Changes in version 1.0.11
This Release Contains the following 26 Security Fixes

Joomla! utilizes the Open Web Application Security Project (OWASP) Top Ten Project to categorize security vulnerabilities found within Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

---------------------------------------
04 HIGH Level Threats fixed

A1 Unvalidated Input
 * Secured mosMail() against unvalidated input
 * Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient
A6 Injection Flaws
 * Fixed remote execution issue in PEAR.php
 * Fixed Zend Hash Del Key Or Index Vulnerability

---------------------------------------
04 MEDIUM Level Threats fixed

A1 Unvalidated Input
 * globals.php not included in administrator/index.php
A2 Broken Access Control
 * Added Missing defined( '_VALID_MOS' ) checks
 * Limit Admin `Upload Image` from uploading below `/images/stories/` directory
 * Fixed do_pdf command bypassing the user authentication

---------------------------------------
18 LOW Level Threats fixed

A1 Unvalidated Input
 * Hardened Admin `User Manager`
 * Hardened poll module
 * Fixed josSpoofValue function to ensure the hash is a string
A2 Broken Access Control
 * Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
 * Fixed emailform com_content task bypassing the user authentication
 * Limit access to Admin `Popups` functionality
A4 Cross Site Scripting
 * Fixed XSS injection issue in Admin `Module Manager`
 * Fixed XSS injection issue in Admin `Help`
 * Fixed XSS injection issue in Search
A6 Injection Flaws
 * Harden loading of globals.php by using require() instead of include_once();
 * Block potential misuse of $option variable
 * Block against injection issue in Admin `Upload Image`
 * Secured against possible injection attacks on ->load()
 * Secured against injection attack on content submissions where frontpage is selected
 * Secured against possible injection attack thru mosPageNav constructor
 * Secured against possible injection attack thru saveOrder functions
 * Add exploit blocking rules to htaccess
 * Harden ACL from possible injection attacks

---------------------------------------------------------------------------

28-Aug-2006 Rey Gigataras
 # SECURITY A6 [ LOW Level ]: Block potential misuse of $option variable

28-Aug-2006 Andrew Eddie
 # SECURITY A6 [ LOW Level ]: Harden ACL from possible injection attacks

24-Aug-2006 Rey Gigataras
 # SECURITY A6 [ LOW Level ]: Add exploit blocking rules to htaccess
 # SECURITY A6 [ LOW Level ]: Harden loading of globals.php by using require() instead of include_once();
 + Installation Security Warning check
 + Admin & Installation Version age warning

23-Aug-2006 Rey Gigataras
 # SECURITY A2 [ MEDIUM Level ]: Missing defined( '_VALID_MOS' ) checks
 + Admin Security Warning check

21-Aug-2006 Rey Gigataras
 # SECURITY A1 [ LOW Level ]: Hardened Admin `User Manager`

19-Aug-2006 Rey Gigataras
 # SECURITY A2 [ MEDIUM Level ]: Limit Admin `Upload Image` from uploading below `/images/stories/` directory
 # SECURITY A2 [ LOW Level ]: Limit access to Admin `Popups` functionality
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Module Manager`
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Help`
 # SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Search
 # SECURITY A6 [ LOW Level ]: [topic,73761] : Block against injection issue in Admin `Upload Image`

19-Aug-2006 Enno Klasing
 # SECURITY A1 [ HIGH Level ]: Secured mosMail() against unvalidated input
 # SECURITY A1 [ HIGH Level ]: Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient
 # SECURITY A2 [ LOW Level ]: Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
 # Fixed : Empty subject in com_content mail2friend no longer possible
 # Fixed : Show error message if com_content mail2friend fails
 # Fixed : Show error message if com_contact mail fails
 ^ Moved all instances of is_email() amalgamated into JosIsValidEmail in /includes/joomla.php

18-Aug-2006 Rey Gigataras
 # SECURITY A1 [ MEDIUM Level ]: globals.php not included in administrator/index.php
 # SECURITY A2 [ MEDIUM Level ]: do_pdf command bypasses the user authentication
 # SECURITY A2 [ LOW Level ]: emailform com_content task bypasses the user authentication
 # SECURITY A1 [ LOW Level ]: harden poll module
 # Fixed [topic,72209] : Mambots fired on Modules
 + enable selective disabling of `Email Cloaking` bot via {emailcloak=off}

17-Aug-2006 Rey Gigataras
 + PERFORMANCE : Cache handling expanded to com_content showItem
 # Fixed [artf5266] : Blog-view shows "more..." even without intros
 # Fixed [topic,81673] : frontend.php itemid issue

17-Aug-2006 Mateusz Krzeszowiec
 # Fixed logging query before applying LIMIT

15-Aug-2006 Marko Schmuck
 # SECURITY A6 [ LOW Level ]: possible injection attacks on ->load()

15-Aug-2006 Andrew Eddie
 # SECURITY A6 [ HIGH Level ]: remote execution issue in PEAR.php

15-Aug-2006 Mateusz Krzeszowiec
 # PERFORMANCE [topic,83325] : SQL LIMIT in com_content frontend

14-Aug-2006 Andrew Eddie
 # SECURITY A6 [ LOW Level ]: Injection attack on content submissions where frontpage is selected
 # SECURITY A6 [ LOW Level ]: possible injection attack thru mosPageNav constructor
 # SECURITY A6 [ LOW Level ]: possible injection attack thru saveOrder functions

07-Aug-2006 Andrew Eddie
 # SECURITY A6 [ HIGH Level ]: Zend Hash Del Key Or Index Vulnerability
 # SECURITY A1 [ LOW Level ]: josSpoofValue function to ensure the hash is a string

28-July-2006 Robin Muilwijk
 # Fixed [artf5291] : missing onChange javascript code for filter field

27-July-2006 Robin Muilwijk
 # SECURITY A2 [ MEDIUM Level ]: [artf5335] : missing direct access line
 # Fixed [artf5282] : missing table row tag and self closing tag
 # Fixed [artf5297] : small html errors

17-July-2006 Robin Muilwijk
 # Fixed [artf5157] : typo in media manager
 # Fixed [artf5218] : duplicate entry of artf5157, typo in media manager

03-July-2006 Rey Gigataras
 # Fixed [artf5181] : 5 step for unrecoverable admin-page crash.
 # Fixed [artf5123] : Wrong name of function in joomla.cache.php
 # Fixed [artf5126] : includes/database.php uses deprecated function
 # Fixed [artf5171] : mosGetParam Default value issue
 # Fixed [artf5112] : A mere mistake in the file contact.html.php
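The JosIsValidEmail() entry above records that earlier versions accepted a value as soon as an address appeared anywhere in it. The following is an added example, not Joomla's code, that contrasts such an unanchored check with an anchored one in Python; the regular expression, the function names and the sample inputs are assumptions made for illustration and are not taken from Joomla's source.

```python
import re

# Address shape shared by both checks (a deliberately simple pattern,
# chosen for this example; real validators are stricter).
_ADDRESS = r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"

# Unanchored: succeeds if an address occurs anywhere in the value. This
# mirrors the weakness the changelog describes: surrounding text, including
# extra mail header lines, passes along with the address.
_LOOSE = re.compile(_ADDRESS)

# Anchored: the whole value must be exactly one address.
_STRICT = re.compile(_ADDRESS)


def is_valid_email_loose(value: str) -> bool:
    """Pre-fix behaviour: an address somewhere in the string is enough."""
    return _LOOSE.search(value) is not None


def is_valid_email(value: str) -> bool:
    """Hardened check: no CR/LF (header injection vector in mail forms) and
    the entire value must match the address pattern."""
    if "\r" in value or "\n" in value:
        return False
    return _STRICT.fullmatch(value) is not None


if __name__ == "__main__":
    # Constructed sample inputs for the demonstration.
    samples = [
        "user@example.com",
        "Bob <user@example.com>",
        "user@example.com\r\nBcc: someone@example.org",
        "not an email",
    ]
    for s in samples:
        print(repr(s), "loose:", is_valid_email_loose(s), "strict:", is_valid_email(s))
```

Only the first sample passes the strict check; the loose check also accepts the second and third, which is exactly the gap the 1.0.11 fix closes for mail-sending code that trusts the validated value.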
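The entry limiting Admin `Upload Image` to the `/images/stories/` directory describes a path-confinement check. As an added example, not Joomla's code, the Python function below normalises an admin-chosen subdirectory and filename under a fixed upload root and refuses any combination that resolves outside that root. The root path, the function name and the sample inputs are constructed for this example; the page does not show how Joomla implemented the limit.

```python
import posixpath

# Constructed example root; a real site would derive this from its config.
UPLOAD_ROOT = "/var/www/joomla/images/stories"


def resolve_upload_target(root: str, subdir: str, filename: str):
    """Return the absolute target path if it stays inside `root`, else None.

    Works on strings only (posixpath), so it runs without a filesystem.
    A real implementation should additionally resolve symlinks with
    os.path.realpath before comparing, since a link inside the root can
    point elsewhere.
    """
    # NUL bytes truncate paths in C-backed file APIs; reject them outright.
    if "\x00" in subdir or "\x00" in filename:
        return None
    # The filename must be a single path component: no separators and no
    # "." / ".." so it cannot climb on its own.
    if not filename or "/" in filename or "\\" in filename or filename in (".", ".."):
        return None

    root = posixpath.normpath(root)
    # Treat the requested subdirectory as relative to the root, then collapse
    # any "../" segments before checking containment.
    target = posixpath.normpath(posixpath.join(root, subdir.strip("/"), filename))

    if target == root or target.startswith(root + "/"):
        return target
    return None


if __name__ == "__main__":
    # Constructed sample requests for the demonstration.
    for subdir, name in [("food", "pie.jpg"), ("", "logo.png"),
                         ("../../", "shell.php"), ("x", "../../../etc/passwd")]:
        print(repr((subdir, name)), "->", resolve_upload_target(UPLOAD_ROOT, subdir, name))
```

The containment test compares against `root + "/"` rather than a bare prefix so that a sibling directory such as `/images/stories2` is not mistaken for a location inside `/images/stories`.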
Extensions
Component: an application that loads in the main body of the page
Module: displays small HTML blocks on a chosen page
Bot: changes the code dynamically (mambot)
Language: contains a Bulgarian translation
Miscellaneous: an external application that helps with building a Joomla! site
Templates: templates that change the look of the site.



