NYCPHP Meetup

NYPHP.org

[joomla] New Joomla release 1.5.13: Joomla! Security News

Anthony Ferrara ircmaxell at yahoo.com
Thu Jul 23 19:28:51 EDT 2009


Don't hold off.  The 2nd security issue is critical...

--- On Thu, 7/23/09, Stephen Burge <steve at joomlatraining.com> wrote:

> From: Stephen Burge <steve at joomlatraining.com>
> Subject: Re: [joomla] New Joomla release 1.5.13: Joomla! Security News
> To: NYPHP at lists.nyphp.org, SIG at lists.nyphp.org
> Date: Thursday, July 23, 2009, 10:56 AM
> I believe there's a couple of bugs with the 1.5.13 release:
> http://forum.joomla.org/viewtopic.php?f=430&t=423159
> 
> Might be good to hold off for 24 / 48 hours before updating. The Bug
> Squad is apparently busy getting the fixes ready.
> 
> Steve
> 
> 
> 
> Mitch Pirtle wrote:
> > Thanks Donna, I missed this totally in my avalanche of work and deadlines.
> >
> > -- Mitch
> >
> > On Thu, Jul 23, 2009 at 8:38 AM, Donna Marie Vincent <donnamarievincent at yahoo.com> wrote:
> >   
> >> Joomla! Security News
> >>
> >> ________________________________
> >>
> >> [20090722] - Core - Missing JEXEC Check
> >>
> >> Posted: 22 Jul 2009 04:36 PM PDT
> >>
> >> Project: Joomla!
> >> SubProject: Framework
> >> Severity: Moderate
> >> Versions: 1.5.12 and all previous 1.5 releases
> >> Exploit type: XSS
> >> Reported Date: 2009-July-21
> >> Fixed Date: 2009-July-22
> >>
> >> Description
> >>
> >> Some files were missing the check for JEXEC. These scripts will then expose
> >> internal path information of the host.
> >>
> >> Affected Installs
> >>
> >> All 1.5.x installs prior to and including 1.5.12 are affected.
> >>
> >> Solution
> >>
> >> Upgrade to latest Joomla! version (1.5.13 or newer).
> >>
> >> Reported by Juan Galiana Lara (Internet Security Auditors)
> >>
> >> Contact
> >>
> >> The JSST at the Joomla! Security Center.
> >>
> >> [20090722] - Core - File Upload
> >>
> >> Posted: 22 Jul 2009 04:17 PM PDT
> >>
> >> Project: Joomla!
> >> SubProject: TinyMCE editor
> >> Severity: Critical
> >> Versions: 1.5.12
> >> Exploit type: Image File upload
> >> Reported Date: 2009-July-22
> >> Fixed Date: 2009-July-22
> >>
> >> Description
> >>
> >> Tiny browser included with TinyMCE 3.0 editor allowed files to be uploaded
> >> and removed without logging in.
> >>
> >> Affected Installs
> >>
> >> Version 1.5.12 only
> >>
> >> Solution
> >>
> >> Upgrade to latest Joomla! version (1.5.13 or newer).
> >>
> >> Reported by Patrice Lazareff.
> >>
> >> Contact
> >>
> >> The JSST at the Joomla! Security Center.
> >>
> >> _______________________________________________
> >> New York PHP SIG: Joomla! Mailing List
> >> http://lists.nyphp.org/mailman/listinfo/joomla
> >>
> >> NYPHPCon 2006 Presentations Online
> >> http://www.nyphpcon.com
> >>
> >> Show Your Participation in New York PHP
> >> http://www.nyphp.org/show_participation.php
> >>
> >>     
> 
> 
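
Added example, not part of the original thread and not Joomla's own code: a small Python audit for the "Missing JEXEC Check" issue in the quoted advisory, listing PHP files under a directory that lack the guard or run code before it. The regular expressions, status names and the sample tree are assumptions made for this illustration.

```python
import re
import tempfile
from pathlib import Path

# Guard idiom of Joomla 1.5 files: defined('_JEXEC') or die('Restricted access');
# JPATH_BASE is accepted as well (an assumption of this audit).
GUARD = re.compile(
    r"""defined\s*\(\s*['"](?:_JEXEC|JPATH_BASE)['"]\s*\)\s*(?:or|\|\|)\s*(?:die|exit)\b""", re.I)
# Entry points such as index.php define _JEXEC themselves and are meant to be requested.
ENTRY = re.compile(r"""\bdefine\s*\(\s*['"]_JEXEC['"]""", re.I)
# Heuristic comment stripper, so a commented-out guard does not count.
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.S)

def classify(source):
    """Return 'entry', 'guarded', 'late' or 'missing' for one PHP source string."""
    code = COMMENTS.sub("", source)
    if ENTRY.search(code):
        return "entry"
    match = GUARD.search(code)
    if match is None:
        return "missing"
    # Anything other than the open tag before the guard still runs on a direct request.
    return "guarded" if re.fullmatch(r"\s*<\?php\s*", code[:match.start()]) else "late"

def audit(root):
    """Map relative path -> status for each .php file under root that is not cleanly guarded."""
    root, findings = Path(root), {}
    for path in sorted(root.rglob("*.php")):
        status = classify(path.read_text(encoding="utf-8", errors="replace"))
        if status in ("missing", "late"):
            findings[path.relative_to(root).as_posix()] = status
    return findings

# Constructed sample tree (not real Joomla files), written to a temp dir by demo().
SAMPLE = {
    "index.php": "<?php\ndefine('_JEXEC', 1);\nrequire 'includes/framework.php';\n",
    "components/com_a/a.php": "<?php\n/** header */\n// no direct access\ndefined( '_JEXEC' ) or die( 'Restricted access' );\necho 'ok';\n",
    "plugins/editors/helper.php": "<?php\nrequire_once dirname(__FILE__).'/lib.php';\n",
    "plugins/editors/commented.php": "<?php\n// defined('_JEXEC') or die();\nrequire_once 'x.php';\n",
    "libraries/late.php": "<?php\nrequire_once 'x.php';\ndefined('JPATH_BASE') or die();\n",
}

def demo():
    with tempfile.TemporaryDirectory() as tmp:
        for rel, body in SAMPLE.items():
            target = Path(tmp, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body, encoding="utf-8")
        return audit(tmp)
```

Run `audit()` against a copy of the site's document root; files it flags are candidates for review, since the comment stripping is regex-based and can misjudge unusual files.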


      


