Software-update: Joomla! 1.0.8

Joomla! is een dynamisch systeem geschreven in PHP waarmee de gebruiker content kan beheren, organiseren en uitgeven. Het bevat veel features die terug te vinden zijn in content management systemen, blogs, coöperatiesites en forums. Joomla! is een afsplitsing van Mambo, ook een PHP-gebaseerd content management systeem. De ontwikkelaars hebben onlangs versie 1.0.8 naar buiten gebracht met de volgende lijst van aanpassingen:

Security Fixes:

Medium Level Threat:

• Hardening of Remember Me login functionality
• Protect against real server path disclosure via syndication component
• Limit arbitrary file creation via syndication component
• Protect against real server path disclosure in mod_templatechooser
• Disallow `Weblink` item from being accessible when 'unpublished'
• Disallow `Polls` item from being accessible when 'unpublished'
• Disallow `Newfeeds` item from being accessible when category 'unpublished'
• Disallow `Weblinks` item from being accessible when category 'unpublished'
• Disallow `Content` item from being accessible despite section/category 'access level'
• Disallow `Newsfeed` item from being accessible despite category 'access level'
• Disallow `Weblink` item from being accessible despite category 'access level'
• Disallow `Content` item from being visible despite category 'access level' in `Content Section` view - `Blog - Content Section` & `Blog - Content Section Archive`
• Disallow `Content` items from being viewable when category/section 'unpublished' - mod_newsflash

Low Level Threat:

• Harden frontend Session ID
• Harden against multiple Admin SQL Injection Vulnerabilities
• Disable ability to enter more than one email address in Contact Component contact form
• Harden Contact Component with param option to check for existance of session cookie - enabled by default
• Additional check for correct Admin session name
• Disallow access to syndication functionality
• Disallow `Newsfeeds` Categories from being accessible when 'unpublished'
• Disallow `Contact` Categories from being accessible when 'unpublished'
• Disallow `Weblink` Categories from being accessible when 'unpublished'
• Disallow `Content Section` from being accessible when section 'unpublished' - `List - Content Section`
• Disallow `Content Category` from being accessible when category/section 'unpublished' - `Table - Content Category`
• Disallow `Contact` Categories from being accessible as per category 'access level'
• Disallow `Newsfeeds` Categories from being accessible as per category 'access level'
• Disallow `Weblinks` Categories from being accessible as per category 'access level'
• Disallow `Content Section` from being accessible as per section 'access level' - `List - Content Section`
• Disallow `Content Category` from being accessible as per section/category 'access level' - `Table - Content Category`
• Disallow `Content Category` from being accessible as per category 'access level' - `Blog - Content Category` & `Blog - Content Category Archive`
• Disallow `Content` item links from being visible as per category/section 'access level' - mod_newsflash, mod_latestnews, mod_mostread
• Disallow Category Search returning items despite section 'access level' & section 'state'
• Disallow Contact Search returning items despite 'access level' & category 'state'
• Disallow Content Search returning items despite section 'access level'
• Disallow Newsfeed Search returnings items despite category 'state'
• Disallow Weblink Search returning items despite category 'state'

Changes since 1.0.7:

• Fixed: Conversion of & to & when editing 'new' modules, breaking xhtml compliance
• Fixed: Itemid=99999999 visible when navigating polls
• Fixed artf3630: Site name printed twice in the popup window title (print, email to friend)
• Upgraded to TinyMCE 2.0.4
• Depreciated Admin templates - mambo_admin & mambo_admin_blue
• Fixed HTTP_ACCEPT_ENCODING problems
• Fixed incorrect handling of external links with mossef
• Special Flag to allow different login behaviour of site for Production vs online Demo site
• Fixed: typo in menu manager
• Global Config session life only controls purging of frontend logged in sessions
• Guests session separately purged at a hardcoded 900 seconds
• Fixed artf3591: Error if unpublish menu item
• Fixed: SEF handling of custom .htaccess reconfigured urls
• Fixed: mod_login return value incorrectly returning 'index.php?' if coming from site homepage
• Frontend Session Tracking cookie uses `Expire at End of Session`, rather than expiry by a set time to resolve issues with incorrect system clocks
• Fixed: Incorrect favicon path in installer
• Fixed: Admin logout does not clear/delete session being logged out
• Remember Me Cookie amalgamated into a single cookie.
• Fixed: error in TinyMCE 2.0.3 (toggle fullscreen mode)
• Fixed filelist param - would always show list entries related to images for default and do not use
• Fixed: time check incorrectly being based on local time - rather than server time
• Fixed: utf-8 encoded newsfeeds in a ISO-8559-1 site
• Fixed: Newsfeeds do not display
• PERFORMANCE: General query reduction work
• PERFORMANCE: Reduce queries used by search bots to load params
• PERFORMANCE: 'editor-xtd' bot group loaded only once - affect = reduction in queries
• Refactored session handling code for Admin sessions
• session.gc_maxlifetime setting for Admin Sessions
• Fixed artf3543: Rev 2393 Language Manager Error
• Fixed: Wrapper Autoheight ability set to off by default, as causes javascript errors when used on sites not on your domain
• Fixed: MySQL 5 support in strict mode
• Fixed artf3605: Spelling error when saving content
• Fixed artf3576: Javascript conflict in mod_wrapper
• PERFORMANCE: `dynamic` Itemid checks store previous query results - affect = reduction in queries
• PERFORMANCE: `static` Itemid counters now loads only once - affect = reduction in queries
• PERFORMANCE: 'content' bot group loaded only once instead of each time content is loaded - affect = reduction in queries
• PERFORMANCE: individual 'content' bot query to pull params loaded only once instead of each time content is loaded - affect = reduction in queries
• new Admin Session Life Global Config param, allowing setting of admin session idle logout time
• query debug mode to backend
• Fixed artf3523: mosemailcloak issue with mailto params
• Fixed: disable mossef bot from working on mailto links
• Fixed: SEF deactivated relative & absolute url handling
• Fixed: Session username not correct for those coming from `Remember Me` cookie
• PERFORMANCE: Simple check for all bots to determine whether they should process further
• PERFORMANCE: Reduce queries used by bots to load params - mosemailcloak, mosimage, mosloadposition, mospaging - affect = reduction in queries
• PERFORMANCE: 'editor-xtd' bot group loaded only when needed - affect = reduction in queries
• Fixed artf3527 : "New" Content Link and Image Not Present When Category Empty
• Fixed: Static Content Start/Finish publishing time is based on server time, not local time
• Fixed: Publisher submission message for frontend content editing/submission
• Fixed artf3144 : NULL values from SQL tables not loaded
• Fixed: $access variable conflict com_content
• Fixed: mod_related_items urls not xhtml compliant
• Fixed: heading in pagination not working
• Fixed: Add Prefix check to installer
• Fixed artf3082 : Template preview *still* not available
• Fixed artf2925 : mosGetParam has side affects
• Fixed: Content -> New -> Cancel
• Upgraded TinyMCE to 2.0.3 & TinyMCE GZip Compressor to 1.0.7
• Fixed artf3391 : Aphostrophes in Category: Edit
• Fixed artf3291 : Alert() problem
• Fixed artf3188 : Unnecessary table cell in contact.html.php
• Fixed artf3121 : css errors in tiny_mce and rhuk_solarflare_ii template
• Fixed artf3181 : Task routing class
• Fixed artf3400 : showCalendar does not get value of date
• Fixed artf3348 : Bold tag overrides css in mod_poll.php
• Fixed artf3120 : &and & &link not defined in admin.categories.php
• Fixed artf3446 : Problems with mosimage with caption
• Fixed artf3100 : Incorrect Response Headers for Missing Pages
• Fixed artf3220 : Search bug: No way to update referenced search component
• Fixed artf3438 : RSS Feed Created it not base on the same encoding of the content
• Fixed artf3108 : Joomla 1.0.7 core SEF bug gives 404 on homepage
• Fixed artf3169 : RSS feeds does not work with SEF disabled
• Fixed artf3397 : link to menu and loss of images list
• Fixed artf3109 : 1.0.7 "The XML page cannot be displayed ERROR" ob_gzhandler issue
• Fixed artf3447 : TinyMCE and relative urls
• Fixed artf3183 : Sub-menu items of separators not showing in module menu selection list
• Fixed artf3103 : $mosConfig_cachepath not used everywhere
• Fixed artf3114 : mod_related_items outputs nothing
• Fixed artf3234 : mod_related_items unitialized mosConfig_offset variable
• Fixed artf3402 : Missing param in module
• Fixed artf3067 : Reopen: Unhandled fragment identifier with core SEF enabled
• Fixed: new .htaccess gives proper 404s [Steve Graham]
• Disable session.use_trans_sid to .htaccess
• Fixed artf3421 : Session cleanup relies on administrator login
• Fixed artf3307 : Error in code - non critical, but logout setcookie not working
• Fixed artf3126 : Short open PHP tag in pathway.php
• Fixed artf3126 : artf3413 : small problem with variable in xml_domit_lite_parser.php
• Fixed: Excessive Joomla Sessions, and AOL Login Problem [Steve Graham]
• Fixed mosWarning() $title error
• New Session Type Global Config param
• Fixed artf3393 : Latestnews doesn't show static content
• Fixed artf3328, 1.0.7 EN Installation Typo - Step 1
• Fixed artf3401 : Spelling errors in two modules
• Additional Contact Component hardening
• Contact Items display Authorization block text if category 'access level' denies access
• Blog pages display Authorization block text if section/category 'access level' denies access
• Blog pages display Authorization block text if section/category being unpublished