TCH-Thomas

Joomla! Multiple Vulnerabilities


Secunia writes

Description:

Multiple vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose system information and potentially bypass certain security restrictions.

 

1) Some unspecified input passed in the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

 

2) It is possible to disclose the full path to the installation via the syndication component and mod_templatechooser.

 

3) Access to certain resources is not properly restricted.

 

It is also possible to create arbitrary files in the "cache" directory.

 

The vulnerabilities have been reported in version 1.0.7. Prior versions may also be affected.

 

Solution:

Update to version 1.0.8.

http://forge.joomla.org/sf/go/projects.joo...oomla_1_0.1_0_8
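As an added example (not from the Secunia advisory, this thread, or the Joomla project), the following POSIX shell script reports whether a Joomla 1.0.x web root is still below 1.0.8, the release the advisory names as the fix. It assumes that Joomla 1.0.x records its version in includes/version.php as the two lines var $RELEASE = '1.0'; and var $DEV_LEVEL = '7'; (check that against your own install). The version compare is numeric per dotted component, so a later 1.0.10 sorts above 1.0.8, which a plain string compare would get wrong. The sample web root it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread, Secunia or the Joomla project:
# report whether a Joomla 1.0.x web root is still below the release the
# advisory names as fixed (1.0.8).
# ASSUMPTION: Joomla 1.0.x records its version in includes/version.php as
#     var $RELEASE   = '1.0';
#     var $DEV_LEVEL = '7';
# Check this layout against your own install before relying on the script.
set -eu

FIXED_VERSION="1.0.8"

# Pull one single-quoted PHP value ($RELEASE or $DEV_LEVEL) out of version.php.
php_var() {
    awk -F"'" -v key="$2" '$0 ~ ("\\$" key "[[:space:]]*=") { print $2; exit }' "$1"
}

# Print the installed version as RELEASE.DEV_LEVEL, e.g. 1.0.7.
joomla_version() {
    ver_file="$1/includes/version.php"
    [ -f "$ver_file" ] || { echo "no includes/version.php under $1" >&2; return 1; }
    release=$(php_var "$ver_file" RELEASE)
    devlevel=$(php_var "$ver_file" DEV_LEVEL)
    if [ -z "$release" ] || [ -z "$devlevel" ]; then
        echo "could not parse $ver_file" >&2
        return 1
    fi
    echo "$release.$devlevel"
}

# Numeric dotted-version compare: prints -1, 0 or 1 for a <, =, > b.
# "1.0.10" must sort above "1.0.8", so a plain string compare is not enough.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# Exit status 0 when the install is at or above FIXED_VERSION, 1 when it is
# older, 2 when the version could not be determined.
check_joomla() {
    v=$(joomla_version "$1") || return 2
    if [ "$(vercmp "$v" "$FIXED_VERSION")" = "-1" ]; then
        echo "$1: Joomla $v is below $FIXED_VERSION, update required"
        return 1
    fi
    echo "$1: Joomla $v is at or above $FIXED_VERSION"
}

# Constructed sample web root (only includes/version.php) standing in for a
# real install; the DEV_LEVEL is taken from the first argument.
make_sample_root() {
    dir=$(mktemp -d)
    mkdir -p "$dir/includes"
    cat > "$dir/includes/version.php" <<EOF
<?php
class version {
    var \$PRODUCT   = 'Joomla!';
    var \$RELEASE   = '1.0';
    var \$DEV_LEVEL = '$1';
}
?>
EOF
    echo "$dir"
}

# Usage: sh check_joomla.sh /path/to/webroot
if [ -n "${1:-}" ]; then
    check_joomla "$1"
fi
```

Run it against each web root on the account; an exit status of 1 means the advisory applies, 2 means the tree is not a Joomla 1.0.x install in the assumed layout.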


Thanks for the heads up Thomas. I'm developing a site in Joomla! now, so this is very timely!


Thanks Thomas

 

I am thinking about using Joomla and this is good information.


Thanks Thomas, I use Joomla on several sites and hadn't checked the home page for a couple of weeks!

 

Joomla is by far the best CMS that I have come across!

 

JimE


Quick question.

 

I see this refers to an older version of Joomla so it's not an issue for right now, but ... assuming we use Fantastico to install our Joomla installs here ... does that mean TCH will do all future upgrades when new releases are available?

 

If not, what will the upgrade process be?

 

Sorry if this has been asked before.

 

Thanks, kj


TCH does not control when cPanel or Fantastico release updates to the packages they include. It is the user's responsibility to be sure their sites are secure. So if you are using any of the scripts provided, you should also learn how to manually apply patches as they are released.

> TCH does not control when cPanel or Fantastico release updates to the packages they include. It is the user's responsibility to be sure their sites are secure. So if you are using any of the scripts provided, you should also learn how to manually apply patches as they are released.

 

Thanks Bruce, that makes sense. However, in my experience, the updates often require running special scripts once the archive is uncompressed (and other steps are taken, i.e., deleting certain existing files, not all). I'm thinking about WordPress specifically here.

 

Just wondering how this all will work.

 

-kj-


I've never installed Joomla so I don't know how difficult or easy it is to update. But I have updated WordPress many times and it was never difficult.

> I've never installed Joomla so I don't know how difficult or easy it is to update. But I have updated WordPress many times and it was never difficult.

 

I'm totally with you. What I am not sure about is how the upgrade process will CHANGE as a result of Fantastico, that's all. You know what WordPress requires (deleting certain folders and not others); I just am not sure how it will work with Fantastico.

 

-kj-


You are welcome.

This is a good idea for most scripts where it is active and you don't want to mess it up.

> What I am not sure about is how the upgrade process will CHANGE as a result of Fantastico, that's all. You know what WordPress requires (deleting certain folders and not others); I just am not sure how it will work with Fantastico.

 

Hi kj,

Fantastico adds the ability for a "quick install" of applications without having to read any documentation first. It gets you up and running with just a few clicks, anything after that is up to you.

If you decide to use the installed package on your site, that's when you have to read the software documentation and install updates according to those instructions.

 

If WordPress (or any app for that matter) is already installed and running, Fantastico could install a version into another or test folder as Don suggests. However, you might want to watch out for default install settings (in Fantastico) that might interfere with your existing setup. You wouldn't want a test version of WordPress using your production WordPress database, for example.

 

Let us know how it goes?

 

Thanks
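The warning above about a test install silently sharing the production database can be checked mechanically before the test site is ever opened in a browser. The following POSIX shell script is an added example (not from the thread, TCH or the Joomla project) that compares the database host, database name and table prefix of two Joomla 1.0.x configuration.php files and fails when all three match. It assumes Joomla 1.0.x stores those settings as $mosConfig_host, $mosConfig_db and $mosConfig_dbprefix in configuration.php; verify the names against your own file. The sample configuration files it writes are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or the Joomla project: confirm that
# a second (test) Joomla install does not point at the production database.
# ASSUMPTION: Joomla 1.0.x stores its database settings in configuration.php
# as lines such as
#     $mosConfig_host = 'localhost';
#     $mosConfig_db   = 'example_joomla';
#     $mosConfig_dbprefix = 'jos_';
# Verify those variable names against your own configuration.php.
set -eu

# Print the single-quoted value of one $mosConfig_* setting from a configuration.php.
# The trailing "[[:space:]]*=" keeps $mosConfig_db from matching $mosConfig_dbprefix.
mos_setting() {
    awk -F"'" -v key="$2" '$0 ~ ("\\$" key "[[:space:]]*=") { print $2; exit }' "$1"
}

# Exit 0 when the two configuration files target different data (different
# host, database name or table prefix), 1 when a write to one site would land
# in the other's tables.
db_targets_distinct() {
    for key in mosConfig_host mosConfig_db mosConfig_dbprefix; do
        a=$(mos_setting "$1" "$key")
        b=$(mos_setting "$2" "$key")
        [ "$a" = "$b" ] || return 0
    done
    echo "$2 shares database '$(mos_setting "$2" mosConfig_db)' and prefix '$(mos_setting "$2" mosConfig_dbprefix)' with $1" >&2
    return 1
}

# Constructed configuration.php fragments standing in for real ones.
# Arguments: database name, table prefix.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<EOF
<?php
\$mosConfig_offline = '0';
\$mosConfig_host = 'localhost';
\$mosConfig_user = 'example_user';
\$mosConfig_db = '$1';
\$mosConfig_dbprefix = '$2';
?>
EOF
    echo "$f"
}

# Usage: sh db_check.sh /path/to/prod/configuration.php /path/to/test/configuration.php
if [ $# -eq 2 ]; then
    db_targets_distinct "$1" "$2"
fi
```

A differing table prefix alone is treated as distinct, since Joomla keys every table on that prefix; if you would rather insist on a separate database for the test copy, drop mosConfig_dbprefix from the list of keys compared.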


Only replying here for future reference in case others are reading this: when installing Joomla in Fantastico, for example, the Joomla setup does ask you for some database info that you do have to type in.

It is not totally automated. (maybe :) )

And that part is not really user friendly either. I found you create the database and user name, then read what the name is, because it's not what you typed, then type that into the Joomla setup.

:)

 

I am updating mine tomorrow, let you guys know if I have problems or ideas.

Edited by getitdone

