinks` item from being accessible when category 'unpublished'
- A2 - Disallow `Content` item from being accessible despite section/category 'access level'
- A2 - Disallow `Newsfeed` item from being accessible despite category 'access level'
- A2 - Disallow `Weblink` item from being accessible despite category 'access level'
- A2 - Disallow `Content` item from being visible despite category 'access level'
- A2 - `Blog - Content Section` & `Blog - Content Section Archive`
- A2 - Disallow `Content` items from being viewable when category/section 'unpublished'
Low Level Threat Fixes
- A3 - Harden frontend Session ID
- A6 - Harden against multiple Admin SQL Injection Vulnerabilities
- A1 - Disable ability to enter more than one email address in Contact Component contact form
- A1 - Harden Contact Component with param option to check for existence of session cookie
- enabled by default
- A3 - Additional check for correct Admin session name
- A2 - Disallow access to syndication functionality
- A2 - Disallow `Newsfeeds` Categories from being accessible when 'unpublished'
- A2 - Disallow `Contact` Categories from being accessible when 'unpublished'
- A2 - Disallow `Weblink` Categories from being accessible when 'unpublished'
- A2 - Disallow `Content Section` from being accessible when section 'unpublished'
- `List - Content Section`
- A2 - Disallow `Content Category` from being accessible when category/section 'unpublished'
- `Table - Content Category`
- A2 - Disallow `Contact` Categories from being accessible as per category 'access level'
- A2 - Disallow `Newsfeeds` Categories from being accessible as per category 'access level'
- A2 - Disallow `Weblinks` Categories from being accessible as per category 'access level'
- A2 - Disallow `Content Section` from being accessible as per section 'access level'
- `List - Content Section`
- A2 - Disallow `Content Category` from being accessible as per section/category 'access level'
- `Table - Content Category`
- A2 - Disallow `Content Category` from being accessible as per category 'access level'
- `Blog - Content Category` & `Blog - Content Category Archive`
- A2 - Disallow `Content` item links from being visible as per category/section 'access level'
- mod_newsflash, mod_latestnews, mod_mostread
OWASP Vulnerability Categorization
As part of our improved focus on security, we are adopting the Open Web Application Security Project (OWASP) Top Ten Vulnerability categorization system, to standardize the categorization of security vulnerability reports. The legend of the vulnerability categories for the vulnerabilities above are listed below ( full list here ):
- A1 - Unvalidated Input
- A2 - Broken Access Control
- A3 - Broken Authentication and Session Management
- A6 - Injection Flaws
- A7 - Improper Error Handling
- A9 - Denial of Service
Joomla! 1.0.3 Critical Vulnerability
From postings on the forum, it is clear that some Joomla! users are still operating sites with Joomla! 1.0.3
If you are running 1.0.3 and below you MUST upgrade to at Least 1.0.4
1.0.3 and below contains a Critical Security Vulnerability (our highest security warning), which can lead to unauthorized users gaining access to your site. There have been numerous reports of sites being attacked through this vulnerability and Hackers are specifically targeting and testing Joomla! sites for this vulnerability. If you are upgrading we would advise you to upgrade directly to Joomla! 1.0.8
Recent Mambo Threats
There have been two (2) security vulnerabilities reported in Mambo that have caused some concern to Joomla! users. One is an F-Secure Report, the other a Gulftech Report.
Our internal testing and contacts with the security bodies (who discovered the vulnerabilities) have shown that Joomla! is NOT vulnerable to either of these two threats.
This has been discussed here:
- Linux Worm targeting Mambo, is about an already fixed one year old vulnerability
- Joomla! 1.0.x is not affected by recent Mambo Vulnerability
1.0.8 contains several query performance improvements that should lead to slightly better performance for Joomla! sites. These improvements mainly deal with displaying Core Component Content Item data. The more content items you have visible on a page the greater the likely performance improvement.
As an example, for an install of sample data:
- The frontpage query count has decreased from 93 queries down to 44 - a 52% reduction.
- For the blog page the original 77 queries has gone down to 39 queries - a 48% reduction.
- For the License page we have gone from 35 queries to 26 queries - a 25% reduction
As an example, for the official Joomla sites:
- For the frontpage in 1.0.7 it took 95 queries to generate, with 1.0.8 it only takes 40 - a 57% reduction.
- For the `Community News`area the current page needs 394 queries, now it only needs 197 - a 50% reduction.
- For the `Version Info` page previously it was 99 queries, now it runs to only 59 queries - 40% reduction.
Please note that these query improvements will not affect 3rd party components, but as some improvements were in regards to core queries, which are always loaded, there is a small general query count improvement.
Session handling changes
To fix several problems in session handling and to increase security, the core session handling system has been overhauled. Information on these changes have been detailed here:
- New `Admin Session Lifetime`in 1.0.8
- Hardening the `Remember Me` login ability
- Important change to session handling in 1.0.8
It is important to note, that these changes WILL affect 3rd Party bridging products and users are advised to visit those Developer sites or contact Developers to see if these changes will be addressed in their products newer versions.
I would like to thank several Community Members for their crucial assistance in 1.0.8
- Steve Graham for his help with the Session Management overhaul process
- Mathijs de Jong for his internal Security Audit work
- Beat and Trail from the Community Builder Team for their extensive testing reports of 1.0.8
- All the Testing members who provided testing reports on 1.0.8
Of course every community member who reports problems (either on the tracker or the forums) assists us in helping make Joomla! an even greater product and it is only through the partnership with a strong vibrant and active community that Joomla! can continue to be successful
Rey Gigataras [stingrey]
Joomla! Software Coding and Design
Stability Team Leader