Four vulnerabilities in Joomla eliminated
Joomla 1.5.7 "Wovusani" has been released by the Joomla developers, closing four security problems. According to the Joomla Security Centre, the most critical flaw was a hole in JRequest, where variables set with JRequest::setVar were not sanitised when being retrieved later. They also listed a high severity issue with the random number generation within Joomla, which made it easier for a brute force attack to guess generated tokens and passwords.
Two low severity flaws were also fixed, one which allowed unvalidated URLs to be passed to the mailto component and another which allowed unvalidated URLs to be used in redirection. The Joomla developers recommend upgrading to Joomla 1.5.7, which also fixes a number of non-security bugs.
- Joomla 1.5.7 Security Release Now Available, Joomla release announcement
- Latest Security News, Joomla Security Center