Joomla! security release

Following on from the release of Joomla! 1.5.1 [Seenu], we are pleased to announce the immediate release of Joomla! 1.0.14 [Daybreak]. This version has been triggered by reported cross-site scripting problems that could occur under the right circumstances. We have also addressed many other general bugs and problems.

This release addresses serious security vulnerabilities, and you should proceed with testing on a backup copy of your site. Once you have verified that your site works as expected, we recommend upgrading your live site as soon as possible.

RELEASE NOTES

Joomla! 1.0.14 addresses several serious security issues that have been discovered since our last stable release, Joomla! 1.0.13. After adequate testing on a backup or sandbox version of your live site, you should upgrade to 1.0.14. Along with the security fixes listed below, several other issues were fixed in this release.

Security Fixes

  • SECURITY [LOW] Fixed XSS issue in Search Component.
  • SECURITY [LOW] Fixed XSS issue in Search results pages.
  • SECURITY [LOW] Disallowed users from adding extra wildcard filters in search strings.
  • SECURITY [LOW] Fixed multiple typos in back end Content Component that made the array integer check ineffective.
  • SECURITY [LOW] Fixed case-sensitive flaw in Input Filter.
  • SECURITY [HIGH] Fixed CSRF issue allowing portal compromise - Administrator components.

Other Significant Fixes

  • Administrator logout problem.
  • Fixed bug in Search Component where small words were not properly filtered out.
  • Improved efficiency of regular expressions in Search Component (thus reducing CPU resources when called).
  • Added "Preview" link to Administrator template (to match 1.5).
  • Fixed bug in pagination links (extra space was being added to the link).
  • Various core API fixes.

Upgrading

Upgrade instructions and documentation can be found on the documentation wiki at https://docs.joomla.org/Upgrade_Instructions.

Upgrading your site to 1.0.14 from any version of Joomla! 1.0.x first requires that you choose the correct patch package. For example, if you currently have version 1.0.13 installed you will need the 1.0.13 to 1.0.14 patch package.
NOTE: Patch packages for 1.0.14 only exist going back to Joomla! version 1.0.12. If you need to upgrade from an earlier version you will need to first upgrade to 1.0.13 then upgrade to 1.0.14.

Once you have downloaded the correct package, you need to overwrite the files on the Joomla! site you are upgrading with the files in the patch package. This can be done either by uncompressing the patch package and using an FTP client to transfer the files to your server, overwriting the existing files, or, if your web provider gives you access to your site through a web admin panel like cPanel or Plesk, by using the panel's file manager to upload the patch package file to your server and then extracting it there, overwriting all the corresponding files on your server.

If you find errors after the process, ensure that all files were properly transferred. There have been verified reports of some FTP clients not properly transferring files to a server without notifying the user of the problem. One possible cause is that under certain circumstances the web server locks the files it is using, so the FTP server cannot update those files. One workaround is to take the site briefly offline during the FTP transfer.

If you have questions about any part of this process, you will get the best answers and support from fellow Joomla! users in the upgrading forum. Search first to see whether someone else has had the same issue and found a solution that works for you; if not, feel free to post your question so someone can help.

Backing Up

Before starting an upgrade it is extremely important that you back up your site's database and, if possible, also your site's files. While we try to ensure that upgrade processes are straightforward, we cannot guarantee that this will always be the case for every user. For specific questions on how to back up your site's database or files you should contact your hosting provider.
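The two manual steps above that most often go wrong are backing up the files the patch will replace and confirming afterwards that every patch file actually reached the server intact (the FTP problem described under "Upgrading"). The script below is an added example and is not part of the Joomla! release or its documentation; it assumes the patch package has already been extracted to a local directory and that the site root is reachable as a local path (run on the server itself or over a mounted share). All paths and the subcommand names are hypothetical.

```shell
#!/bin/sh
# Added example, not Joomla! project code. Assumed (hypothetical) layout:
# the patch package is extracted into PATCH_DIR and the site root is
# SITE_DIR, both reachable as local paths.

# backup_targets PATCH_DIR SITE_DIR BACKUP_DIR
# Copies every site file that the patch package will overwrite into
# BACKUP_DIR, keeping its relative path, so the pre-upgrade state of
# exactly those files can be restored if the upgrade misbehaves.
backup_targets() {
    patch_dir=$1; site_dir=$2; backup_dir=$3
    [ -d "$patch_dir" ] && [ -d "$site_dir" ] || return 2
    (cd "$patch_dir" && find . -type f) | while IFS= read -r f; do
        rel=${f#./}
        if [ -f "$site_dir/$rel" ]; then
            mkdir -p "$backup_dir/$(dirname "$rel")"
            cp -p "$site_dir/$rel" "$backup_dir/$rel"
        fi
    done
}

# verify_patch PATCH_DIR SITE_DIR
# Compares every file in the patch package byte-for-byte with the copy on
# the site. Prints one "MISSING" or "DIFFERS" line per problem and returns
# 1 if any file did not land intact; returns 0 when every file matches.
# A silently failed FTP transfer shows up here as DIFFERS (old content
# still in place) or MISSING (file never created).
verify_patch() {
    patch_dir=$1; site_dir=$2
    [ -d "$patch_dir" ] && [ -d "$site_dir" ] || return 2
    problems=$( (cd "$patch_dir" && find . -type f) | while IFS= read -r f; do
        rel=${f#./}
        if [ ! -f "$site_dir/$rel" ]; then
            echo "MISSING  $rel"
        elif ! cmp -s "$patch_dir/$rel" "$site_dir/$rel"; then
            echo "DIFFERS  $rel"
        fi
    done )
    if [ -n "$problems" ]; then
        printf '%s\n' "$problems"
        return 1
    fi
    return 0
}

# Usage (hypothetical script name):
#   sh upgrade_check.sh backup /path/to/patch /path/to/site /path/to/backup
#   ... copy the patch files across with your FTP client or file manager ...
#   sh upgrade_check.sh verify /path/to/patch /path/to/site
case "$1" in
    backup) backup_targets "$2" "$3" "$4" ;;
    verify) verify_patch "$2" "$3" ;;
esac
```

Run the `backup` step before copying anything, then the `verify` step after the transfer; a non-zero exit with a list of `DIFFERS` or `MISSING` lines tells you which files to re-send, which is the check the "Upgrading" section asks for when a site shows errors after patching.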