
1.0.15 IS IT STILL SECURE?

Posted: Tue Feb 03, 2009 11:50 am
by szonkie
Hi there,

I need to consider moving to the latest Joomla at some point, but at the moment it's just too much work considering I have Docman and JACL Plus running with a lot of access levels and documentation.
My question is therefore: is the current Joomla 1.0.15 still safe enough to leave as is? I have the site over https and on an internal server.

Thanks
sz

Re: 1.0.15 IS IT STILL SECURE?

Posted: Tue Feb 03, 2009 11:55 am
by Tonie
Joomla! 1.0.15 will be supported until 22 July of this year. There are no security issues, and have not been for a long time.

Re: 1.0.15 IS IT STILL SECURE?

Posted: Tue Feb 03, 2009 12:14 pm
by szonkie
Okay thanks for that.

Re: 1.0.15 IS IT STILL SECURE?

Posted: Tue Nov 15, 2011 6:49 pm
by deleted user
NO IT IS NOT SECURE!!

At least one vulnerability exists in the core search module as of July 2011:
http://securityvulns.com/Zdocument452.html

Re: 1.0.15 IS IT STILL SECURE?

Posted: Wed Nov 16, 2011 10:13 pm
by beededea
Joomla 1.0.15 is generally secure if your extensions are secure, you run on a secure server and back up regularly. At least that is my experience. With regard to dpk's post, I had previously made these changes to search.php and search.html.php which fixed this vulnerability.

components/com_search/search.php line 119 (approx.)
comment out these lines:

//$ordering = mosGetParam( $_REQUEST, 'ordering', 'newest');
//$ordering = preg_replace( '/[^a-z]/', '', strtolower( $ordering ) );

replaced with these:

$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest') ) );
$ordering = preg_replace( '/[^a-z]/', '', strtolower( $ordering ) );
$ordering = preg_replace( '~^(\w+).*$~', '\1', $ordering );
//$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);

and components/com_search/search.html.php: (line 124 approx)

$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest' ) ) );

add the new line just after as shown below:

$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest' ) ) );
$ordering = preg_replace( '~^(\w+).*$~', '\1', $ordering );
//$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);

I got these from a site somewhere a long, long time ago so I take no credit for the changes. I had also previously added:

$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);

but I commented it out as filter_var was not supported on PHP 5.1, but it might also help if you are on PHP 5.1+, as you probably will be.
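
An added example, not part of the post above and not Joomla's own code: the same lowercase-and-strip steps applied to the `ordering` request value, followed by a strict allowlist check so that only a known sort key ever reaches the component. The helper name `normalize_ordering()` is hypothetical, and the list of valid keys is an assumption about the options the 1.0 search form offers.

```php
<?php
// Added example. normalize_ordering() is a hypothetical helper, not a Joomla function.
function normalize_ordering($raw, $default = 'newest')
{
    // Assumption: these are the sort keys the 1.0 search form offers.
    static $allowed = array('newest', 'oldest', 'popular', 'alpha', 'category');

    // ?ordering[]=x arrives as an array; reject it instead of casting it.
    if (!is_string($raw)) {
        return $default;
    }

    // Same first steps as the patch in the post: lowercase, keep a-z only.
    $value = preg_replace('/[^a-z]/', '', strtolower($raw));

    // Whatever survives must be exactly one of the known keys.
    return in_array($value, $allowed, true) ? $value : $default;
}

// Constructed sample inputs, standing in for $_REQUEST['ordering'].
$samples = array(
    'popular',                 // valid key, passes through
    'ALPHA',                   // case is normalised
    'newest"><b>x</b>',        // markup is stripped, remainder is not a key
    'category UNION SELECT 1', // extra tokens leave an unknown word
    array('oldest'),           // array parameter
    '',                        // empty value
);

foreach ($samples as $sample) {
    printf("%-32s => %s\n",
        str_replace("\n", '', var_export($sample, true)),
        normalize_ordering($sample));
}
```

Only the first two samples keep their value; every other input falls back to `newest`, so the value used later in the query and echoed back into the search form is always one of the five known keys.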

Re: 1.0.15 IS IT STILL SECURE?

Posted: Wed Nov 16, 2011 11:03 pm
by beededea

Re: 1.0.15 IS IT STILL SECURE?

Posted: Thu Nov 17, 2011 9:35 am
by szonkie
Hey thanks for the advice and feedback, much appreciated. :D