Over the Labor Day weekend I managed to upload and execute arbitrary PHP code on the Joomla! Extensions Directory. That site has been patched, but the patch is not yet publicly available. As soon as it is, I'll post the dirty details of the exploit I used to hack extensions.joomla.org!

Also, please note that I was given permission to do so and nothing of any value was harmed!

UPDATE: THE JED HAS BEEN PATCHED AND IS NO LONGER VULNERABLE! This was confirmed patched BEFORE this was posted, and WAS NOT EXPLOITED PREVIOUSLY! Nothing was harmed and nothing is at risk!

JComments 2.2.0.0 suffers from a persistent XSS vulnerability in the way it handles certain BBCodes.

Since the CompojoomComment Hacking Contest is now over, and I was the only winner, I figured I'd go ahead and share my winning entries. These vulnerabilities are present in CompojoomComment 4.1.5, and are all patched in the latest (4.1.7 at the time of this writing).

I had a request recently from Woman Poker Player to add the video site LinkedTube to the list of available video providers in JomSocial. After a bit of investigation, I ended up developing a solution based on the core YouTube library (as LinkedTube is really merely a wrapper for YouTube videos). I've been given permission to post this here for the benefit of the community, and I've sent it to Azrul as well for possible inclusion in the JomSocial core.