
Joomla 1.0.11 Security Update

Written by Grishan - 29.08.2006

Security first, please! After Joomla had become vulnerable to various hacker attacks in recent weeks due to newly disclosed security holes, the developer team promptly released the updated version 1.0.11. Since all previous Joomla versions are also affected, installing the cleaned-up version or applying the update is a mandatory step for every Joomla user!

Information on the Joomla Security Update 1.0.11

The Joomla 1.0.11 release fixes a total of 26 security issues. Four of them were classified as "High Level Security Fixes", and these also affect the previous versions.

To meet the increased security requirements, several changes have gone into the current release. The admin backend now checks whether the security-relevant settings of the PHP version in use are correct or not. The result is displayed and, where necessary, accompanied by a warning.
The ability to check for new Joomla updates has also been integrated into the admin backend. Furthermore, the .htaccess file has been extended with additional rules so that many known exploits and hacking attempts no longer work.

Recommended PHP settings

These two PHP settings are particularly security-relevant:

  1. Register Globals = `OFF`
  2. Magic Quotes = `ON`

The values of these PHP configuration parameters can be checked in the admin backend under System -> System Info.
Further information is available on joomla.org in the article section "Upgrade immediately to Joomla! 1.0.11".
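As an added example (not code from this article or from Joomla itself), the following stand-alone PHP script performs the same kind of check the 1.0.11 admin backend does for the two directives named above and flags any value that differs from the recommendation. Function names are this example's own; on PHP 5.4 or later, where both directives have been removed, `ini_get()` returns `false` and the script reports them as not applicable rather than misconfigured.

```php
<?php
// Added example, not Joomla's own code: check the two PHP directives the
// article names, the way the 1.0.11 admin backend security warning does.
// Function names are assumptions of this example.

// PHP treats "1", "on", "yes" and "true" as ON for boolean directives;
// anything else, including false when the directive no longer exists, is OFF.
function iniFlagIsOn($value): bool
{
    if ($value === false) {
        return false;
    }
    return in_array(strtolower(trim((string) $value)), ['1', 'on', 'yes', 'true'], true);
}

// Compare the live configuration against the recommended states and return
// one row per directive with the actual value and whether it warrants a warning.
function checkPhpSecuritySettings(): array
{
    // Recommended states from the article: register_globals OFF, magic quotes ON.
    $expected = [
        'register_globals' => false,
        'magic_quotes_gpc' => true,
    ];

    $report = [];
    foreach ($expected as $directive => $shouldBeOn) {
        $raw  = ini_get($directive);   // false when PHP >= 5.4 no longer knows the directive
        $isOn = iniFlagIsOn($raw);
        $report[] = [
            'directive' => $directive,
            'actual'    => $raw === false ? 'n/a' : ($isOn ? 'ON' : 'OFF'),
            'expected'  => $shouldBeOn ? 'ON' : 'OFF',
            // A removed directive cannot be misconfigured, so it gets no warning.
            'warning'   => $raw !== false && $isOn !== $shouldBeOn,
        ];
    }
    return $report;
}

// Print a System Info style summary, one line per directive.
foreach (checkPhpSecuritySettings() as $row) {
    printf("%-18s actual=%-4s expected=%-4s %s\n",
        $row['directive'], $row['actual'], $row['expected'],
        $row['warning'] ? 'WARNING' : 'OK');
}
```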

Further details on the bug fixes and changes can, as always, be found in the attached changelog.

Download and updates for Joomla version 1.0.11

Download overview of the CMS project on Forge Joomla:
Joomla 1.0.11 Filebase

Joomla 1.0.11 complete / as of 28.08.2006:
Joomla 1.0.11 complete download

Update patch from Joomla 1.0.10 to Joomla 1.0.11:
Joomla update from 1.0.10 to 1.0.11

Changelog 1.0.11

1.0.11 Stable Released -- [28-August-2006 20:00 UTC]

This Release Contains the following 26 Security Fixes

Joomla! utilizes the Open Web Application Security Project (OWASP) Top Ten Project
to categorize security vulnerabilities found within Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project

--- - - - - - - - - ---

04 HIGH Level Threats fixed

A1 Unvalidated Input
* Secured mosMail() against unvalidated input
* Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient

A6 Injection Flaws
* Fixed remote execution issue in PEAR.php
* Fixed Zend Hash Del Key Or Index Vulnerability

--- - - - - - - - - ---

04 MEDIUM Level Threats fixed

A1 Unvalidated Input
* globals.php not included in administrator/index.php

A2 Broken Access Control
* Added Missing defined( '_VALID_MOS' ) checks
* Limit Admin `Upload Image` from uploading below `/images/stories/` directory
* Fixed do_pdf command bypassing the user authentication

--- - - - - - - - - ---

18 LOW Level Threats fixed

A1 Unvalidated Input
* Hardened Admin `User Manager`
* Hardened poll module
* Fixed josSpoofValue function to ensure the hash is a string

A2 Broken Access Control
* Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
* Fixed emailform com_content task bypassing the user authentication
* Limit access to Admin `Popups` functionality

A4 Cross Site Scripting
* Fixed XSS injection issue in Admin `Module Manager`
* Fixed XSS injection issue in Admin `Help`
* Fixed XSS injection issue in Search

A6 Injection Flaws
* Harden loading of globals.php by using require() instead of include_once();
* Block potential misuse of $option variable
* Block against injection issue in Admin `Upload Image`
* Secured against possible injection attacks on ->load()
* Secured against injection attack on content submissions where frontpage is selected
* Secured against possible injection attack thru mosPageNav constructor
* Secured against possible injection attack thru saveOrder functions
* Add exploit blocking rules to htaccess
* Harden ACL from possible injection attacks
-- -- -- -- -- ---- -- ---

28-Aug-2006 Rey Gigataras
# SECURITY A6 [ LOW Level ]: Block potential misuse of $option variable

28-Aug-2006 Andrew Eddie
# SECURITY A6 [ LOW Level ]: Harden ACL from possible injection attacks

24-Aug-2006 Rey Gigataras
# SECURITY A6 [ LOW Level ]: Add exploit blocking rules to htaccess
# SECURITY A6 [ LOW Level ]: Harden loading of globals.php by using require() instead of include_once();

+ Installation Security Warning check
+ Admin & Installation Version age warning

23-Aug-2006 Rey Gigataras
# SECURITY A2 [ MEDIUM Level ]: Missing defined( '_VALID_MOS' ) checks

+ Admin Security Warning check

21-Aug-2006 Rey Gigataras
# SECURITY A1 [ LOW Level ]: Hardened Admin `User Manager`

19-Aug-2006 Rey Gigataras
# SECURITY A2 [ MEDIUM Level ]: Limit Admin `Upload Image` from uploading below `/images/stories/` directory
# SECURITY A2 [ LOW Level ]: Limit access to Admin `Popups` functionality
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Module Manager`
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Help`
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Search
# SECURITY A6 [ LOW Level ]: [topic,73761] : Block against injection issue in Admin `Upload Image`

19-Aug-2006 Enno Klasing
# SECURITY A1 [ HIGH Level ]: Secured mosMail() against unvalidated input
# SECURITY A1 [ HIGH Level ]: Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient
# SECURITY A2 [ LOW Level ]: Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set

# Fixed : Empty subject in com_content mail2friend no longer possible
# Fixed : Show error message if com_content mail2friend fails
# Fixed : Show error message if com_contact mail fails
^ Moved all instances of is_email() amalgamated into JosIsValidEmail in /includes/joomla.php

18-Aug-2006 Rey Gigataras
# SECURITY A1 [ MEDIUM Level ]: globals.php not included in administrator/index.php
# SECURITY A2 [ MEDIUM Level ]: do_pdf command bypasses the user authentication
# SECURITY A2 [ LOW Level ]: emailform com_content task bypasses the user authentication
# SECURITY A1 [ LOW Level ]: harden poll module

# Fixed [topic,72209] : Mambots fired on Modules
+ enable selective disabling of `Email Cloaking` bot via {emailcloak=off}

17-Aug-2006 Rey Gigataras
+ PERFORMANCE : Cache handling expanded to com_content showItem
# Fixed [artf5266] : Blog-view shows "more..." even without intros
# Fixed [topic,81673] : frontend.php itemid issue

17-Aug-2006 Mateusz Krzeszowiec
# Fixed logging query before applying LIMIT

15-Aug-2006 Marko Schmuck
# SECURITY A6 [ LOW Level ]: possible injection attacks on ->load()

15-Aug-2006 Andrew Eddie
# SECURITY A6 [ HIGH Level ]: remote execution issue in PEAR.php

15-Aug-2006 Mateusz Krzeszowiec
# PERFORMANCE [topic,83325] : SQL LIMIT in com_content frontend

14-Aug-2006 Andrew Eddie
# SECURITY A6 [ LOW Level ]: Injection attack on content submissions where frontpage is selected
# SECURITY A6 [ LOW Level ]: possible injection attack thru mosPageNav constructor
# SECURITY A6 [ LOW Level ]: possible injection attack thru saveOrder functions

07-Aug-2006 Andrew Eddie
# SECURITY A6 [ HIGH Level ]: Zend Hash Del Key Or Index Vulnerability
# SECURITY A1 [ LOW Level ]: josSpoofValue function to ensure the hash is a string

28-July-2006 Robin Muilwijk
# Fixed [artf5291] : missing onChange javascript code for filter field

27-July-2006 Robin Muilwijk
# SECURITY A2 [ MEDIUM Level ]: [artf5335] : missing direct access line

# Fixed [artf5282] : missing table row tag and self closing tag
# Fixed [artf5297] : small html errors

17-July-2006 Robin Muilwijk
# Fixed [artf5157] : typo in media manager
# Fixed [artf5218] : duplicate entry of artf5157, typo in media manager

03-July-2006 Rey Gigataras
# Fixed [artf5181] : 5 step for unrecoverable admin-page crash.
# Fixed [artf5123] : Wrong name of function in joomla.cache.php
# Fixed [artf5126] : includes/database.php uses deprecated function
# Fixed [artf5171] : mosGetParam Default value issue
# Fixed [artf5112] : A mere mistake in the file contact.html.php

 
