Joomla! 1.0.8 Released
Sunday, 26 February 2006

Security Vulnerabilities

Joomla! 1.0.8 contains thirty-seven (37) fixes for security vulnerabilities: 14 medium-level threats and 23 low-level threats.

Medium Level Threat Fixes

  • A3 - Hardening of Remember Me login functionality
  • A7 - Protect against real server path disclosure via syndication component
  • A1 - Limit arbitrary file creation via syndication component
  • A7 - Protect against real server path disclosure in mod_templatechooser
  • A9 - Inputfilter vulnerable to DoS attacks
  • A2 - Disallow `Weblink` item from being accessible when 'unpublished'
  • A2 - Disallow `Polls` item from being accessible when 'unpublished'
  • A2 - Disallow `Newsfeeds` item from being accessible when category 'unpublished'
  • A2 - Disallow `Weblinks` item from being accessible when category 'unpublished'
  • A2 - Disallow `Content` item from being accessible despite section/category 'access level'
  • A2 - Disallow `Newsfeed` item from being accessible despite category 'access level'
  • A2 - Disallow `Weblink` item from being accessible despite category 'access level'
  • A2 - Disallow `Content` item from being visible despite category 'access level'
    - `Blog - Content Section` & `Blog - Content Section Archive`
  • A2 - Disallow `Content` items from being viewable when category/section 'unpublished'
    - mod_newsflash

Low Level Threat Fixes

  • A3 - Harden frontend Session ID
  • A6 - Harden against multiple Admin SQL Injection Vulnerabilities
  • A1 - Disable ability to enter more than one email address in Contact Component contact form
  • A1 - Harden Contact Component with param option to check for existence of session cookie
    - enabled by default
  • A3 - Additional check for correct Admin session name
  • A2 - Disallow access to syndication functionality
  • A2 - Disallow `Newsfeeds` Categories from being accessible when 'unpublished'
  • A2 - Disallow `Contact` Categories from being accessible when 'unpublished'
  • A2 - Disallow `Weblink` Categories from being accessible when 'unpublished'
  • A2 - Disallow `Content Section` from being accessible when section 'unpublished'
    - `List - Content Section`
  • A2 - Disallow `Content Category` from being accessible when category/section 'unpublished'
    - `Table - Content Category`
  • A2 - Disallow `Contact` Categories from being accessible as per category 'access level'
  • A2 - Disallow `Newsfeeds` Categories from being accessible as per category 'access level'
  • A2 - Disallow `Weblinks` Categories from being accessible as per category 'access level'
  • A2 - Disallow `Content Section` from being accessible as per section 'access level'
    - `List - Content Section`
  • A2 - Disallow `Content Category` from being accessible as per section/category 'access level'
    - `Table - Content Category`
  • A2 - Disallow `Content Category` from being accessible as per category 'access level'
    - `Blog - Content Category` & `Blog - Content Category Archive`
  • A2 - Disallow `Content` item links from being visible as per category/section 'access level'
    - mod_newsflash, mod_latestnews, mod_mostread
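Nearly every A2 entry in both the medium-level and low-level lists above has the same shape: an item, category or section was shown after checking only its own published state or access level, while a parent category or section that was unpublished or restricted was ignored. The following is an added illustration of the corrected rule, written for this page; it is not code from Joomla! 1.0.8. The numeric access levels (0 public, 1 registered, 2 special) follow the Joomla! 1.0 convention, while the record layout, function names and SQL table aliases are assumptions made for the example.

```php
<?php
// Added example, not Joomla! code. An item is visible only if it AND every
// ancestor (category, section) is published and within the viewer's level.
// Access levels: 0 public, 1 registered, 2 special (Joomla! 1.0 convention).

/**
 * $chain lists the item first, then its category, then its section; each
 * record is ['published' => int, 'access' => int]. Missing fields fail closed.
 */
function isVisible(array $chain, int $viewerLevel): bool
{
    if ($chain === []) {
        return false;                       // nothing to show
    }
    foreach ($chain as $record) {
        $published = (int)($record['published'] ?? 0);
        $access    = isset($record['access']) ? (int)$record['access'] : PHP_INT_MAX;
        if ($published !== 1) {
            return false;                   // unpublished at any level hides the item
        }
        if ($access > $viewerLevel) {
            return false;                   // a parent's access level applies too
        }
    }
    return true;
}

/**
 * The weaker pre-fix pattern, kept for contrast: only the item itself is
 * examined, so a public item inside a restricted or unpublished category is
 * still served to a guest.
 */
function isVisibleItemOnly(array $chain, int $viewerLevel): bool
{
    return $chain !== [] && isVisible([$chain[0]], $viewerLevel);
}

/**
 * The same rule as the extra WHERE conditions a listing query needs when it
 * joins content (a), categories (c) and sections (s). The viewer's level is
 * cast to int before it reaches the query, so no user-controlled string is
 * interpolated. Aliases are illustrative, not Joomla!'s actual query.
 */
function visibilityWhereClause(int $viewerLevel): string
{
    $level = (int)$viewerLevel;
    return "a.published = 1 AND c.published = 1 AND s.published = 1"
         . " AND a.access <= {$level} AND c.access <= {$level} AND s.access <= {$level}";
}

// Constructed sample records (not real site data)
$item     = ['published' => 1, 'access' => 0];   // public article
$category = ['published' => 1, 'access' => 1];   // registered-only category
$section  = ['published' => 0, 'access' => 0];   // section taken offline

$guest      = 0;
$registered = 1;

// guest viewing a public article that sits in a registered-only category:
var_dump(isVisibleItemOnly([$item, $category], $guest));   // item-only check
var_dump(isVisible([$item, $category], $guest));           // full-chain check
// registered user, same article:
var_dump(isVisible([$item, $category], $registered));
// registered user, but the enclosing section is unpublished:
var_dump(isVisible([$item, $category, $section], $registered));
echo visibilityWhereClause($registered), PHP_EOL;
```

The point the fixes above make is visible in the last two calls: a check that stops at the item says yes to the guest, and a check that forgets the section says yes to the registered user, while the full-chain check refuses both. Applying the same conditions in the listing query (as `visibilityWhereClause` sketches) is what keeps module output such as mod_newsflash and mod_latestnews from linking to items a user cannot open.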

OWASP Vulnerability Categorization

As part of our improved focus on security, we are adopting the Open Web Application Security Project (OWASP) Top Ten vulnerability categorization system, to standardize the categorization of security vulnerability reports. The legend for the vulnerability categories used above is:

  • A1 - Unvalidated Input
  • A2 - Broken Access Control
  • A3 - Broken Authentication and Session Management
  • A6 - Injection Flaws
  • A7 - Improper Error Handling
  • A9 - Denial of Service
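The two A1 (Unvalidated Input) entries for the Contact Component above, accepting only one e-mail address and requiring an existing session cookie before a submission is processed, are shown below as standalone checks. This is an added illustration written for this page, not Joomla!'s contact component; the cookie name, field name and function names are assumptions.

```php
<?php
// Added example, not Joomla! code. (1) Accept exactly one recipient address,
// so the form cannot be pointed at a list of addresses or have extra mail
// headers appended through line breaks. (2) Process a submission only when
// the visitor already holds the session cookie the form page would have set.

/** Return the single validated address, or null for anything else. */
function singleRecipient(string $input): ?string
{
    $candidate = trim($input);
    // Any separator, whitespace or line break means more than one address
    // or an attempt to append headers; reject before further parsing.
    if ($candidate === '' || preg_match('/[,;\s]/', $candidate) === 1) {
        return null;
    }
    if (filter_var($candidate, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $candidate;
}

/** True when the request carries a non-empty session cookie of the given name. */
function hasSessionCookie(array $cookies, string $sessionCookieName): bool
{
    return isset($cookies[$sessionCookieName]) && $cookies[$sessionCookieName] !== '';
}

/**
 * Gate a contact submission. $post and $cookies stand in for $_POST and
 * $_COOKIE. Returns ['ok' => true, 'to' => address] or ['ok' => false, 'error' => key].
 */
function acceptContactSubmission(array $post, array $cookies, string $sessionCookieName): array
{
    if (!hasSessionCookie($cookies, $sessionCookieName)) {
        return ['ok' => false, 'error' => 'no_session'];
    }
    $to = singleRecipient((string)($post['email'] ?? ''));
    if ($to === null) {
        return ['ok' => false, 'error' => 'bad_recipient'];
    }
    return ['ok' => true, 'to' => $to];
}

// Constructed sample requests (not captured traffic)
$sessionCookie = 'sid';
$requests = [
    // well-formed submission with a session
    ['post' => ['email' => 'alice@example.org'],
     'cookies' => [$sessionCookie => 'abc']],
    // two addresses in one field
    ['post' => ['email' => 'alice@example.org, bob@example.org'],
     'cookies' => [$sessionCookie => 'abc']],
    // line break followed by an extra mail header
    ['post' => ['email' => "alice@example.org\r\nBcc: bob@example.org"],
     'cookies' => [$sessionCookie => 'abc']],
    // valid address but no session cookie (form page never loaded)
    ['post' => ['email' => 'alice@example.org'],
     'cookies' => []],
];
foreach ($requests as $request) {
    print_r(acceptContactSubmission($request['post'], $request['cookies'], $sessionCookie));
}
```

Rejecting on the first separator or whitespace character is deliberate: `FILTER_VALIDATE_EMAIL` would also refuse these inputs, but an explicit check documents the intent (one address, no headers) and does not depend on the details of the validator. The session-cookie gate corresponds to the "enabled by default" parameter in the list above; it is a cheap way to drop submissions from clients that never fetched the form.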