Joomla! Multiple Vulnerabilities

[TCH-Thomas]

Secunia writes

Description:

Multiple vulnerabilities have been reported in Joomla!, which can be exploited by malicious users to conduct SQL injection attacks, and by malicious people to disclose system information and potentially bypass certain security restrictions.

 

1) Some unspecified input passed in the administration section isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

 

2) It is possible to disclose the full path to the installation via the syndication component and mod_templatechooser.

 

3) Access to certain resources is not properly restricted.

 

It is also possible to create arbitrary files in the "cache" directory.

 

The vulnerabilities have been reported in version 1.0.7. Prior versions may also be affected.

 

Solution:

Update to version 1.0.8.

http://forge.joomla.org/sf/go/projects.joo...oomla_1_0.1_0_8

[TCH-Bruce]

Thanks Thomas

[TCH-Rob]

Thanks Thomas

[stevevan]

Thanks for the heads up Thomas. I'm developing a site in Joomla! now, so this is very timely!

[TCH-Don]

Thanks Thomas

[Prel]

Thank´s Thomas

 

I am thinking about using Jommla and this is a good information .

[TCH-JimE]

Thanks Thomas, I use Joomla on several sites and hadn't checked the home page for a couple of weeks!

 

Joomla is far the best CMS that I have come across!

 

JimE

[kjarrett]

Quick question.

 

I see this refers to an older version of Joomla so it's not an issue for right now, but ... assuming we use Fantastico to install our Joomla's here ... does that mean TCH will do all future upgrades when new releases are available?

 

If not, what will the upgrade process be?

 

Sorry if this has been asked before.

 

Thanks, kj

[TCH-Bruce]

TCH does not control when cpanel or fantastico release updates to the packages they include. It is the users responsibility to be sure their sites are secure. So if you are using any of the scripts provided you should also learn how to manually apply patches as they are released.

[kjarrett]

TCH does not control when cpanel or fantastico release updates to the packages they include. It is the users responsibility to be sure their sites are secure. So if you are using any of the scripts provided you should also learn how to manually apply patches as they are released.

 

Thanks Bruce that makes sense, however, in my experience, the updates often require running of special scripts once the archive is uncompressed (and other steps are taken, i.e., deleting of certain existing files, not all). I'm thinking about Wordpress specifically here.

 

Just wondering how this all will work.

 

-kj-

[TCH-Bruce]

I've never installed Joomla so I don't know how difficult or easy it is to update. But I have updated Worpress many times and it was never difficult.

[kjarrett]

I've never installed Joomla so I don't know how difficult or easy it is to update. But I have updated Worpress many times and it was never difficult.

 

I'm totally with you - what I am not sure about is how the upgrade process will CHANGE as a result of Fantastico, that's all. You know what Wordpress requires - deleting certain folders and not others - I just am not sure how it will work with Fantastico.

 

-kj-

[TCH-Don]

You can always install another copy in a test folder and practice upgrading it.

[kjarrett]

I may give that a try, thanks Don!

[TCH-Don]

You are welcome

this is a good idea for most scripts where it is active and you don't want to mess it up.

[Kevan]

- what I am not sure about is how the upgrade process will CHANGE as a result of Fantastico, that's all. You know what Wordpress requires - deleting certain folders and not others - I just am not sure how it will work with Fantastico.

 

Hi kj,

Fantastico adds the ability for a "quick install" of applications without having to read any documentation first. It gets you up and running with just a few clicks, anything after that is up to you.

IF you decide to use the installed package on your site that's when you have to read the software documentation and install updates according to those instructions.

 

If Wordpress (or any app for that matter) is already installed and running, Fantastico could install a version into another or test folder as Don suggests. However, you might want to watch out for default install settings (in Fantastico) that might interfere with your existing setup. You wouldn't want a test version of Wordpress using your production Wordpress database for example.

 

Let us know how it goes?

 

Thanks

[getitdone]

only replying here for future reference in case others are reading this -- when installing joomla for example in Fantastico. to setup joomla it does ask you for some database info that you do have to type in.

it is not total automated. (maybe ))

and that part is not real user friendly either. I found create the database and user name, then read what the name is, cause it's not what you typed, then type that into joomla setup.

 

I am updating mine tomorrow, let you guys know if I have problems or ideas.

Edited April 17, 2006 by getitdone