Joomla! 1.5 and 1.6 rely on the JFilterInput class to sanitize user-supplied html. This class attempts to parse any given string for html code, checks the code against a whitelist of elements and attributes, and strips out any code that is not allowed. However, malformed html code can be used to bypass the filter and inject XSS code into user-supplied input.
Thursday, 18 November 2010 13:06
Moset's Tree <= 2.1.6 for Joomla! does not use anti-CSRF tokens in its admin forms.
Last Updated on Thursday, 18 November 2010 13:13
Thursday, 07 October 2010 16:47
The guys over at YGN posted a video today of a 0-day Joomla! 1.5.20 XSS flaw. I've taken a look and have a quick fix that should prevent exploitation.
Last Updated on Thursday, 07 October 2010 22:04
Monday, 04 October 2010 19:52
Today, I threw together a site and released a new project into the wild: Biziant Sentry.
Biziant Sentry is currently in alpha and is not recommended for use on production sites! I've released this in the hopes that the community will come together and help make this project the best that it can be!
Monday, 04 October 2010 00:00
SOBI2's admin panel doesn't explicitly check for _POST requests, nor does it have a nonce.
Last Updated on Monday, 04 October 2010 13:22
The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.