Joomlatools reported this issue to the Joomla Security Strike Team on October 4 (nearly 3 weeks before this article was written), and so far there is no official patch available to plug this security issue.
Apparently the issue was reported to the Joomla bug tracker but was removed without an explanation, so the team at Joomlatools has released their own patch and made it available to anyone who wishes to use it.
There is always a risk in applying unofficial patches, but in the interest of the Joomla community, we have decided to share this information and allow our readers to make their own decision. Joomlatools also offers a non-patch alternative for solving this security issue.
The patch and more information can be found here: Joomlatools 1.5.7 patch.
This announcement has also stirred up a hornet's nest and was made controversial by Anthony Ferrara, who wrote a rather antagonistic article in response to the Joomlatools announcement and patch; this article was called "An irresponsible Post by a third party developer".
Anthony's point of view is that this vulnerability requires access to an account with a higher than normal clearance (author or higher), that this warranted the "not critical" classification, and that an appropriate fix will be included in the upcoming 1.5.8 when it is released.
Regarding the removal of the report from the 1.5 bug tracker, he says this was done from a security standpoint, to take potential security issues out of the public's view.
Furthermore, he states that the above-mentioned patch should not be installed and that users should just wait for the 1.5.8 release, which is reported not to be that far away.
Reading the comments on Anthony's post, it would appear that the general consensus is that his post was way too harsh, although his points may be valid. I personally think he took it a little bit too far too.
Anthony's public response can be found here: An Irresponsible post by a third party developer.





