Written by Murat Esgin
Wednesday, 06 February 2008 20:26
Joomla! Team Blog (by willebil) says:

Security announcement

After releasing Joomla! 1.5 stable we have discovered a high priority security issue. The vulnerability has been discovered in XML-RPC in combination with the blogger API. There is a security problem in this code that makes it possible to alter the articles on your site (including removal). This problem has currently been fixed by members of the development team and the Joomla! bug squad; the solution is now available from Subversion.

So what do you need to do until we release Joomla! 1.5.1?

All Joomla! users who have enabled the XML-RPC Blogger API plugin should disable it!
If you have never enabled this plugin you do not need to do anything.

Progress toward 1.5.1

Besides this security fix we have been working on fixing other issues that were found after we released Joomla! 1.5. Let's share the 1.5.1 highlights thus far:
- Fixed XML-RPC/Blogger security issue.
- Fix to sef issues including creation of optional livesite parameter if needed which will also allow reverse proxy.
- Change to mass mail so that blind carbon is used, protecting email addresses of your users.
- Fix to date function that was causing an error in the end publication date for some systems.
- Fixed UTF 8 database detection
- Addressed a number of internationalization issues.
- Fixes to a number of minor issues
More help?
Thanks to all who have contributed issue reports, comments, suggestions and patches and for those who have tested proposed patches. You can help by following the tracker. In particular, you can help by:
- confirming or disconfirming open issues,
- proposing solutions (preferably with a patch file) for confirmed issues
- testing patches associated with pending issues.
And of course you can join the Joomla! bug squad if you want to help out on a regular basis.

Admin note: These bugs are fixed in the Joomla daily svn files!

Changelog since Joomla 1.5 stable core:

05-Feb-2008 Anthony Ferrara
# Fixed [9552] Added missing DOMMIT files
# Fixed [9620] When trying to login, the site returns 'Invalid Token'
# Added live_site parameter to config, and JURI::base override (fixes SEF and proxy issues)

05-Feb-2008 Ian MacLennan
# Fixed [9512] Removed superfluous references to JUser
# Fixed [9596] Incorrect language string in Beez
# Fixed [9257] Fixed comments in index.php and administrator/index.php
# Fixed [9399] XMLRPC Blogger more_text tag problem
* Fixed [9406] XMLRPC Blogger API

05-Feb-2008 Andrew Eddie
# Turned XML-RPC server off by default

04-Feb-2008 Wilco Jansen
# Fixed [9111] error.php contains a relative url to Home Page (Thanks Jens)
# Fixed [9516] Links in archive module don't work with SEF (Thanks Jens)
# Fixed [9211] Installation always falling back to joomla_backwards.sql (Thanks Jens)

01-Feb-2008 Ian MacLennan
# Fixed [#9320] Problem with allowing HTML in requests [patch] (Thanks Jens)

01-Feb-2008 Anthony Ferrara
* Fixed remote execution vulnerability in phpmailer
# [#6730] batchQuery() Bug: Broken splitting function
# [#8776] Mass Email BCC option (Thanks JM)

30-Jan-2008 Anthony Ferrara
# Fixed htaccess instructions (referring to a second section that was removed)
# [topic,257873] Fixed possible notice with com_content router
# [#9518] When creating menu item for a poll, you cannot select poll (Thanks Ian MacLennan)
# [#9383] Search for contacts generates bad links (Thanks Jens-Christian Skibakk)
# [#9426] PopUp Url link broken

29-Jan-2008 Ian MacLennan
# Fixed [#9342] Poll goes 404 after voting - fixed redirect URL.

28-Jan-2008 Anthony Ferrara
# Fixed memcache session driver config param loading (changed it to work like cache driver)
# [#9225] Typo in joomla_backwards.sql (Thanks Jens-Christian Skibakk)
# [#8823] Modules don't show up when eAccelerator is enabled (Thanks Dalibor Karlovic)

28-Jan-2008 Robin Muilwijk
# Fixed [#9472] Session not cleared properly
# Fixed [#9291] Error in call method
# Fixed [#9251] Additional double quote in weblink's template
# Fixed [#8173] Problem with preg_quote in function utf8_ireplace

27-Jan-2008 Wilco Jansen
^ Remove the installation check
# [9401] Help in backend showing 404 [Patch], thanks Jens-Christian Skibakk for the patch
# [9412] publish_down is initialized to 1970 in some environments, thanks Kevin for the patch

-------------------- 1.5.0 Stable Release [21-January-2008] ---------------------

Download Joomla 1.5 Nightly Builds
Last Updated ( Wednesday, 13 February 2008 15:34 )