Joomla! 2.5.x/3.5.0 XSS
Monday, 06 June 2016 02:06

Joomla! versions before 3.5.0, including the 2.5.x series (likely all the way back to 1.6.0, no regression testing done) are vulnerable to reflective XSS:

Last Updated on Monday, 06 June 2016 02:20
Whatever Happened To Jeff Channell?
Wednesday, 03 February 2016 20:14

Howdy folks...

It's been a long, long time since I've made any sort of updates here. Too long. Years.

A lot has happened in the past few years. Some of you know the whole story, some only bits and pieces, and the majority of you probably think I got hit by a bus or something.

Last Updated on Wednesday, 03 February 2016 21:01
Privately Public
Monday, 30 April 2012 02:50

This is a message that's privately public. If there's the slightest chance you're offended by profanity, please don't bother clicking "Read More," as what follows may be too vulgar for your senses. That said, bring on the poetry/freeform rant...

Joomla! 1.6/1.7/2.5 Privilege Escalation Vulnerability
Thursday, 15 March 2012 14:47

Joomla! 1.6.x/1.7.x/2.5.0-2.5.2 suffers from a privilege escalation vulnerability that allows users to be registered into any group not having 'core.admin' privileges.

Last Updated on Thursday, 15 March 2012 15:01
Joomla! Remember Me Cookie Encryption Issues
Wednesday, 28 September 2011 23:11

There is a serious problem with the way Joomla! handles the "remember me" login cookie. It is possible to decrypt the contents of this cookie and alter the serialized data inside, which could possibly lead to exploitation. Versions 1.5 through 1.7.1 are affected.

Last Updated on Monday, 17 October 2011 13:00
Joomla! TinyMCE DOS
Tuesday, 05 April 2011 10:23

Back in February, I reported an issue with TinyMCE to the Joomla! Security Strike Team. Since then, they "fixed" it in 1.6.1, but failed to do so for 1.5.23. Joomla! 1.5.x ships with a script that is supposed to cache gzipped copies of TinyMCE, but not only is this script never used, it also doesn't clean up after itself.

Last Updated on Tuesday, 05 April 2011 11:15
Joomla! 1.6.0 Multiple Minor Vulnerabilities
Tuesday, 08 March 2011 10:47

Now that 1.6.1 is officially released, I figured I'd go ahead and publish a few of the "sensitive" bugs I found in 1.6.0.

Last Updated on Tuesday, 08 March 2011 11:21

The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.