Joomla! - 1.0.11 Changelog

Flexible
Simple
Elegant
Customizable
Powerful
Cutting Edge Content Management

Joomla! is one of the most powerful Open Source Content Management Systems on the planet. It is used all over the world for everything from simple websites to complex corporate applications. Joomla! is easy to install, simple to manage, and reliable.
Joomla! 1.0.x

Joomla! 1.5

The Joomla! Shop presents to you a large collection of Joomla! books, as well as computer and Internet books. Purchase books in your language. This is a great way to support Joomla!
Who's Online

1.0.11 Changelog
Tuesday, 29 August 2006
---------------- 1.0.11 Stable Released -- [28-August-2006 20:00 UTC] ------------------


This Release Contains the following 26 Security Fixes

Joomla! utilizes the Open Web Application Security Project (OWASP) Top Ten Project to categorize security vunerabilities found within Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

--- - - - - - - - - ---

04 HIGH Level Threats fixed

A1 Unvalidated Input
 * Secured mosMail() against unvalidated input
 * Secured JosIsValidEmail() - in previous versions the existance of an email address somewhere in the string was sufficient
 
A6 Injection Flaws 
 * Fixed remote execution issue in PEAR.php
 * Fixed Zend Hash Del Key Or Index Vulnerability
 
--- - - - - - - - - ---
 
04 MEDIUM Level Threats fixed

A1 Unvalidated Input
 * globals.php not included in administrator/index.php
 
A2 Broken Access Control  
 * Added Missing defined( '_VALID_MOS' ) checks
 * Limit Admin `Upload Image` from uploading below `/images/stories/` directory
 * Fixed do_pdf command bypassing the user authentication

--- - - - - - - - - ---

18 LOW Level Threats fixed

A1 Unvalidated Input
 * Hardened Admin `User Manager`
 * Hardened poll module
 * Fixed josSpoofValue function to ensure the hash is a string
 
A2 Broken Access Control  
 * Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
 * Fixed emailform com_content task bypassing the user authentication
 * Limit access to Admin `Popups` functionality 
 
A4 Cross Site Scripting 
 * Fixed XSS injection issue in Admin `Module Manager`
 * Fixed XSS injection issue in Admin `Help` 
 * Fixed XSS injection issue in Search 

A6 Injection Flaws 
 * Harden loading of globals.php by using require() instead of include_once();
 * Block potential misuse of $option variable
 * Block against injection issue in Admin `Upload Image`  
 * Secured against possible injection attacks on ->load()
 * Secured against injection attack on content submissions where frontpage is selected
 * Secured against possible injection attack thru mosPageNav constructor
 * Secured against possible injection attack thru saveOrder functions
 * Add exploit blocking rules to htaccess
 * Harden ACL from possible injection attacks 


-- -- -- -- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- --


28-Aug-2006 Rey Gigataras
 # SECURITY A6 [ LOW Level ]: Block potential misuse of $option variable


28-Aug-2006 Andrew Eddie
 # SECURITY A6 [ LOW Level ]: Harden ACL from possible injection attacks 


24-Aug-2006 Rey Gigataras
 # SECURITY A6 [ LOW Level ]: Add exploit blocking rules to htaccess
 # SECURITY A6 [ LOW Level ]: Harden loading of globals.php by using require() instead of include_once();
 
 + Installation Security Warning check 
 + Admin & Installation Version age warning 


23-Aug-2006 Rey Gigataras
 # SECURITY A2 [ MEDIUM Level ]: Missing defined( '_VALID_MOS' ) checks
 
 + Admin Security Warning check 
 

21-Aug-2006 Rey Gigataras
 # SECURITY A1 [ LOW Level ]: Hardened Admin `User Manager`
  

19-Aug-2006 Rey Gigataras
 # SECURITY A2 [ MEDIUM Level ]: Limit Admin `Upload Image` from uploading below `/images/stories/` directory
 # SECURITY A2 [ LOW Level ]: Limit access to Admin `Popups` functionality 
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Module Manager`
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Help` 
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Search 
 # SECURITY A6 [ LOW Level ]: [topic,73761] : Block against injection issue in Admin `Upload Image` 


19-Aug-2006 Enno Klasing
 # SECURITY A1 [ HIGH Level ]: Secured mosMail() against unvalidated input
 # SECURITY A1 [ HIGH  Level ]: Secured JosIsValidEmail() - in previous versions the existance of an email address somewhere in the string was sufficient
 # SECURITY A2 [ LOW Level ]: Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
 
 # Fixed : Empty subject in com_content mail2friend no longer possible
 # Fixed : Show error message if com_content mail2friend fails
 # Fixed : Show error message if com_contact mail fails
 ^ Moved all instances of is_email() amalgamated into JosIsValidEmail in /includes/joomla.php


18-Aug-2006 Rey Gigataras
 # SECURITY A1 [ MEDIUM Level ]: globals.php not included in administrator/index.php 
 # SECURITY A2 [ MEDIUM Level ]: do_pdf command bypasses the user authentication
 # SECURITY A2 [ LOW Level ]: emailform com_content task bypasses the user authentication
 # SECURITY A1 [ LOW Level ]: harden poll module
 
 # Fixed [topic,72209] : Mambots fired on Modules
 + enable selective disabling of `Email Cloaking` bot via {emailcloak=off}


17-Aug-2006 Rey Gigataras
 + PERFORMANCE : Cache handling expanded to com_content showItem
 # Fixed [artf5266] : Blog-view shows "more..." even without intros
 # Fixed [topic,81673] : frontend.php itemid issue


17-Aug-2006 Mateusz Krzeszowiec
 # Fixed logging query before applying LIMIT 


15-Aug-2006 Marko Schmuck
 # SECURITY A6 [ LOW Level ]: possible injection attacks on ->load()


15-Aug-2006 Andrew Eddie
 # SECURITY A6 [ HIGH Level ]: remote execution issue in PEAR.php


15-Aug-2006 Mateusz Krzeszowiec
 # PERFORMANCE [topic,83325] : SQL LIMIT in com_content frontend


14-Aug-2006 Andrew Eddie
 # SECURITY A6 [ LOW Level ]: Injection attack on content submissions where frontpage is selected
 # SECURITY A6 [ LOW Level ]: possible injection attack thru mosPageNav constructor
 # SECURITY A6 [ LOW Level ]: possible injection attack thru saveOrder functions


07-Aug-2006 Andrew Eddie
 # SECURITY A6 [ HIGH Level ]: Zend Hash Del Key Or Index Vulnerability
 # SECURITY A1 [ LOW Level ]: josSpoofValue function to ensure the hash is a string


28-July-2006 Robin Muilwijk
 # Fixed [artf5291] : missing onChange javascript code for filter field


27-July-2006 Robin Muilwijk
 # SECURITY A2 [ MEDIUM Level ]: [artf5335] : missing direct access line
 
 # Fixed [artf5282] : missing table row tag and self closing tag
 # Fixed [artf5297] : small html errors


17-July-2006 Robin Muilwijk
 # Fixed [artf5157] : typo in media manager
 # Fixed [artf5218] : duplicate entry of artf5157, typo in media manager


03-July-2006 Rey Gigataras
 # Fixed [artf5181] : 5 step for unrecoverable admin-page crash.
 # Fixed [artf5123] : Wrong name of function in joomla.cache.php
 # Fixed [artf5126] : includes/database.php uses deprecated function
 # Fixed [artf5171] : mosGetParam Default value issue
 # Fixed [artf5112] : A mere mistake in the file contact.html.php
 

---------------- 1.0.10 Stable Released -- [26-June-2006 00:00 UTC] ------------------
< Prev		Next >
[ Back ]