[20121001] – Core – XSS Vulnerability

Oct10
by Ike on October 10, 2012 at 7:21 am
Posted In: CMS, Core Security, Joomla, security
  • Project: Joomla!
  • SubProject: All
  • Severity: Low
  • Versions: 3.0.0
  • Exploit type: XSS Vulnerability
  • Reported Date: 2012-October-01
  • Fixed Date: 2012-October-09

Description

Typographical error leads to XSS vulnerability in language search component.

Affected Installs

Joomla! version 3.0.0.

Solution

Upgrade to version 3.0.1

Reported by Jeff Channell

Contact

The JSST at the Joomla! Security Center.

└ Tags:
 Comment 

Parallels Plesk 10.4.4 MU#45

Oct10
by Ike on October 10, 2012 at 3:47 am
Posted In: Plesk, Releases

The following bug has been fixed:
[-] PCI compliance scanners are failing because Courier IMAP is not PCI compliant

└ Tags: ,
 Comment 

Joomla 3.0.1 Released

Oct10
by Ike on October 10, 2012 at 3:06 am
Posted In: CMS, Community, Joomla, Project Release News, Releases

joomla-3.0

The Joomla Project is pleased to announce the immediate availability of Joomla 3.0.1. This is a security release. This release also fixes several high-priority problems with version 3.0.0. 

IMPORTANT NOTE FOR 3.0.0 SITES: If you plan to update a site from 3.0.0 to 3.0.1, you need to install the Joomla 3.0.0 Hot Patch before doing the update to Joomla 3.0.1. See the Hot Patch Instructions for more information. This is NOT required for updating from version 2.5.x.  If you require the FTP layer you will need to manually FTP the update. Also, please note that version 3.0 users need to make sure the Update server is set to “Short Term Support” in the Joomla! Update component. Otherwise, no 3.0.x updates will show.

The Production Leadership Team’s goal is to continue to provide regular, frequent updates to the Joomla community. Learn more about Joomla! development at the Developer Site.

Download

New Installations: Click here to download Joomla 3.0.1 (Full package) »

Hot Patch (required for update from 3.0.0): Click here to download Joomla 3.0.0 Hot Patch »

Update Package: Click here to download Joomla 3.0.0 to 3.0.1 (Update package) »

Update Package: Click here to download Joomla 3.0.1 (for updates from Joomla 2.5)  (Update package)  »

Note: Please read the special update instructions before updating. Updating from 3.0.0 requires that you apply the hot patch first.

Instructions

Want to test drive Joomla? Try the online demo or the Joomla JumpBoxDocumentation is available for beginners.

Please note that you should always backup your site before upgrading.

Release Notes

Check the Joomla 3.0.1 Post-Release FAQs to see if there are important items and helpful hints discovered after the release.

Statistics for the 3.0.1 release period

  • Joomla 3.0.1 contains:
    • 1 security issue fixed
    • 1 new feature
    • 47 tracker issues fixed

Security Issues Fixed

New Feature

  • 29445 Allow different update packages for different version dev levels

    Until now, for both core auto updates and extension updates, update packages have been controlled by the 2-digit version number (e.g., 2.5, 3.0). It is not possible,for example, to have users of version 3.0.0 install a different update package than users of 3.0.1. This means the update packages are larger than they need to be. This feature allows for checking all three elements of a version number.

Tracker Issues Fixed

ID Summary/Link Category
25663 “Can’t build admin menu item” error while (re)installing component Administration
29419 *Missing client field (and other fields) when creating a new banner Administration
29426 *Missing list limit in Extensions Manager => Manage and Install Languages Administration
29367 *Filtering by category does not work for Featured articles Administration
29307 getComponentsWithConfig does not work for custom components Administration
29387 unpublish button don’t work Administration
29006 *J3.0 alpha 2.0 : Fieldset not working for plugin extension Administration
29268 Language dropdown too small in backend login using IE8 Authentication and Login
29399 Clean up code style Code Quality
28849 Publishing date instead of creation date in com_content/category/view.feed.php Components
28297 com_banners: BannersModelClients SQL error (group by banner id) Components
29358 A sinjgle contact does not send email and return 500 system error Components
29369 Updated sample data for SQL Azure database Database
29403 *Missing required=”true” in front-end login form Front End
29343 Remove installation folder’ button not always working Installation
29421 Auto update doesn’t work in version 3.0.0 Installation
29323 Problems in update from 2.5 to 3.0 Installation
29429 Can’t install Joomla update as an extension Installation
29385 Joomla 3.0 stable package has wrong file permissions Installation
29383 Language String TPL_HATHOR_COLOUR_CHOICE_BLUE Missing Languages
29380 Override Language String Created Cannot be Deleted Languages
29374 Languages Cannot be Installed Using Install Languages Languages
29408 images upload to the wrong folder in image manager Media Manager
29344 Javascript Error with JHTML tabs Platform
29431 Prostar Template not honouring module Title Hide. Templates
29211 Isis: Jumping table rows on mouseover Templates
29336 *Protostar page navigation does not work Templates
29414 Isis template showing User Name is not a good idea Templates
29410 Beez3 template_Details.xml needs a rework and beez3 itselfs needs additional files Templates
29407 *Isis wong implementation of the color parameter Templates
29393 beez3 CLOSE INFO Templates
29390 Components Title Truncated to 40 Bytes in ISIS Templates
29325 *article manager options – User Interface
29443 *Normalising isis UI part1 administrator folder User Interface
29414 Isis template showing User Name is not a good idea.  Templates
29387 unpublish button don’t work.  Administration
29446 One character too much in JFeedPerson  CMS Libraries
29262 Wrong file name in garbagecoro cli app  Administration
29394 beez3 — single contact.  Templates
29449 *Normalising isis UI part2 components, modules, plugins  Templates
29447 Broken installation with PostgreSQL.  Installation
29464 Untranslated string COM_INSTALLER_INSTALL_FTP  Languages
29452 beez3: change meta tag name from apple-touch-fullscreen to apple-mobile-web-app-capable. Templates 
29451 beez3: element closed before opened.  Templates
29454 multi level menus not support RTL languages well.  RTL
29074   Back-end: Unable to save FTP Settings – Catchable fatal error  Platform
29468 Additional places where null should be changed to array(). Platform

Joomla! Bug Squad

Thanks to the Joomla Bug Squad for their dedicated efforts investigating reports, fixing problems, and applying patches to Joomla. If you find a bug in Joomla, please report it on the Joomla! CMS Issue Tracker.

Active members of the Joomla Bug Squad during the past three months include: Aaron Wood, Andrea Tarr, Bill Richardson, Brian Teeman, Christophe Demko, Dean Clarke, Dennis Hermacki, Elin Waring, Emerson Rocha Luiz, Harald Leithner, Itamar Elharar, Jacob Waisner, James Brice, Janich Rasmussen, Jean-Marie Simonet, Kevin Griffiths, Loyd Headrick, Marijke Stuivenberg, Marius van Rijnsoever, Mark Dexter, Matt Thomas, Michael Babker, Neil McNulty, Nicholas Dionysopoulos, Nick Savov, Nikolai Plath, Ofer Cohen, Peter Wiseman, rachmat wakjaer, Radek Suski, rob clayburn, Roland Dalmulder, Rouven Weßling, Rune Sjøen, Samuel Moffatt, Shaun Maunder, Soheil Novinfard, Troy Hall, Viet Vu.

Bug Squad Leadership: Mark Dexter, Coordinator.

Joomla! Security Strike Team

A big thanks to the Joomla! Security Strike Team for their ongoing work to keep Joomla secure. Members include: Airton Torres, Alan Langford, Bill Richardson, Elin Waring, Gary Brooks, Jason Kendall, Jean-Marie Simonet, Jeremy Wilken, Marijke Stuivenberg, Mark Dexter, Michael Babker, Rouven Weßling, Samuel Moffatt.

How can you help Joomla development?

The great news is you don’t have to be a developer to help build Joomla. The Joomla Bug Squad is one of the most active teams in the Joomla development process and is always looking for people (not just developers) that can help with sorting bug reports, coding patches and testing solutions. It’s a great way for increasing your working knowledge of Joomla, and also a great way to meet new people from all around the world.

If you are interested, please read about us on the Joomla Wiki and, if you wish to join, email the Bug Squad coordinator.

You can also help Joomla development by thanking those involved in the many areas of the process.


└ Tags:
 Comment 

Joomla 3.0.3 Released

Oct09
by Ike on October 9, 2012 at 9:09 pm
Posted In: CMS, Community, Joomla, Project Release News, Releases

joomla-3.0

The Joomla Project is pleased to announce the immediate availability of Joomla 3.0.3. This is a security release. The Production Leadership Team’s goal is to continue to provide regular, frequent updates to the Joomla community. Learn more about Joomla! development at the Developer Site.

Download

New Installations: Click here to download Joomla 3.0.3 (Full package) »

Update Package: Click here to download Joomla 3.0.2 to 3.0.3 (Update package) »

Update Package: Click here to download Joomla 3.0.3 (for updates from Joomla 2.5)  (Update package)  »

Note: If you are running version 3.0.0 please read the special update instructions before updating.

Instructions

Want to test drive Joomla? Try the online demo or the Joomla JumpBoxDocumentation is available for beginners.

Please note that you should always backup your site before upgrading.

Release Notes

Check the Joomla 3.0.3 Post-Release FAQs to see if there are important items and helpful hints discovered after the release.

Statistics for the 3.0.3 release period

  • Joomla 3.0.3 contains:
    • 3 security issue fixed
    • 2 new features
    • 136 tracker issues fixed

Security Issues Fixed

New Features

Tracker Issues Fixed

ID Summary/Link Category
29763 Category list state change bug Administration
29635 * No message notification when new article is created Administration
29473 Fixed issue with hits_class not being defined when hits is 24 Administration
29921 *Com_content category list filter field wrong Options Administration
29676 *formatting at the PM System are lost Administration
29768 Internet Explorer -> Menu Item Select -> Popup unreadable Administration
29620 *Creating new position when editing module broken in master? Administration
29289 *No admin private message when an author submit a new content in frontend Administration
29762 *cpanel layout in backend messed up after adding feed to cpanel Administration
29764 Missing icon-pending in back-end Administration
29626 Commit for 29519 Breaks Wrapper Menu Item Type Administration
29821 Cannot select contact or newsfeed in modal after filtering Administration
29679 *Passwords fields not required when creating a new user in back-end Administration
29619 In the current version 3.0.2 (master branch, 03. Nov. 2012) some settings aren’t working. Administration
29660 Error 500 due to “missing alias column in assets table” Administration
28714 Authentication – Gmail: Apply Username suffix does not allow user to login with suffix already applied Authentication and Login
29995 No language tooltip at the Joomla Login Authentication and Login
29669 Consistent form validation notifications CMS Libraries
29700 Component installer and menus may return invisible bug CMS Libraries
28895 Missing closing Code Quality
29714 Code style fixes based on Jenkins, replace uses of JRequest Code Quality
29979 Codestyle pass 1 Code Quality
30035 code for page break plugin Code Quality
29903 Fix a reference in jDatabaseDriver Code Quality
29987 Code Style Part 2 Code Quality
29960 Correct language specification in components’ XML files Code Quality
29651 Removing try/catch clauses in ‘dispatch’ methods Code Quality
29895 Strict errors in categories models Code Quality
28087 PHP errors when all modules are removed Components
29836 *Weblinks, Newsfeeds, Contacts Search Filter (frontend) Components
30021 *Wrong parameters for Articles Category List layout Components
29693 *Position of Article Info. Setting Use Global not saved. Menu Manager: Edit Menu Item and Article Manager: Edit Article Components
29824 Smart search saves * in language field Components
29682 Adding an icon to the “reply” button in com_messages Components
28577 User Notes Search not working Components
29738 Weblinks Hits Display when set to hide Components
29952 template manager pagination broken Components
29913 *Com_content feed read more links broken Components
29989 *Media manager can’t upload is memory_limit is set to -1 Components
27903 invalid call to parent::getStoreId in getStoreId of NewsfeedsModelCategories (unused) Components
29905 Issue 29895 broke weblinks categories. Components
30007 Fix broken module installation in Postgresql because of NULL constraint Database
28533 Sqlsrv MSSQL Azure joomla.sql default constraints should all have defined names Database
27709 Saving in backend very slow when many user groups Database
29845 Joomla 3.0.2 Back-end Performance Issue with Item Associations (large #__associations table) Database
29345 MySQLi does not display SQL errors messages anymore. Database
29997 Email validation fails with longer top level domains Forms
20173 [PATCH] selective usage of editor’s buttons does not working Forms
29933 *’Article’ string above the TOS article and print icon not working with Protostar Front End
29827 Sematic & Accessibility fixes frontend Front End
29887 *Disable System redirect breaks 404 Front End
29838 the registration-mail does not contain username and password if activation is set to “none”. Even if “send password” is set to yes. Front End
28841 Username modification in frontend (Profile Edit) is not saved Front End
29904 *With plugin Language Filter enabled, user articles parameter in frontend shows all articles Front End
29862 *Filter_field Option missing in category list layout for Contact, Newsfeeds, Weblinks Front End
29715 *Submit an Article doesn’t work Front End
29941 *User Profile frontend tooltips same as backend ones Front End
29860 *Wrong display of Search and Clear buttons in Insert Article modal + RTL Front End
29927 *User Profile Plugin – Required TOS field not enforced Front End
29999 Fix fatal error in JInstallerFile::uninstall() Installation
29646 Some errors on Updater Installation
29712 Alternate fix for 29646 update changes Installation
29573 Remove unnecessary JS snippet from rules field Javascript
29705 blank login page J3.x beez3 Javascript
29691 Smart Search autocomplete.js issue Javascript
29998 Problem with grid sort Javascript
29668 language installer coordinator team URL must changed j3 TT Languages
29962 *303 when not using URL Language code in multilanguage-again Languages
29616 Missing JGLOBAL_CENTER in frontend language file Languages
29434 J3.0 Stable – Missing language value JLIB_INSTALLER_ABORT_PACKAGE_INSTALL_MANIFEST Languages
29852 Drop down chzn missing from end translation Languages
28616 Add French language stemmer to Smart Search Languages
29684 Wrong HTML markup on category edit Layouts
29217 *Status column missing in weblinks mobile view Layouts
29908 Allow use of text instead of icons in the login module Layouts
29865 JLayoutFile keeps rendering same layout Layouts
29776 com_media/plugin interaction Media Manager
29743 heading menu type renders bad html code Modules
29744 Submenu module missing closing A tag Modules
29710 mod_breadcrumbs: Custom separator is not applied Modules
29929 mod_custom with wrong client attribute Modules
28778 Incorrect Rendering of Breadcrumb Trail for Home Page Sub-Items Modules
29771 Inconsistent usage of module suffix at mod_menu and mod_breadcrumbs Modules
29558 Incorrect current menu item highlighting in mod_menu if ‘Base Item’ is not current. Modules
30000 Division by 0 problem in JCrypt Platform
29731 RSS feed gets corrupted when ampersand (&) or other escapable characters exist in Site Meta Description Platform
29417 sendMail automatically adds sender as replyTo Platform
25337 site on unc path, path.php removes \ for 2.5 only Platform
29197 Potential loop in JPagination Platform
29809 Callback logger wrongly named Platform
29694 Fix broken extension update Platform
30023 Faster sorting for languages Platform
30006 Add totally new classes and methods from the platform Platform
27699 Only text gets passed to content events in blog view Plugins
29871 email cloaking stripping class attribute Plugins
29469 CodeMirror looks a little bad Plugins
29665 *Cache plugin is not differentiating between Menu-Items Plugins
30031 *Notice: Undefined index: title in /plugins/content/pagebreak/pagebreak.php on line 197 Plugins
29727 Pagebreak plugin generates same ID for tabs and slides Plugins
29638 *admin dashboard statics not fully RTL RTL
29849 *RTL: Wrong display of Subcategories titles in Content Category List menu item RTL
29698 *Adding bootsrtap-rtl to compiler, correcting some rtl classes RTL
29914 *Login module wrong display in beez3 RTL RTL
29740 *HTML direction tag for Back-end login missed RTL
29954 *RTL: Wrong display of Subcategories titles in Content Category Blog and Categories menu items RTL
29621 The root asset has the wrong lft value in 3 files SQL Files
30026 *Reverting parts of tracker #29875 which breaks container-fluid class in Protostar- regression Templates
29906 *Viewing Access Levels order numbering is not shown Templates
29707 protostar pagination: active items li not closed Templates
29819 *Correcting Hathor admin login Templates
29917 *Beez3 RTL wrong display of items in category list Templates
29675 *Protostar error page tries to load search module even when module is not published Templates
30028 Ordering is not working in Beez3 article Category List Templates
29834 *Beez3 edit article wrong display Templates
29706 icon display in protostar pagination on active items Templates
29833 *Beez3 does not display Print, Mail, Edit, New icons Templates
29687 *Adapting hathor to new message using editor Templates
29907 *Protostar template does not display page break tab feature in a page. Templates
30043 *Correcting a few Hathor css issues Templates
29870 *Beez3 wrong messages display Templates
29959 *Show Create Date global article option does not work when it is the only option selected Templates
29749 *Correcting Hathor CPanel display Templates
29875 [Github #625] Protostar invalid class names for itemid, layout and task Templates
29994 Clear tooltips at template hathor Templates
29842 Display error by the contactform with IE 8 and 9 Templates
29439 Bootstrap clearfix improperly used. Templates
30015 *Isis tooltip text is always centered

Templates
29923 *Ordering in Featured Articles doesn’t work with isis administrator template User Interface
29653 *Correcting Isis media modal display User Interface
30018 *Isis calendar display issue User Interface
29363 Responsive layout during installation breaks User Interface
29654 *User Basic settings do not display when debug language on User Interface
29569 *Implementing accordeons for Modules Options User Interface
29528 Incorrect arrows in table heading. User Interface
22198 Weblinks module follow/no follow description User Interface
29210 Help page restricted to small window at top of screen User Interface

Joomla! Bug Squad

Thanks to the Joomla Bug Squad for their dedicated efforts investigating reports, fixing problems, and applying patches to Joomla. If you find a bug in Joomla, please report it on the Joomla! CMS Issue Tracker.

Active members of the Joomla Bug Squad during the past three months include: Aaron Schmitz, Akarawuth Tamrareang, Aleksander Linkov, Andrea Tarr, Andrew Eddie, Angelika Reisiger, Brian Teeman, Constantin Romankiewicz, Cristina Solana, Daria Mikhailova, Dennis Hermacki, Elin Waring, Harald Leithner, Jacob Waisner, James Brice, Jan Kuchař, Janich Rasmussen, Jean-Marie Simonet, Jonathan M. Cameron, Kevin Griffiths, Lukas Polak, Mark Dexter, Mark Lee, Michael Babker, Milton Bryant, Moises Jafet Cornelio-Vargas, Nicholas Antimisiaris, Nicholas K. Dionysopoulos, Nick Savov, Nikolai Plath, Ofer Cohen, Omar Ramos, Peter van Westen, Peter Wiseman, Rob Clayburn, Roberto Segura, Roland Dalmulder, Soheil Novinfard, Tessa Mero, Troy Thomas Hall, Viet Hoang Vu.

Bug Squad Leadership: Mark Dexter, Coordinator. Super-star contributors and leaders by example: Jean-Marie Simonet and Elin Waring.

Joomla! Security Strike Team

A big thanks to the Joomla! Security Strike Team for their ongoing work to keep Joomla secure. Members include: Airton Torres, Alan Langford, Bill Richardson, Elin Waring, Gary Brooks, Jason Kendall, Jean-Marie Simonet, Jeremy Wilken, Marijke Stuivenberg, Mark Boos, Mark Dexter, Michael Babker, Pushapraj Sharma, Rouven Weßling.

How can you help Joomla development?

The great news is you don’t have to be a developer to help build Joomla. The Joomla Bug Squad is one of the most active teams in the Joomla development process and is always looking for people (not just developers) that can help with sorting bug reports, coding patches and testing solutions. It’s a great way for increasing your working knowledge of Joomla, and also a great way to meet new people from all around the world.

If you are interested, please read about us on the Joomla Wiki and, if you wish to join, email the Bug Squad coordinator.

You can also help Joomla development by thanking those involved in the many areas of the process.

└ Tags:
 Comment 

Parallels Plesk Panel 11.0.9 MU#18

Oct09
by Ike on October 9, 2012 at 11:50 am
Posted In: Plesk, Releases

The following bug has been fixed:
[-] PCI compliance scanners are failing because Courier IMAP is not PCI compliant
[-] Parallels Premium Outbound Antispam license could not be applied due to wrong product name
[-] Russian locale has been updated

└ Tags:
 Comment 

50 queries. 9 mb Memory usage. 0.286 seconds.