[joomla] Fw: Joomla! Security News

Sat, 10 Jan 2009 06:19:45 -0800 


----- Forwarded Message ----
From: Joomla! Developer - Vulnerability News <[email protected]>
To: [email protected]
Sent: Saturday, January 10, 2009 8:42:43 AM
Subject: Joomla! Security News

Joomla! Developer - Vulnerability News  
Joomla! Security News  
 
[20090102] - Core - plg_xstandard Directory Traversal 
Posted: 09 Jan 2009 08:22 AM PST
        * Project: Joomla!
        * SubProject: plg_xstandard
        * Severity: High
        * Versions: 1.5.8 and all previous 1.5 releases
        * Exploit type: Directory Traversal
        * Reported Date: 2009-January-7
        * Fixed Date: 2009-January-9
Description
A crafted request can cause disclosure of the directory structure on the server 
(including any directory that php has access to).
Affected Installs
All 1.5.x installs prior to and including 1.5.8 are affected.
Solution
Upgrade to latest Joomla! version (1.5.9 or newer).
Contact
The JSST at the Joomla! Security Center.  
[20090101] - Core - JSession SSL Session Disclosure 
Posted: 09 Jan 2009 08:12 AM PST
        * Project: Joomla!
        * SubProject: framework 
        * Severity: Low
        * Versions: 1.5.8 and all previous 1.5 releases
        * Exploit type: Session Hijacking/ 
        * Reported Date: 2008-November-20
        * Fixed Date: 2009-January-9
Description
When running a site under SSL ONLY (the entire site is forced to be under ssl), 
Joomla! does not set the SSL flag on the cookie.  This can allow someone 
monitoring the network to find the cookie related to the session.  Please note 
that all data is still transferred securely. 
Affected Installs 
1.5.8 and lower installs which are run with SSL only (no non-ssl access).   
Solution
Upgrade to latest Joomla! version (1.5.8 or newer), and set force_ssl in global 
configuration. Alternatively, the php setting session.secure_cookie can be set 
in .htaccess or php.ini.  Joomla! (all versions) will respect this setting. 
Reported By Hanno Boeck
Contact
The JSST at the Joomla! Security Center.  
You are subscribed to email updates from Joomla! Developer - Vulnerability News 
To stop receiving these emails, you may unsubscribe now. Email delivery powered 
by Google 
Inbox too full?  Subscribe to the feed version of Joomla! Developer - 
Vulnerability News in a feed reader. 
If you prefer to unsubscribe via postal mail, write to: Joomla! Developer - 
Vulnerability News, c/o Google, 20 W Kinzie, Chicago IL USA 60610 
_______________________________________________
New York PHP SIG: Joomla! Mailing List
http://lists.nyphp.org/mailman/listinfo/joomla

NYPHPCon 2006 Presentations Online
http://www.nyphpcon.com

Show Your Participation in New York PHP
http://www.nyphp.org/show_participation.php

Reply via email to