Viewing 6 posts - 1 through 6 (of 6 total)
  • wooohanetworks Friend
    #136987

    Reading the changelog for the new version encourages me to post another notification here in the forums. The new 1.5.9 Update patches some high priority security issues, so everyone with 1.5.x running should be advised to update their systems ASAP!

    I want to add that I SUPPOSE THAT the mentioned low security risk will, as described, only be a low security risk as long as the systems run with the 2 folder root structure, having an http(docs) and an https(docs) folder, and in each folder the designated files for secure or non-secure content are loaded.

    IT SEEMS TO BE THAT:

    For those instances where both the non-SSL content and the secure SSL content are loaded into the 1 https(docs) folder of a system, this may pose a high security risk. As a lot of sites, especially shops, will have all content only in one folder, the https(docs) folder for using a secure SSL connection, this being a usual procedure to avoid double content in 2 folders, this may for those cases not be a low security risk but a high security risk.

    IT WOULD BE THE BEST TO GET PROFESSIONAL ADVICE IN ADDITION!

    It is strongly recommended to update any Joomla site referring to the latest changelog:

    Security
    One low-level and one high-level security issue were fixed in this release:

    High Priority: Directory Traversal. A crafted request can allow an attacker to view directory trees on the server. Note: contents of files cannot be edited or deleted, just viewed.

    Low Priority: SSL Session Token Disclosure. When running a site as SSL ONLY, if a non-SSL request is made, an attacker can obtain the session token. There is NO risk for Web sites that use both HTTP and HTTPS.

    http://www.joomla.org/announcements/release-news/5226-joomla-159-security-release-now-available.html

    sunrise Friend
    #285904

    Thanks a lot for posting this here and letting us know. And thanks to the Joomla folks for continually coming with updates and patches to help us keep our sites safe and up and running.

    wooohanetworks Friend
    #285905

    I myself planned to set my site under SSL as a whole but did not do it for several reasons. That would mean the complete site would always run under SSL and it may have fallen under this threat. Now, as I mention, I SUPPOSE; I do not know how it is with any subdomain where a shop is installed. It MAY BE the case that when you set the whole shop subdomain under SSL and the rest, the normal site residing on the main domain, is not under SSL, this security problem may still affect the subdomain that is set under SSL as a whole. That is why I recommend, when having a site set up this way, getting feedback from a professional network advisor who can say with certainty whether this may apply or may also fall under the low security risk. As I know that some have the whole domain under SSL, those may apply the update immediately. Getting professional advice in these cases is always the best solution, as it is better to check it 20 times.

    Michael Casha Friend
    #285990

    Please remain On-Topic when discussing the Joomla 1.5.9 release.

    Hung Dinh Friend
    #286176

    Thanks, wooohanetworks and everyone, for the notice.
    We heard it and have this to tell you

    wooohanetworks Friend
    #286308

    Thank you, you are very welcome, you know my cautious standpoint. ;)


This topic contains 6 replies, has 4 voices, and was last updated by wooohanetworks 15 years, 10 months ago.
