Joomla 1.0.11 Security Update
Written by Grishan - 29.08.2006
Security first, please! After newly disclosed security vulnerabilities left Joomla open to various hacker attacks in recent weeks, the development team promptly released the updated version 1.0.11. Since all previous Joomla versions are affected as well, installing the cleaned-up version or applying the update is mandatory for all Joomla users!
Information on the Joomla Security Update 1.0.11
The Joomla release 1.0.11 fixes a total of 26 security issues. Four of these were classified as "High Level Security Fixes", which also affect the previous versions.
To meet the increased security requirements, several changes have gone into the current release. The admin backend now checks whether the security-relevant settings of the PHP version in use are appropriate. The result is displayed and, where necessary, flagged with a warning.
The ability to check for new Joomla updates has also been integrated into the admin backend.
In addition, the .htaccess file has been extended with further rules so that many known exploits and hacking attempts no longer work.
Recommended PHP settings
These two PHP settings are particularly security-relevant:
- 1. Register Globals = `OFF`
- 2. Magic Quotes = `ON`
The values of these PHP configuration parameters can be checked in the admin backend under System -> System Info.
Further information is available on joomla.org in the article section
Upgrade immediately to Joomla! 1.0.11.
Further details on the bug fixes and changes can be found, as always, in the attached changelog.
Download and updates for Joomla version 1.0.11
Download overview of the CMS project on Joomla Forge:
Joomla 1.0.11 Filebase
Joomla 1.0.11 complete / as of 28.08.2006:
Joomla 1.0.11 complete download
Update patch from Joomla 1.0.10 to Joomla 1.0.11:
Joomla update from 1.0.10 to 1.0.11
Changelog 1.0.11
1.0.11 Stable Released -- [28-August-2006 20:00 UTC]
This Release Contains the following 26 Security Fixes
Joomla! utilizes the Open Web Application Security Project (OWASP) Top Ten Project
to categorize security vulnerabilities found within Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
--- - - - - - - - - ---
04 HIGH Level Threats fixed
A1 Unvalidated Input
* Secured mosMail() against unvalidated input
* Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient
A6 Injection Flaws
* Fixed remote execution issue in PEAR.php
* Fixed Zend Hash Del Key Or Index Vulnerability
--- - - - - - - - - ---
04 MEDIUM Level Threats fixed
A1 Unvalidated Input
* globals.php not included in administrator/index.php
A2 Broken Access Control
* Added Missing defined( '_VALID_MOS' ) checks
* Limit Admin `Upload Image` from uploading below `/images/stories/` directory
* Fixed do_pdf command bypassing the user authentication
--- - - - - - - - - ---
18 LOW Level Threats fixed
A1 Unvalidated Input
* Hardened Admin `User Manager`
* Hardened poll module
* Fixed josSpoofValue function to ensure the hash is a string
A2 Broken Access Control
* Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
* Fixed emailform com_content task bypassing the user authentication
* Limit access to Admin `Popups` functionality
A4 Cross Site Scripting
* Fixed XSS injection issue in Admin `Module Manager`
* Fixed XSS injection issue in Admin `Help`
* Fixed XSS injection issue in Search
A6 Injection Flaws
* Harden loading of globals.php by using require() instead of include_once();
* Block potential misuse of $option variable
* Block against injection issue in Admin `Upload Image`
* Secured against possible injection attacks on ->load()
* Secured against injection attack on content submissions where frontpage is selected
* Secured against possible injection attack thru mosPageNav constructor
* Secured against possible injection attack thru saveOrder functions
* Add exploit blocking rules to htaccess
* Harden ACL from possible injection attacks
-- -- -- -- -- ---- -- ---
28-Aug-2006 Rey Gigataras
# SECURITY A6 [ LOW Level ]: Block potential misuse of $option variable
28-Aug-2006 Andrew Eddie
# SECURITY A6 [ LOW Level ]: Harden ACL from possible injection attacks
24-Aug-2006 Rey Gigataras
# SECURITY A6 [ LOW Level ]: Add exploit blocking rules to htaccess
# SECURITY A6 [ LOW Level ]: Harden loading of globals.php by using require() instead of include_once();
+ Installation Security Warning check
+ Admin & Installation Version age warning
23-Aug-2006 Rey Gigataras
# SECURITY A2 [ MEDIUM Level ]: Missing defined( '_VALID_MOS' ) checks
+ Admin Security Warning check
21-Aug-2006 Rey Gigataras
# SECURITY A1 [ LOW Level ]: Hardened Admin `User Manager`
19-Aug-2006 Rey Gigataras
# SECURITY A2 [ MEDIUM Level ]: Limit Admin `Upload Image` from uploading below `/images/stories/` directory
# SECURITY A2 [ LOW Level ]: Limit access to Admin `Popups` functionality
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Module Manager`
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Help`
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Search
# SECURITY A6 [ LOW Level ]: [topic,73761] : Block against injection issue in Admin `Upload Image`
19-Aug-2006 Enno Klasing
# SECURITY A1 [ HIGH Level ]: Secured mosMail() against unvalidated input
# SECURITY A1 [ HIGH Level ]: Secured JosIsValidEmail() - in previous versions the existence of an email address somewhere in the string was sufficient
# SECURITY A2 [ LOW Level ]: Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
# Fixed : Empty subject in com_content mail2friend no longer possible
# Fixed : Show error message if com_content mail2friend fails
# Fixed : Show error message if com_contact mail fails
^ Moved all instances of is_email() amalgamated into JosIsValidEmail in /includes/joomla.php
18-Aug-2006 Rey Gigataras
# SECURITY A1 [ MEDIUM Level ]: globals.php not included in administrator/index.php
# SECURITY A2 [ MEDIUM Level ]: do_pdf command bypasses the user authentication
# SECURITY A2 [ LOW Level ]: emailform com_content task bypasses the user authentication
# SECURITY A1 [ LOW Level ]: harden poll module
# Fixed [topic,72209] : Mambots fired on Modules
+ enable selective disabling of `Email Cloaking` bot via {emailcloak=off}
17-Aug-2006 Rey Gigataras
+ PERFORMANCE : Cache handling expanded to com_content showItem
# Fixed [artf5266] : Blog-view shows "more..." even without intros
# Fixed [topic,81673] : frontend.php itemid issue
17-Aug-2006 Mateusz Krzeszowiec
# Fixed logging query before applying LIMIT
15-Aug-2006 Marko Schmuck
# SECURITY A6 [ LOW Level ]: possible injection attacks on ->load()
15-Aug-2006 Andrew Eddie
# SECURITY A6 [ HIGH Level ]: remote execution issue in PEAR.php
15-Aug-2006 Mateusz Krzeszowiec
# PERFORMANCE [topic,83325] : SQL LIMIT in com_content frontend
14-Aug-2006 Andrew Eddie
# SECURITY A6 [ LOW Level ]: Injection attack on content submissions where frontpage is selected
# SECURITY A6 [ LOW Level ]: possible injection attack thru mosPageNav constructor
# SECURITY A6 [ LOW Level ]: possible injection attack thru saveOrder functions
07-Aug-2006 Andrew Eddie
# SECURITY A6 [ HIGH Level ]: Zend Hash Del Key Or Index Vulnerability
# SECURITY A1 [ LOW Level ]: josSpoofValue function to ensure the hash is a string
28-July-2006 Robin Muilwijk
# Fixed [artf5291] : missing onChange javascript code for filter field
27-July-2006 Robin Muilwijk
# SECURITY A2 [ MEDIUM Level ]: [artf5335] : missing direct access line
# Fixed [artf5282] : missing table row tag and self closing tag
# Fixed [artf5297] : small html errors
17-July-2006 Robin Muilwijk
# Fixed [artf5157] : typo in media manager
# Fixed [artf5218] : duplicate entry of artf5157, typo in media manager
03-July-2006 Rey Gigataras
# Fixed [artf5181] : 5 step for unrecoverable admin-page crash.
# Fixed [artf5123] : Wrong name of function in joomla.cache.php
# Fixed [artf5126] : includes/database.php uses deprecated function
# Fixed [artf5171] : mosGetParam Default value issue
# Fixed [artf5112] : A mere mistake in the file contact.html.php
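
Added example (not part of the original post and not Joomla's code): the JosIsValidEmail() entry above describes a check that passed whenever an email address appeared somewhere in the string. The PHP below contrasts that kind of unanchored match with a whole-string match; the function names, the simplified address pattern and the sample inputs are assumptions made for illustration.

```php
<?php
// Added illustration; not Joomla's code. Names and pattern are assumptions.

// Address shape shared by both checks (deliberately simple, not RFC 5322 complete).
const ADDR = '[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+';

// Weak form: succeeds if an address occurs anywhere in the string,
// so surrounding text, line breaks or further addresses are accepted too.
function containsEmail(string $s): bool
{
    return preg_match('/' . ADDR . '/', $s) === 1;
}

// Hardened form: the whole string must be exactly one address.
// \A and \z anchor to the real start and end of the subject; unlike $,
// \z does not accept a trailing newline.
function isExactlyEmail(string $s): bool
{
    return preg_match('/\A' . ADDR . '\z/', $s) === 1;
}

// Constructed sample inputs. Line breaks matter whenever a validated value
// is later written into a line-oriented context such as a mail header.
$samples = [
    'plain address'    => 'user@example.org',
    'text around it'   => 'hello user@example.org goodbye',
    'trailing newline' => "user@example.org\n",
    'CRLF plus text'   => "user@example.org\r\nX-Extra: value",
    'two addresses'    => 'a@example.org, b@example.org',
];

// Print one row per sample so the two checks can be compared side by side.
foreach ($samples as $label => $value) {
    printf(
        "%-17s weak=%-5s strict=%s\n",
        $label,
        var_export(containsEmail($value), true),
        var_export(isExactlyEmail($value), true)
    );
}
```

Only the plain address passes the strict check, while the weak check accepts every sample.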
