[joomla] Fw: Joomla! Security News

ozzie sutcliffe oz.sutcliffe at gmail.com
Sat Jan 10 12:17:55 EST 2009


If you use the com object below, you can upgrade your site in one
click, and it will monitor Joomla for the latest and greatest.

Warning: If you have hacked any core files, they will be overwritten.

com_joomlaupdaterv1.4.0.zip

Ozzie

On Sat, Jan 10, 2009 at 9:19 AM, Donna Marie Vincent
<donnamarievincent at yahoo.com> wrote:
>
> ----- Forwarded Message ----
> From: Joomla! Developer - Vulnerability News <no_reply at joomla.org>
> To: donnamarievincent at yahoo.com
> Sent: Saturday, January 10, 2009 8:42:43 AM
> Subject: Joomla! Security News
>
> Joomla! Security News
>
> [20090102] - Core - plg_xstandard Directory Traversal
>
> Posted: 09 Jan 2009 08:22 AM PST
>
> Project: Joomla!
> SubProject: plg_xstandard
> Severity: High
> Versions: 1.5.8 and all previous 1.5 releases
> Exploit type: Directory Traversal
> Reported Date: 2009-January-7
> Fixed Date: 2009-January-9
>
> Description
>
> A crafted request can cause disclosure of the directory structure on the
> server (including any directory that php has access to).
>
> Affected Installs
>
> All 1.5.x installs prior to and including 1.5.8 are affected.
>
> Solution
>
> Upgrade to latest Joomla! version (1.5.9 or newer).
>
> Contact
>
> The JSST at the Joomla! Security Center.
>
> [20090101] - Core - JSession SSL Session Disclosure
>
> Posted: 09 Jan 2009 08:12 AM PST
>
> Project: Joomla!
> SubProject: framework
> Severity: Low
> Versions: 1.5.8 and all previous 1.5 releases
> Exploit type: Session Hijacking
> Reported Date: 2008-November-20
> Fixed Date: 2009-January-9
>
> Description
>
> When running a site under SSL ONLY (the entire site is forced to be under
> ssl), Joomla! does not set the SSL flag on the cookie.  This can allow
> someone monitoring the network to find the cookie related to the session.
> Please note that all data is still transferred securely.
>
> Affected Installs
>
> 1.5.8 and lower installs which are run with SSL only (no non-ssl access).
>
> Solution
>
> Upgrade to latest Joomla! version (1.5.8 or newer), and set force_ssl in
> global configuration. Alternatively, the php setting session.secure_cookie
> can be set in .htaccess or php.ini.  Joomla! (all versions) will respect
> this setting.
>
> Reported By Hanno Boeck
>
> Contact
>
> The JSST at the Joomla! Security Center.
>
> _______________________________________________
> New York PHP SIG: Joomla! Mailing List
> http://lists.nyphp.org/mailman/listinfo/joomla
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
>
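Added example, not part of Ozzie's post or of Joomla!'s own code: the advisory above says an SSL-only site leaks its session cookie because the cookie is issued without the secure flag. In PHP that flag is governed by the `session.cookie_secure` directive (the advisory's spelling `session.secure_cookie` is not a PHP directive name), and it must be set before `session_start()`. The snippet below shows the weak default next to the hardened setting, a helper that reports the effective flags so the fix can be verified, and a request check that refuses to start a session over plain HTTP. The function names and the `$trust_proxy` parameter are constructed for this example.

```php
<?php
// Added example: controlling the "secure" flag on the PHP session cookie.
// Assumes a site that is meant to be reachable over HTTPS only.

/**
 * Decide whether this request arrived over TLS. The X-Forwarded-Proto
 * header is honoured only when the reverse proxy in front is trusted.
 */
function request_is_https(array $server, bool $trust_proxy = false): bool
{
    if (!empty($server['HTTPS']) && strtolower($server['HTTPS']) !== 'off') {
        return true;
    }
    if ($trust_proxy && isset($server['HTTP_X_FORWARDED_PROTO'])) {
        return strtolower($server['HTTP_X_FORWARDED_PROTO']) === 'https';
    }
    return false;
}

/**
 * Weak configuration: the PHP default. With session.cookie_secure off the
 * browser will also send the session id on any http:// request to the host,
 * which is the exposure the advisory describes.
 */
function configure_session_weak(): void
{
    ini_set('session.cookie_secure', '0');
}

/**
 * Hardened configuration. Equivalent to putting
 *   session.cookie_secure = 1            in php.ini, or
 *   php_flag session.cookie_secure on    in .htaccess under mod_php.
 * Must run before session_start(); the cookie is issued at that point.
 */
function configure_session_secure(): void
{
    ini_set('session.cookie_secure', '1');
    ini_set('session.cookie_httponly', '1'); // keep the id away from page scripts too
}

/**
 * Report the effective cookie flags so an operator can confirm the fix
 * took effect (reads the same values session_start() will use).
 */
function session_cookie_flags(): array
{
    $p = session_get_cookie_params();
    return [
        'secure'   => (bool) $p['secure'],
        'httponly' => (bool) $p['httponly'],
    ];
}

if (PHP_SAPI === 'cli') {
    // Stand-alone check from the command line: compare both configurations.
    configure_session_weak();
    echo 'default:  ', json_encode(session_cookie_flags()), PHP_EOL;
    configure_session_secure();
    echo 'hardened: ', json_encode(session_cookie_flags()), PHP_EOL;
} else {
    // SSL-only site: never create a session over plain HTTP, redirect instead.
    if (!request_is_https($_SERVER)) {
        header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
        exit;
    }
    configure_session_secure();
    session_start();
}
```

Run it with `php example.php` to see the two configurations side by side; in a web context the redirect branch plus `configure_session_secure()` gives the same protection the advisory's `force_ssl` setting provides, since the cookie is never issued over an unencrypted connection and carries the secure flag when it is.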