Hi there,
I need to consider moving to the latest Joomla at some point, but at the moment it's just too much work considering I have Docman and JACL Plus running with a lot of access levels and documentation.
My question is therefore: is the current Joomla 1.0.15 still safe enough to leave as is? I have the site over https and on an internal server.
Thanks
sz
1.0.15 IS IT STILL SECURE?
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
- Tonie
- Joomla! Master
- Posts: 16584
- Joined: Thu Aug 18, 2005 7:13 am
Re: 1.0.15 IS IT STILL SECURE?
Joomla! 1.0.15 will be supported until 22 July of this year. There are no security issues, and have not been for a long time.
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
Re: 1.0.15 IS IT STILL SECURE?
Okay thanks for that.
Re: 1.0.15 IS IT STILL SECURE?
NO IT IS NOT SECURE!!
At least one vulnerability exists in the core search module as of July 2011:
http://securityvulns.com/Zdocument452.html
- beededea
- Joomla! Hero
- Posts: 2809
- Joined: Wed Oct 31, 2007 3:48 pm
- Location: Victorian England 1885
Re: 1.0.15 IS IT STILL SECURE?
Joomla 1.0.15 is generally secure if your extensions are secure, you run on a secure server and back up regularly. At least that is my experience. With regard to dpk's post, I had previously made these changes to search.php and search.html.php which fixed this vulnerability.
components/com_search/search.php line 119 (approx.)
comment out these lines:
//$ordering = mosGetParam( $_REQUEST, 'ordering', 'newest');
//$ordering = preg_replace( '/[^a-z]/', '', strtolower( $ordering ) );
replaced with these:
$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest') ) );
$ordering = preg_replace( '/[^a-z]/', '', strtolower( $ordering ) );
$ordering = preg_replace( '~^(\w+).*$~', '\1', $ordering );
//$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);
and components/com_search/search.html.php: (line 124 approx)
$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest' ) ) );
add the new line just after as shown below:
$ordering = strtolower( strval( mosGetParam( $_REQUEST, 'ordering', 'newest' ) ) );
$ordering = preg_replace( '~^(\w+).*$~', '\1', $ordering );
//$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);
I got these from a site somewhere a long, long time ago so I take no credit for the changes. I had also previously added:
$ordering = filter_var($ordering, FILTER_SANITIZE_STRING);
but I commented it out as filter_var was not supported on PHP 5.1, but it might also help if you are on PHP 5.1+ as you probably will be.
Yereverluvinunclebert
Steampunk widgets. Platforms of choice: Joomla 1.0/1.5, Joostina 1.2, OSCommerce
Site aims: Optimisation, Security and Solidity
http://widgets.yahoo.com/widgets/steamp ... k-calendar
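An added example, not part of the original posts and not Joomla's own code: it runs the two regex clean-ups quoted in the post above over constructed inputs and compares them with an allowlist check, which never returns anything outside a fixed set. The function names are hypothetical, `mosGetParam()` is left out so the script runs stand-alone, and the list of allowed orderings is an assumption about what the search form offers.

```php
<?php
// Added illustration, not Joomla code. All function names are hypothetical.

// The replacement lines posted for search.php, applied to a raw string.
function ordering_search_php(string $raw): string {
    $o = strtolower(strval($raw));
    $o = preg_replace('/[^a-z]/', '', $o);        // drop everything except a-z
    return preg_replace('~^(\w+).*$~', '\1', $o); // keep the leading word
}

// The lines posted for search.html.php: only the second pattern is applied.
function ordering_search_html_php(string $raw): string {
    $o = strtolower(strval($raw));
    // preg_replace() rewrites the value only when the pattern matches,
    // i.e. when the string starts with a word character. A value that
    // starts with anything else is returned unchanged.
    return preg_replace('~^(\w+).*$~', '\1', $o);
}

// Allowlist alternative: the result is always one of a fixed set of values.
// ASSUMPTION: these are the orderings the search form offers.
function ordering_allowlist(string $raw, string $default = 'newest'): string {
    $allowed = array('newest', 'oldest', 'popular', 'alpha', 'category');
    $o = strtolower(trim($raw));
    return in_array($o, $allowed, true) ? $o : $default;
}

// Constructed sample inputs (not taken from any real request).
$samples = array('newest', 'Popular', 'alpha beta', '-alpha', 'zzz');

printf("%-14s %-12s %-12s %s\n", 'input', 'search.php', 'html.php', 'allowlist');
foreach ($samples as $s) {
    printf("%-14s %-12s %-12s %s\n",
        var_export($s, true),
        ordering_search_php($s),
        ordering_search_html_php($s),
        ordering_allowlist($s));
}
```

The row for `'-alpha'` is the one to look at: the search.html.php variant passes it through unchanged because the pattern does not match, while the allowlist falls back to the default.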
- beededea
- Joomla! Hero
- Posts: 2809
- Joined: Wed Oct 31, 2007 3:48 pm
- Location: Victorian England 1885
Re: 1.0.15 IS IT STILL SECURE?
Doh! here it is - http://forum.joomla.org/viewtopic.php?p=2415259
Yereverluvinunclebert
-
- Joomla! Explorer
- Posts: 256
- Joined: Thu Jul 05, 2007 10:41 am
Re: 1.0.15 IS IT STILL SECURE?
Hey thanks for the advice and feedback, much appreciated. 
