alepou Friend
March 28, 2009 at 1:11 pm #139678
Hello,
I just received the following info email, regarding the Joomla! upgrade to 1.5.10:
Joomla! Security News
[20090302] – Core – com_content XSS
Posted: 25 Mar 2009 10:08 AM PDT
- Project: Joomla!
- SubProject: com_content
- Severity: Low
- Versions: 1.5.9 and all previous 1.5 releases
- Exploit type: XSS
- Reported Date: 2009-March-12
- Fixed Date: 2009-March-27
Description
An XSS vulnerability exists in the category view of com_content.
Affected Installs
All 1.5.x installs prior to and including 1.5.9 are affected.
Solution
Upgrade to latest Joomla! version (1.5.10 or newer).
Contact
The JSST at the Joomla! Security Center.
[20090301] – Core – Multiple XSS/CSRF
Posted: 25 Mar 2009 10:02 AM PDT
- Project: Joomla!
- SubProject: Multiple
- Severity: Moderate
- Versions: 1.5.9 and all previous 1.5 releases
- Exploit type: XSS and CSRF
- Reported Date: 2009-February-15
- Fixed Date: 2009-March-27
Description
A series of XSS and CSRF faults exist in the administrator application. Affected administrator components include com_admin, com_media, com_search. Both com_admin and com_search contain XSS vulnerabilities, and com_media contains 2 CSRF vulnerabilities.
Affected Installs
All 1.5.x installs prior to and including 1.5.9 are affected. The com_search XSS vulnerability requires that “Gather Search Statistics” be enabled to be exploitable (Disabled by default).
You may also read more, here: http://www.joomla.org/announcements/release-news/5231-joomla-1510-security-release-now-available.html
How will the above upgrade affect our templates?
Arvind Chauhan Moderator
March 28, 2009 at 1:44 pm #298690
> This is a security release and users are strongly encouraged to upgrade immediately.
> This release contains 66 bug fixes, one low-level security fix, and one moderate-level security fix. It has been 11 weeks since Joomla 1.5.9 was released on January 10, 2009. The Development Working Group’s goal is to continue to provide regular, frequent updates to the Joomla community.
It being a security update, there’s no reason to hold the upgrade, irrespective of its effect on the templates. Securing Joomla should be a priority, I think.
Regards
wooohanetworks Friend
March 28, 2009 at 5:04 pm #298699
@alepou 121069 wrote:
> How will the above upgrade affect our templates?

Hey Alepou, those updates only affect your templates when:
1. You are doing the update and have made changes to the Joomla Core files
Joomla Core files are all those files like templates, modules, components, images folder etc., for templates those that are NOT located inside your /templates/ja_template folder for example. In this case, not the templates may cause errors but you may miss some functions you earlier added to the core of your Joomla system, and when those were coded by you to stand in a direct relationship with your template, also your template may be affected.
Normally, someone who made core changes to the system and does an update can experience that some particular customizations may be gone after the update, but as not all Joomla core files are replaced, this also must not happen but can happen, always in regards to what was changed and what will be updated. When you made changes to a file that now is updated with a new one, the changes made will be gone.
- That means all what is kept in those folders of non-default Joomla templates, will not be changed in any way. Sometimes the Joomla updates also include updates to the templates that come with Joomla like rhuk_milkyway, beez and ja_purity, but the files in your custom template folder like Joomlart.com templates will stay untouched.
- Same applies to custom modules and components later added, those also will not be altered or changed, overwritten or deleted by the update process.
- Files inside your images folder or any other folder you created will also stay untouched and not be altered or changed or deleted.
- When you have made changes to any of the core files it may affect your site in ways that custom core changes you made may be overwritten, but that must not happen, and always only happens to those files that are actually updated by the new release as the update is not a complete new Joomla, only contains those files that need to be updated.
Example: I had to make some changes to the contact form that comes with Joomla on one site, so I saved the particular file before doing the update. I did the update and checked the file again by reopening it, and it is still the one I made changes to. That means the update release 1.5.10 does not have any update to the contact form file I altered and any core changes to this basic component were not deleted. On earlier updates, this file may have been affected, but this time not.
- In common practice, one should only alter core files when knowing what one does, makes some notes on what was changed where, so for the case an altered file was replaced with a new one, due to some bug or security issue within the file, you still can restore the changes you made later.
2. You do not upgrade and are subject to the security issues that may affect your site when particular third parties could intrude into your system because you have not updated your system. You are simply running your site with an outdated Joomla version.
Like I said, I just made the update on one of my sites and no problems occurred. It took less than a minute. You simply have to upload the folders in the release zip to your server and accept that all files that need to be updated can be overwritten.
- When you feel insecure with doing the update on your own you should first check out some docs and forum threads on Joomla.org or even ask someone with more experience to do this for you. With some more complex sites, I also haven’t done this on my own, as a pro also gives you the guarantee that in case there are any problems that those will be solved, as this is what you pay a pro for. But in any case, I would recommend making a backup of the site before doing the update; this can save you a lot of trouble.
Much success!
alepou Friend
March 28, 2009 at 5:11 pm #298700
Thank you, both!
Actually, I’ve added some components and modules; a couple of them, needed to “touch” some files… but as I’m not working on my Joomla! site the last month, I have to re-read all instructions and see which ones… In addition to this, I guess… I have to take a look the next days, to the additional stuff installed, in order to see if there are changes from their developers.
In any case, thank you once again! 🙂
wooohanetworks Friend
March 28, 2009 at 5:18 pm #298702
@alepou 121086 wrote:
> Thank you, both!
> Actually, I’ve added some components and modules; a couple of them, needed to “touch” some files… but as I’m not working on my Joomla! site the last month, I have to re-read all instructions and see which ones… In addition to this, I guess… I have to take a look the next days, to the additional stuff installed, in order to see if there are changes from their developers.
> In any case, thank you once again! :)

Normally those files that need to be touched should not be changed in ways that suddenly your component does not work anymore. In case this would apply I would say the better extension developers would mention this in their forums etc. shortly after the new release of Joomla.
But to avoid that anything does not work like it should, a back up of the site is mandatory before doing the update. As when you experience problems with components after the update, you can first bring the old site back and see how to solve those errors to later make a new update.
The best option would be to make a mirror site of yours with the extensions you worry about and make an update with this as a test first, when everything works out after the update you can either also make the update to the live site without having to go the worrying way or maybe when you have the infrastructure to do so, you point the domain on the new updated mirror site and make the old one the back up.
When you want to be assured to know what will be updated with the new release, you should always study the latest changelog first. Also when the files to be changed are not listed, you may figure out what may be changed. To know what files will be changed to a 100% you can always go over the new release data contained in the folders for the update and will see all files that actually will be changed before you make the update. In case you made changes to files on your server that are now about to be updated, part of the new release, you may be assured that you will have to make any custom changes again after the update.
Changelog and news plus download:
This topic contains 5 replies, has 3 voices, and was last updated by wooohanetworks 15 years, 8 months ago.
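The pre-update check described in the thread (go through the files in the release package to see which ones will be overwritten, and which of your own core edits will be lost), as an added example that is not part of the original posts or of Joomla! itself. It assumes the update archive has been extracted to a directory laid out like the site root; the function names and the sample paths are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def digest(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plan_update(package, site, pristine=None):
    """Classify each file of the extracted update package against the live site.

    package:  extracted update archive, laid out like the site root (assumption)
    site:     live document root
    pristine: optional clean copy of the release currently installed; without it,
              locally edited files cannot be told apart from stock ones
    """
    report = {"new": [], "unchanged": [], "overwritten": [], "custom_lost": []}
    for src in sorted(p for p in Path(package).rglob("*") if p.is_file()):
        rel = src.relative_to(package)
        live = Path(site) / rel
        clean = Path(pristine) / rel if pristine else None
        if not live.is_file():
            kind = "new"                      # update adds this file
        elif digest(live) == digest(src):
            kind = "unchanged"                # overwrite is a no-op
        elif clean and clean.is_file() and digest(clean) != digest(live):
            kind = "custom_lost"              # local core edit will be overwritten
        else:
            kind = "overwritten"              # stock file replaced by the update
        report[kind].append(rel.as_posix())
    return report


def demo():
    """Run plan_update on a constructed three-tree sample (all paths are made up)."""
    trees = {
        "package": {"core/view.php": "v2", "core/form.php": "f2",
                    "core/same.php": "s1", "core/added.php": "a1"},
        "pristine": {"core/view.php": "v1", "core/form.php": "f1",
                     "core/same.php": "s1"},
        "site": {"core/view.php": "v1", "core/form.php": "f1 + my edit",
                 "core/same.php": "s1", "templates/ja_template/index.php": "tpl"},
    }
    with tempfile.TemporaryDirectory() as tmp:
        for tree, files in trees.items():
            for rel, body in files.items():
                path = Path(tmp, tree, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return plan_update(Path(tmp, "package"), Path(tmp, "site"), Path(tmp, "pristine"))
```

Files that exist only on the site, such as the custom template folder in the sample, never appear in the report because the package does not contain them.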