Security release for Joomla!


Yesterday (13th December) Joomla! released a security update. This update fixes a vulnerability that is present in most Joomla! sites, affecting Joomla! 1.6.0 through 3.6.4. Besides this high priority bug, two low priority security bugs are fixed as well, some security hardening has been done, and a number of regular bugs have been fixed. It is recommended to update your website as soon as possible.

So, what has been done in this update? The most important part is of course the high priority vulnerability. It’s been described as follows:

Incorrect use of unfiltered data stored to the session on a form validation failure allows for existing user accounts to be modified; to include resetting their username, password, and user group assignments.

Since this affects nearly all Joomla! installations it’s recommended to upgrade as soon as possible. Besides this, you get some bonus fixes as well. The full update contains the following bug fixes and security updates:

Security fixes

High Priority – Elevated Privileges (affecting Joomla! 1.6.0 through 3.6.4)
Low Priority – Shell Upload (affecting Joomla! 3.0.0 through 3.6.4)
Low Priority – Information Disclosure (affecting Joomla! 3.0.0 through 3.6.4)
Other – Security Hardening

Besides the elevated privileges problem, two more security issues are fixed with this update. Due to inadequate checks it was possible to upload PHP files that have an alternative file extension; this is no longer possible. There was also a bug that allowed users to see content the ACL should have hidden from them. The last security item consists of some hardening of the user management.
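To illustrate why the shell upload fix matters, here is an added example (not Joomla!'s own code) of an upload check that only blocks the exact extension `.php` beside a hardened allowlist check; the allowed extensions and the sample file names are this example's assumptions.

```php
<?php
// Added example, not Joomla! code: a weak "block .php" check beside a
// hardened allowlist check. The extension list is this example's assumption.

// Weak check: rejects a file only when its final extension is exactly "php".
// A PHP file renamed to an alternative extension the web server also executes,
// or one with a double extension, passes this check.
function weakExtensionCheck(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Hardened check: an allowlist of expected media types, applied to every
// extension segment so "shell.php.jpg" and "shell.phtml" both fail, plus a
// strict character set so trailing spaces, nulls or path separators are refused.
// Pair this with storing uploads outside the web root.
function hardenedExtensionCheck(string $filename, array $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf']): bool
{
    if (!preg_match('/^[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)+$/', $filename)) {
        return false;              // empty, odd characters, or no extension
    }
    $segments = explode('.', strtolower($filename));
    array_shift($segments);        // drop the base name
    foreach ($segments as $ext) {  // every segment must be on the allowlist
        if (!in_array($ext, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names showing where the two checks disagree.
$samples = ['photo.jpg', 'report.pdf', 'shell.php', 'shell.phtml', 'shell.php.jpg', 'shell.jpg.php'];
foreach ($samples as $name) {
    printf("%-15s weak: %-7s hardened: %s\n", $name,
        weakExtensionCheck($name) ? 'pass' : 'REJECT',
        hardenedExtensionCheck($name) ? 'pass' : 'REJECT');
}
```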

Bug fixes

[#12817] Fix Joomla Updater for Windows Users
[#12984] Fix installation language for sr-YU
[#12589] and [#13127] Fix default values for user creation on installation
