Security Fixes

Joomla! 1.0.9 contains twelve (12) fixes for low-level security vulnerabilities.

Low Level Threat Fixes

A1 - Unvalidated Input
  • A1 - Harden mosmsg
  • A1 - Hardening of backend `User Manager` to stop 'Administrator' users from being able to create 'Super Administrator' users
A2 - Broken Access Control
  • A2 - Fix breadcrumb titles being visible even when access is restricted
  • A2 - 'Edit Your Details' page now needs a published menu item to be accessible
  • A2 - 'Check-In My Items' page now needs a published menu item to be accessible
  • A2 - 'Submit News' page now needs a published menu item to be accessible
  • A2 - 'Submit Weblink' page now needs a published menu item to be accessible
  • A2 - Add ability to selectively disable certain types of syndicated feeds
  • A2 - Ensure module caching does not inadvertently make special-level modules visible to registered users
  • A2 - Add ability to totally disable access to the frontend login page
  • A2 - Add ability to disable frontend user params
A3 - Broken Authentication and Session Management
  • A3 - Changes to the access level of a user account will kill any active session for that user

OWASP Vulnerability Categorization

Since 1.0.8, Joomla! has started adopting the Open Web Application Security Project (OWASP) Top Ten Vulnerability categorization system, to standardize the categorization of security vulnerability reports.

OWASP Top Ten list here