Yesterday (13th December) Joomla! released a security update. This update fixes a vulnerability that is present in most Joomla! sites, affecting Joomla! 1.6.0 through 3.6.4. Besides this high priority bug, two low priority bugs are fixed as well. The release also includes some security hardening and a number of general bug fixes. It is recommended to update your website as soon as possible.
So, what has been done in this update? The most important part is of course the high priority vulnerability. It’s been described as follows:
Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.
Since this affects nearly all Joomla! installations, it is recommended to upgrade as soon as possible. Besides this, you get some bonus fixes as well. The full update contains the following bugfixes and security updates:
High Priority – Elevated Privileges (affecting Joomla! 1.6.0 through 3.6.4)
Low Priority – Shell Upload (affecting Joomla! 3.0.0 through 3.6.4)
Low Priority – Information Disclosure (affecting Joomla! 3.0.0 through 3.6.4)
Other – Security Hardening
Besides the problem regarding elevated privileges, there are two more security issues that are fixed with this update. Due to inadequate checks it was possible to upload PHP files that have an alternative file extension; this is no longer possible. There was also a bug allowing users to see content they were not supposed to see based on the ACL. The last item, security hardening, consists of improvements to the security of the user management.
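As an added illustration of the shell-upload issue (this is example code, not Joomla's own upload handling), the check below refuses any file name in which some dotted segment is a PHP extension, so a name like image.php.jpg is rejected as well as shell.phtml; the extension sets and the sample file names are constructed for the example and should be adjusted to the server being audited.

```python
"""Flag uploaded file names that a web server might hand to PHP.

Added example, not Joomla's code. Every dotted segment of the name is
checked, because some server configurations execute 'x.php.jpg' just as
they would 'x.php'. The extension sets below are illustrative.
"""
from pathlib import PurePosixPath
from typing import List, Tuple

# Extensions commonly mapped to the PHP interpreter (illustrative set).
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}

# Allowlist of what a media upload directory should legitimately contain.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf"}

# Constructed sample names for the demonstration below.
SAMPLE_NAMES = ["logo.png", "shell.phtml", "photo.php.jpg",
                "report.PDF", "notes.txt", "README"]


def check_upload_name(filename: str) -> Tuple[bool, str]:
    """Return (accepted, reason); accept only if every segment is safe."""
    name = PurePosixPath(filename).name  # drop any directory component
    if "\x00" in name:
        return False, "null byte in file name"
    segments = name.lower().split(".")
    if len(segments) < 2 or not segments[-1]:
        return False, "no file extension"
    # Reject if ANY segment after the base name is a PHP extension; this
    # catches double extensions that a last-extension-only check misses.
    for seg in segments[1:]:
        if seg in PHP_EXTENSIONS:
            return False, f"php extension '{seg}' in name"
    if segments[-1] not in ALLOWED_EXTENSIONS:
        return False, f"extension '{segments[-1]}' not allowlisted"
    return True, "ok"


def scan_upload_names(names: List[str]) -> List[Tuple[str, str]]:
    """Audit stored file names; return (name, reason) for each rejection."""
    rejected = []
    for name in names:
        accepted, reason = check_upload_name(name)
        if not accepted:
            rejected.append((name, reason))
    return rejected


if __name__ == "__main__":
    for name, reason in scan_upload_names(SAMPLE_NAMES):
        print(f"REJECT {name}: {reason}")
```

Run against the files already present in an upload directory, the same function doubles as an audit of what a vulnerable version may have let through.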