wooohanetworks Friend
January 11, 2009 at 2:05 pm #136987
Reading the changelog for the new version encourages me to post another notification here in the forums. The new 1.5.9 Update patches some high priority security issues, so everyone with 1.5.x running should be advised to update their systems ASAP!
I want to add that I SUPPOSE THAT the mentioned low security risk will, as described, only be a low security risk as long as the systems run with the 2 folder root structure having an http(docs) and an https(docs) folder, and in each folder the designated files for secure or non-secure content are loaded.
IT SEEMS TO BE THAT:
For those instances where both the non-SSL content and the secure SSL content are loaded into the 1 https(docs) folder of a system, this may pose a high security risk. As a lot of sites, especially shops, will have all content only in one folder, the https(docs) folder for using a secure SSL connection, this being a usual procedure to avoid double content in 2 folders, this may for those cases not be a low security risk but a high security risk.
IT WOULD BE THE BEST TO GET PROFESSIONAL ADVICE IN ADDITION!
It is strongly recommended to update any Joomla site referring to the latest changelog:
Security
One low-level and one high-level security issue were fixed in this release:
- High Priority: Directory Traversal. A crafted request can allow an attacker to view directory trees on the server. Note: contents of files cannot be edited or deleted, just viewed.
- Low Priority: SSL Session Token Disclosure. When running a site as SSL ONLY, if a non-SSL request is made, an attacker can obtain the session token. There is NO risk for Web sites that use both HTTP and HTTPS.
http://www.joomla.org/announcements/release-news/5226-joomla-159-security-release-now-available.html
sunrise Friend
January 11, 2009 at 2:15 pm #285904
Thanks a lot for posting this here and letting us know. And thanks to the Joomla folks for continually coming with updates and patches to help us keep our sites safe and up and running.
wooohanetworks Friend
January 11, 2009 at 2:26 pm #285905
I myself planned to set my site under SSL as a whole but did not do it for several reasons. That would mean the complete site would always run under SSL and it may have fallen under this threat. Now, as I mention I SUPPOSE, I do not know how it is with any subdomain where a shop is installed. It MAY BE the case that when you set the whole shop subdomain under SSL and the rest, the normal site residing on the main domain, is not under SSL, this security problem may still affect the subdomain that is set under SSL as a whole. That is why I recommend, when having a site set up this way, to get feedback from a professional network advisor who can say with certainty if this may apply or may also fall under the low security risk. As I know that some have the whole domain under SSL, those may apply the update immediately. To get professional advice in these cases is always the best solution, as it is better to check it 20 times.
Michael Casha Friend
January 11, 2009 at 11:19 pm #285990
Please remain On-Topic when discussing the Joomla 1.5.9 release.
Hung Dinh Friend
January 13, 2009 at 4:40 am #286176
Thanks, wooohanetworks and everyone, for the notice.
We heard it and have this to tell you
wooohanetworks Friend
January 14, 2009 at 2:26 am #286308
Thank you, you are very welcome, you know my cautious standpoint. ;)
This topic contains 6 replies, has 4 voices, and was last updated by wooohanetworks 15 years, 11 months ago.