Joomla Security Related Announcements (26 June 2006 last announcement)

Discussion regarding Joomla! security issues.

Moderator: General Support Moderators

stingrey
Joomla! Hero
Posts: 2756
Joined: Mon Aug 15, 2005 4:36 pm
Location: Marikina, Metro Manila, Philippines

Joomla Security Related Announcements (26 June 2006 last announcement)

Post by stingrey » Tue Feb 21, 2006 10:13 pm

2006-02-21 - Joomla! 1.0.x is not affected by recent Mambo Vulnerability

There is some concern in the community about the recent vulnerability that affects the Mambo codebase as announced on the Mambo homepage and here:
http://forum.mamboserver.com/showthread ... post335532

Our internal testing and direct contact with GulfTech Research And Development - the discoverer of the Mambo vulnerability - has confirmed that the vulnerability does NOT affect the Joomla! 1.0.x codebase. This security weakness was addressed in Joomla! 1.0.0.

However, you need to ensure that you are at least running Joomla! 1.0.4, as 1.0.3 and below are vulnerable to an unrelated Critical Level security threat as explained in the 1.0.4 release article:
http://www.joomla.org/content/view/498/74/
Critical is Joomla!'s highest security rating and represents a security vulnerability that can lead to a site loss.

1.0.8 will be out very shortly and all Joomla! users should upgrade to this version.


This is a direct copy of my blog post here:
http://dev.joomla.org/component/option, ... d,33/p,35/
Last edited by Hackwar on Thu Jul 13, 2006 10:27 am, edited 1 time in total.
Rey Gigataras
http://www.wizmediateam.com <-- great team of talented Web Designers and Programmers!
http://about.me/reygigataras <-- About Me :)
Partner, Business Development & Project Manager, Event Manager, Sports Coach :D

2006-02-20 - Joomla not affected by report about Linux worm targeting Mambo

Post by stingrey » Wed Feb 22, 2006 6:14 pm

2006-02-20 - Joomla not affected by report about Linux worm targeting Mambo

There is some concern in the community about recent reports in the electronic press about a Linux worm that utilizes a security flaw in Mambo, reported by F-Secure, as can be seen in these 2 reports:
http://www.theregister.co.uk/2006/02/20/linux_worm/
http://www.infoworld.com/article/06/02/ ... 2006-02-27



This is an OLD vulnerability.
This vulnerability does NOT affect the latest versions of Mambo or Joomla!

It also has NOTHING to do with a recent vulnerability in Mambo found by Gulftech, which I blogged here:
http://dev.joomla.org/component/option, ... d,33/p,35/

This vulnerability only affects Mambo 4.5.2.0 and was fixed in Mambo 4.5.2.1 on 25th of February 2005:
http://secunia.com/advisories/14337



This means this is a bug now a year old. The only way this vulnerability can be exploited is if you are using Mambo 4.5.2.0 - if you are, you MUST upgrade to the latest version of Mambo, which is Mambo 4.5.3h + security patch 1. Otherwise I would suggest migrating to Joomla 1.0.7, the instructions for which can be found here:
http://help.joomla.org/content/view/818/132/



This is an exact copy of my blog here:
http://dev.joomla.org/component/option, ... d,33/p,36/
Last edited by Tonie on Sun Apr 16, 2006 9:59 am, edited 1 time in total.

2006-03-03 - Latest Secunia Advisory is based on 1.0.8 Release information

Post by stingrey » Fri Mar 03, 2006 6:41 pm

2006-03-03 - Latest Secunia Advisory is based on 1.0.8 Release information

http://dev.joomla.org/component/option, ... d,33/p,56/
Secunia has released a new security advisory, however if you are running Joomla! 1.0.8 you have NOTHING to worry about:
http://secunia.com/advisories/19105/

In fact their advisory is based on our official Joomla! 1.0.8 Release information, as can be read via this line:
  Provided and/or discovered by:
    Reported by the vendor.

Basically it means that they have taken our information here
http://www.joomla.org/content/view/940/74/1/3/
to create their report.

So if you are running Joomla! 1.0.8, NONE of these vulnerabilities affect you, as 1.0.8 was specifically released to correct these vulnerabilities.
Last edited by Tonie on Sun Apr 16, 2006 10:00 am, edited 1 time in total.

2006-03-13 - Joomla! 1.0.3 and below is vulnerable to a CRITICAL Security flaw

Post by stingrey » Mon Mar 13, 2006 5:52 pm

2006-03-13 - Joomla! 1.0.3 and below is vulnerable to a CRITICAL Security flaw
If you are running Joomla! 1.0.3, 1.0.2, 1.0.1 or 1.0.0 then you MUST upgrade to at LEAST 1.0.4

Joomla! 1.0.3 and below are vulnerable to a CRITICAL LEVEL security threat.
Critical is the highest security rating we give to a vulnerability.

This vulnerability can lead to your site being hacked/attacked by malicious users and lead to a loss of control of your site.
There have been confirmed reports of sites running these versions of Joomla! being attacked by this vulnerability and there are automated scripts that parse the internet and automatically test sites for this vulnerability - even non-Joomla sites.

We highly recommend you upgrade to the latest version of Joomla!:
http://www.joomla.org/content/blogcategory/32/66/

The succeeding versions of Joomla! have additional lower level security fixes.
Last edited by Tonie on Sun Apr 16, 2006 10:00 am, edited 1 time in total.

Hackwar
Joomla! Virtuoso
Posts: 3748
Joined: Fri Sep 16, 2005 8:41 pm
Location: NRW - Germany

Re: Joomla Security Related Announcements (26 June 2006 last announcement)

Post by Hackwar » Thu Jul 13, 2006 10:26 am

In all Joomla! versions up to 1.0.9 there have been two security vulnerabilities. One of these was a High Level Security threat, therefore we strongly advise you to upgrade to at least 1.0.10!!

Vulnerabilities:

SQL Injection into Weblinks component
This vulnerability is of a very critical nature and could allow people direct access to your site. This also affects your site when the component is not published! Read more about it here. This has been fixed in Joomla! 1.0.10!

XSS Cross-Site Scripting vulnerability
This is a Low Level security threat. Read more about it here

We highly recommend you upgrade to the latest version of Joomla!:
http://www.joomla.org/content/blogcategory/32/66/

The succeeding versions of Joomla! have additional lower level security fixes.
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.
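
An added example, not part of the original posts and not Joomla!'s own code: a triage check that maps an installed Joomla! 1.0.x version to the announcements in this thread. It compares versions numerically, because a plain string comparison ranks 1.0.10 below 1.0.4. The function names and issue labels are assumptions made here; the fixed-in releases and ratings are the ones the posts state.

```python
import re

# (first fixed release, rating, issue) as stated in the announcements above.
# Ratings appear only where a post gives one; the issue wording is paraphrased.
ADVISORIES = [
    ((1, 0, 4), "Critical", "flaw affecting 1.0.3 and below"),
    ((1, 0, 8), "not rated in the post", "issues listed in Secunia advisory 19105"),
    ((1, 0, 10), "High", "SQL injection in the Weblinks component"),
    ((1, 0, 10), "Low", "XSS cross-site scripting"),
]


def parse_version(text):
    """Turn '1.0.10' into (1, 0, 10); reject anything that is not x.y.z."""
    match = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\s*", text)
    if match is None:
        raise ValueError(f"not a three-part version: {text!r}")
    return tuple(int(part) for part in match.groups())


def open_advisories(installed):
    """Return (rating, issue) pairs from this thread not yet fixed in `installed`."""
    version = parse_version(installed)
    if version[:2] != (1, 0):
        raise ValueError("the announcements cover Joomla! 1.0.x only")
    # Tuple comparison is numeric per component, so (1, 0, 10) > (1, 0, 9).
    return [(rating, issue) for fixed, rating, issue in ADVISORIES if version < fixed]


if __name__ == "__main__":
    # Constructed sample inventory of installed versions.
    for installed in ("1.0.3", "1.0.7", "1.0.9", "1.0.10"):
        findings = open_advisories(installed)
        print(installed, "->", findings if findings else "no open issue from this thread")
```
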

