Upgrade to Joomla 1.5.13
I spend more time upgrading Joomla sites to the latest version than creating any new content. Received this email from the Joomla security team before six o’clock this morning. Didn’t we just upgrade to Joomla 1.5.12 a week or so ago?
Posted: 22 Jul 2009 04:36 PM PDT
- Project: Joomla!
- SubProject: Framework
- Severity: Moderate
- Versions: 1.5.12 and all previous 1.5 releases
- Exploit type: XSS
- Reported Date: 2009-July-21
- Fixed Date: 2009-July-22
Description
Some files were missing the check for JEXEC. These scripts will then expose internal path information of the host.
Affected Installs
All 1.5.x installs prior to and including 1.5.12 are affected.
Solution
Upgrade to latest Joomla! version (1.5.13 or newer).
[20090722] – Core – File Upload
Posted: 22 Jul 2009 04:17 PM PDT
- Project: Joomla!
- SubProject: TinyMCE editor
- Severity: Critical
- Versions: 1.5.12
- Exploit type: Image File upload
- Reported Date: 2009-July-22
- Fixed Date: 2009-July-22
Description
Tiny browser included with TinyMCE 3.0 editor allowed files to be uploaded and removed without logging in.
Affected Installs
Version 1.5.12 only
Solution
Upgrade to latest Joomla! version (1.5.13 or newer).
Anyhoo, the upgrade process gets easier and less nerve-wracking each time you do it. I’ve done four sites already this morning and each took less than five minutes.
Back up the database and site files, download the upgrade files from the official Joomla page, check the hash, put your website offline for a while (in Global Configuration), and FTP the new set of files over to your own server (this last step takes just two minutes). Log back in as a Joomla administrator, see the 1.5.13 version on the upper right, then switch your site back online. You’re done. Start checking that everything still works.
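The first advisory above comes down to PHP files that lacked the JEXEC check. As an added example (not part of the original post and not Joomla's own code), this Python script lists the .php files under a site directory that have no such guard near the top. It assumes the accepted guard forms are `defined('_JEXEC') or die(...)` and the `defined('JPATH_BASE') or die()` variant, and the sample tree it builds is constructed for the demo.

```python
import re
import tempfile
from pathlib import Path

# Guard forms accepted here (assumption): defined('_JEXEC') or die(...), and the
# defined('JPATH_BASE') or die() variant used by framework library files.
GUARD = re.compile(
    r"""defined\s*\(\s*['"](_JEXEC|JPATH_BASE)['"]\s*\)\s*(or|\|\|)\s*(die|exit)\b""",
    re.IGNORECASE)
# Entry points such as index.php define _JEXEC themselves and need no guard.
ENTRY = re.compile(r"""\bdefine\s*\(\s*['"]_JEXEC['"]""", re.IGNORECASE)
# Comments are stripped first so a commented-out guard is not counted.
COMMENTS = re.compile(r"/\*.*?\*/|(?://|#)[^\n]*", re.DOTALL)

# Constructed sample files for the demo run (not taken from Joomla).
SAMPLES = {
    "index.php": "<?php\ndefine( '_JEXEC', 1 );\nrequire 'includes/app.php';\n",
    "includes/app.php": "<?php\n/** header */\ndefined( '_JEXEC' ) or die( 'Restricted access' );\n",
    "libraries/util.php": "<?php\ndefined('JPATH_BASE') or die();\n",
    "plugins/leaky.php": "<?php\nrequire_once JPATH_ROOT . '/x.php';\n",
    "plugins/disabled.php": "<?php\n// defined('_JEXEC') or die();\necho 1;\n",
}


def has_guard(source, head_chars=4096):
    """True if the guard (or the _JEXEC definition) appears near the top."""
    head = COMMENTS.sub("", source[:head_chars])
    return bool(GUARD.search(head) or ENTRY.search(head))


def find_unguarded(root):
    """Return sorted relative paths of .php files under root lacking the guard."""
    root = Path(root)
    return sorted(
        p.relative_to(root).as_posix()
        for p in root.rglob("*.php")
        if not has_guard(p.read_text(encoding="utf-8", errors="replace")))


def build_sample_tree(root):
    for rel, body in SAMPLES.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body, encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(find_unguarded(tmp)))
```

Each path returned is a file to review by hand; the match is a text heuristic over the start of the file, not a PHP parse.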