Joomla! TinyMCE DOS
Tuesday, 05 April 2011 10:23

Back in February, I reported an issue with TinyMCE to the Joomla! Security Strike Team. Since then, they "fixed" it in 1.6.1, but failed to do so for 1.5.23. Joomla! 1.5.x ships with a script that is supposed to cache gzipped copies of TinyMCE; not only is this script never used, but it also doesn't clean up after itself.

Last Updated on Tuesday, 05 April 2011 11:15
Joomla! 1.6.0 Multiple Minor Vulnerabilities
Tuesday, 08 March 2011 10:47

Now that 1.6.1 is officially released, I figured I'd go ahead and publish a few of the "sensitive" bugs I found in 1.6.0.

Last Updated on Tuesday, 08 March 2011 11:21
Joomla! JFilterInput XSS Bypass
Tuesday, 01 February 2011 09:21

Joomla! 1.5 and 1.6 rely on the JFilterInput class to sanitize user-supplied HTML. This class attempts to parse a given string for HTML code, checks that code against a whitelist of elements and attributes, and strips out anything that is not allowed. However, malformed HTML can be used to bypass the filter and inject XSS code into user-supplied input.

Last Updated on Tuesday, 01 February 2011 19:02
2010 Joomla! Security Extension Comparison
Monday, 20 December 2010 00:00

After having a couple different people ask me which Joomla! security extension I recommend, and having no real answer, I figured the best way was to simply try each one against various security risks and see which vectors are detected. This test should not be considered conclusive, and is not meant to endorse or defame any particular extension.

JMyLife 1.0.16 Released
Thursday, 02 December 2010 14:24

I'm happy to announce the availability of JMyLife 1.0.16. This release brings the ability to filter by date ranges and a new Frontend Edit mode.

Mosets Tree 2.1.6 Template Overwrite CSRF
Thursday, 18 November 2010 13:06

Mosets Tree <= 2.1.6 for Joomla! does not use anti-CSRF tokens in its admin forms.

Last Updated on Thursday, 18 November 2010 13:13
JMyLife 1.0.15 Released
Sunday, 31 October 2010 03:18

JMyLife 1.0.15 has been released. There are no new features in this release, only bug fixes.

To download an update, click on Account Maintenance in the login module and view your order - the latest release is linked at the bottom. JMyLife is set up as a complete upgrade package - no need to uninstall previous versions first!


The Joomla!® name is used under a limited license from Open Source Matters in the United States and other countries. Jeff Channell is not affiliated with or endorsed by Open Source Matters or the Joomla!® Project.