Jan 06, 2009
NinjaForge reports a potential security issue affecting ALL Joomla 1.5.x releases up to and including 1.5.8; luckily they also publish a fix for this security leak.
Apparently the problem lies in attachmentlibrary.php: a folder parameter can be passed to the script and is taken over into a web server environment variable without being correctly sanitized, which opens the door to directory traversal.
This script belongs to the XStandard editor plugin, but the issue affects any and all editors, even third-party WYSIWYG editors.
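As an added illustration of the kind of check such a folder parameter needs before it is used to build a filesystem path (this is not NinjaForge's patch or Joomla's code; the function name and the constructed directory layout are assumptions):

```php
<?php
// Added example: accept only a plain relative sub-folder of the attachments
// directory and refuse anything that could escape it.

/**
 * Returns the canonical path of $baseDir/$folder, or null when $folder is not
 * a plain relative sub-folder that resolves inside $baseDir.
 */
function resolveAttachmentFolder(string $baseDir, string $folder): ?string
{
    // Null bytes can truncate the path in lower-level filesystem calls.
    if (strpos($folder, "\0") !== false) {
        return null;
    }
    // Absolute paths (Unix or Windows drive letter) are never acceptable here.
    if (preg_match('~^([/\\\\]|[A-Za-z]:)~', $folder)) {
        return null;
    }
    // Split on / and \ ; every segment must be a simple allow-listed name,
    // so "." and ".." (and dotted names) are refused outright.
    $segments = preg_split('~[/\\\\]+~', $folder, -1, PREG_SPLIT_NO_EMPTY);
    foreach ($segments as $seg) {
        if (!preg_match('/^[A-Za-z0-9_-]+$/', $seg)) {
            return null;
        }
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . implode(DIRECTORY_SEPARATOR, $segments));
    // Second line of defence: the resolved path must still sit under the base
    // (the trailing separator stops "attachments2" matching "attachments").
    if ($candidate === false
        || strpos($candidate . DIRECTORY_SEPARATOR, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $candidate;
}

// Demo on a constructed layout in a temp dir: only "images" and "" (the base itself) pass.
$root = sys_get_temp_dir() . '/attach_demo_' . getmypid();
mkdir("$root/attachments/images", 0700, true);
foreach (['images', '', 'images/../../other', '/absolute', "images\0.jpg", 'missing'] as $in) {
    $out = resolveAttachmentFolder("$root/attachments", $in);
    printf("%-24s => %s\n", json_encode($in), $out === null ? 'REJECTED' : 'OK');
}
rmdir("$root/attachments/images"); rmdir("$root/attachments"); rmdir($root);
```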
I do not know how serious this issue is, or whether you might be better off waiting for Joomla! to release 1.5.9.
For more information go to NinjaForge's Directory Traversal security fix.
UPDATE:
Joomla has released version 1.5.9, which supersedes the above fix. For more information go here.