o This should fix the http://secunia.com/advisories/33377/
vulnerability, so drop it from the TODO list
This update consisted mostly of adapting to the new set of files
and directories (and the old ones which are no longer installed),
i.e. adapting the PLIST.
Changelog:
---------------- 1.0.11 Stable Released -- [28-August-2006 20:00 UTC] ------------------
This Release Contains the following 26 Security Fixes
Joomla! utilizes the Open Web Application Security Project (OWASP) Top Ten Project to categorize security vunerabilities found within Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
--- - - - - - - - - ---
04 HIGH Level Threats fixed
A1 Unvalidated Input
* Secured mosMail() against unvalidated input
* Secured JosIsValidEmail() - in previous versions the existance of an email address somewhere in the string was sufficient
A6 Injection Flaws
* Fixed remote execution issue in PEAR.php
* Fixed Zend Hash Del Key Or Index Vulnerability
--- - - - - - - - - ---
04 MEDIUM Level Threats fixed
A1 Unvalidated Input
* globals.php not included in administrator/index.php
A2 Broken Access Control
* Added Missing defined( '_VALID_MOS' ) checks
* Limit Admin `Upload Image` from uploading below `/images/stories/` directory
* Fixed do_pdf command bypassing the user authentication
--- - - - - - - - - ---
18 LOW Level Threats fixed
A1 Unvalidated Input
* Hardened Admin `User Manager`
* Hardened poll module
* Fixed josSpoofValue function to ensure the hash is a string
A2 Broken Access Control
* Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
* Fixed emailform com_content task bypassing the user authentication
* Limit access to Admin `Popups` functionality
A4 Cross Site Scripting
* Fixed XSS injection issue in Admin `Module Manager`
* Fixed XSS injection issue in Admin `Help`
* Fixed XSS injection issue in Search
A6 Injection Flaws
* Harden loading of globals.php by using require() instead of include_once();
* Block potential misuse of $option variable
* Block against injection issue in Admin `Upload Image`
* Secured against possible injection attacks on ->load()
* Secured against injection attack on content submissions where frontpage is selected
* Secured against possible injection attack thru mosPageNav constructor
* Secured against possible injection attack thru saveOrder functions
* Add exploit blocking rules to htaccess
* Harden ACL from possible injection attacks
-- -- -- -- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- ---- -- --
28-Aug-2006 Rey Gigataras
# SECURITY A6 [ LOW Level ]: Block potential misuse of $option variable
28-Aug-2006 Andrew Eddie
# SECURITY A6 [ LOW Level ]: Harden ACL from possible injection attacks
24-Aug-2006 Rey Gigataras
# SECURITY A6 [ LOW Level ]: Add exploit blocking rules to htaccess
# SECURITY A6 [ LOW Level ]: Harden loading of globals.php by using require() instead of include_once();
+ Installation Security Warning check
+ Admin & Installation Version age warning
23-Aug-2006 Rey Gigataras
# SECURITY A2 [ MEDIUM Level ]: Missing defined( '_VALID_MOS' ) checks
+ Admin Security Warning check
21-Aug-2006 Rey Gigataras
# SECURITY A1 [ LOW Level ]: Hardened Admin `User Manager`
19-Aug-2006 Rey Gigataras
# SECURITY A2 [ MEDIUM Level ]: Limit Admin `Upload Image` from uploading below `/images/stories/` directory
# SECURITY A2 [ LOW Level ]: Limit access to Admin `Popups` functionality
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Module Manager`
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Admin `Help`
# SECURITY A4 [ LOW Level ]: [topic,73761] : XSS injection issue in Search
# SECURITY A6 [ LOW Level ]: [topic,73761] : Block against injection issue in Admin `Upload Image`
19-Aug-2006 Enno Klasing
# SECURITY A1 [ HIGH Level ]: Secured mosMail() against unvalidated input
# SECURITY A1 [ HIGH Level ]: Secured JosIsValidEmail() - in previous versions the existance of an email address somewhere in the string was sufficient
# SECURITY A2 [ LOW Level ]: Secured com_content to not allow the tasks 'emailform' and 'emailsend' if $mosConfig_hideEmail is set
# Fixed : Empty subject in com_content mail2friend no longer possible
# Fixed : Show error message if com_content mail2friend fails
# Fixed : Show error message if com_contact mail fails
^ Moved all instances of is_email() amalgamated into JosIsValidEmail in /includes/joomla.php
18-Aug-2006 Rey Gigataras
# SECURITY A1 [ MEDIUM Level ]: globals.php not included in administrator/index.php
# SECURITY A2 [ MEDIUM Level ]: do_pdf command bypasses the user authentication
# SECURITY A2 [ LOW Level ]: emailform com_content task bypasses the user authentication
# SECURITY A1 [ LOW Level ]: harden poll module
# Fixed [topic,72209] : Mambots fired on Modules
+ enable selective disabling of `Email Cloaking` bot via {emailcloak=off}
17-Aug-2006 Rey Gigataras
+ PERFORMANCE : Cache handling expanded to com_content showItem
# Fixed [artf5266] : Blog-view shows "more..." even without intros
# Fixed [topic,81673] : frontend.php itemid issue
17-Aug-2006 Mateusz Krzeszowiec
# Fixed logging query before applying LIMIT
15-Aug-2006 Marko Schmuck
# SECURITY A6 [ LOW Level ]: possible injection attacks on ->load()
15-Aug-2006 Andrew Eddie
# SECURITY A6 [ HIGH Level ]: remote execution issue in PEAR.php
15-Aug-2006 Mateusz Krzeszowiec
# PERFORMANCE [topic,83325] : SQL LIMIT in com_content frontend
14-Aug-2006 Andrew Eddie
# SECURITY A6 [ LOW Level ]: Injection attack on content submissions where frontpage is selected
# SECURITY A6 [ LOW Level ]: possible injection attack thru mosPageNav constructor
# SECURITY A6 [ LOW Level ]: possible injection attack thru saveOrder functions
07-Aug-2006 Andrew Eddie
# SECURITY A6 [ HIGH Level ]: Zend Hash Del Key Or Index Vulnerability
# SECURITY A1 [ LOW Level ]: josSpoofValue function to ensure the hash is a string
28-July-2006 Robin Muilwijk
# Fixed [artf5291] : missing onChange javascript code for filter field
27-July-2006 Robin Muilwijk
# SECURITY A2 [ MEDIUM Level ]: [artf5335] : missing direct access line
# Fixed [artf5282] : missing table row tag and self closing tag
# Fixed [artf5297] : small html errors
17-July-2006 Robin Muilwijk
# Fixed [artf5157] : typo in media manager
# Fixed [artf5218] : duplicate entry of artf5157, typo in media manager
03-July-2006 Rey Gigataras
# Fixed [artf5181] : 5 step for unrecoverable admin-page crash.
# Fixed [artf5123] : Wrong name of function in joomla.cache.php
# Fixed [artf5126] : includes/database.php uses deprecated function
# Fixed [artf5171] : mosGetParam Default value issue
# Fixed [artf5112] : A mere mistake in the file contact.html.php
---------------- 1.0.10 Stable Released -- [26-June-2006 00:00 UTC] ------------------
This Release Contains following Security Fixes
Joomla! utilizes the Open Web Application Security Project (OWASP) web application security system to categorize security vunerabilities found within Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
03 HIGH Level Threats fixed in 1.0.10
A1 Unvalidated Input
* A1 - Secured `Remember Me` functionality against SQL injection attacks
* A1 - Secured `Related Items` module against SQL injection attacks
* A1 - Secured `Weblinks` submission against SQL injection attacks
01 MEDIUM Level Threats fixed in 1.0.10
A4 Cross Site Scripting
* A4 - Secured SEF from XSS vulnerability
05 LOW Level Threats fixed in 1.0.10
A1 Unvalidated Input
* A1 - Hardened frontend submission forms against spoofing
* A1 - Secured mosmsg from misuse
* A1 - Hardened mosgetparam by setting variable type to integer if default value is detected as numeric
A4 Cross Site Scripting
* A4 - Secured com_messages from XSS vulnerability
* A4 - Secured getUserStateFromRequest() from XSS vulnerability
-- -- --
25-June-2006 Rey Gigataras
# SECURITY A1 [ Low Level ]: mosgetparam sets variable type to integer if default value is detected as numeric
# Fixed [artf5091] : Missing closing "}" in one of PatFactory templates
# Fixed [topic,71858] : Content Archive issue when caching on
# Fixed [topic,71859] : Unable to login frontend
# Fixed [topic,67902] : SEF.php breaking community builder homepages
23-June-2006 Rey Gigataras
# SECURITY A1 [ Low Level ]: mosmsg hardened
# Fixed [artf5059] : Blog ordering, items by - most hits
# Fixed [artf4969] : Missing Itemid in readmore with multi category blog
# Fixed [artf5083] : Problem with Description/Description Image parameters of "List - Content Section"
# Fixed [topic,67719] : Email Cloaking Ads extra space after cloaked address
# Fixed [topic,66966] : E-mailing Cloaking Issue
# Fixed [topic,67141] : pathway empty when showing poll results
# Fixed [topic,67068] : Caching of Custom Heads still not working (not a full fix)
21-June-2006 Alex Kempkens
# Fixed [artf5051] : Making cache aware of different languages
! Be aware that it is now important to include all parameters, even optional once, in the cached calls.
21-June-2006 David Gal
# Fixed [topic,66858] : Can't set language
21-June-2006 Rey Gigataras
# SECURITY A4 [ Medium Level ]: XSS vulerability when using SEF
# SECURITY A4 [ Low Level ]: XSS vulerability in com_messages
# SECURITY A4 [ Low Level ]: XSS vulerability in getUserStateFromRequest()
# Fixed [artf4976] : htaccess file instructions confusing users
# Fixed [artf4917] : PHP getenv function fails in ISAPI mode
# Fixed [topic,69083] : mambots not being applied to `User` Module content
# Fixed [topic,69894] : Filter doesn't work when cache on
20-June-2006 Rey Gigataras
# Fixed [artf5025] : Category Titles with an Apostraphe leave a leading slash
# Fixed [artf4927] : blocked user receives wrong error message
# Fixed [topic,70612] : Very small text error in file sample_data.sql
# Fixed [topic,69871] : mossef notice
# Fixed [topic,68031] : Problems with banner.php
# Fixed [topic,67826] : content.html weblinks.html display issues in Opera
# Fixed [topic,67594] : Extra space in content.html.php
# Fixed [topic,67016] : ATOM 0.3 Always enable even I disable ATOM 0.3 in Administrator Panel
19-June-2006 Rey Gigataras
# SECURITY A1 [ High Level ]: `Remember Me` functionality SQL injection vulnerability
# SECURITY A1 [ High Level ]: `Related Items` module SQL injection vulnerability
# SECURITY A1 [ High Level ]: `weblinks` submission SQL injection vulnerability
# SECURITY A1 [ Low Level ]: frontend submission forms hardened against spoofing
# Fixed [artf5031] : Frontend Editing of Content Changes Start Publishing Time
# Fixed [artf4951] : author submitting content gets error message
# Fixed [artf5028] : Page navigation incorrect on pages viewed through archive module
16-June-2006 Rey Gigataras
# Fixed [artf5006] : Contact-item print button
# Fixed [artf4925] : alt="" not always output 1.0.9
# Fixed [artf4921] : anchor links break
# Fixed [artf4888] : too many columns in table layout of params
# Fixed [topic,66859] : Table views of content category in backend
# Fixed [topic,68201] : Permissions check page missing /mambots/system/
# Fixed [topic,67115] : Error warning frontend.php
# Fixed [topic,67144] : Check for status of SEF in mossef incorrectly commented out
# Fixed [topic,67279] : Voting/Rating not working when disabled globally, but enabled locally for selected items
# PERFORMANCE [topic,63468] : mod_fullmenu unnecessary count of archived items in section query
12-June-2006 Rey Gigataras
# Fixed [artf4913] : Poll Module breaks "Add Article"
# Fixed [artf4929] : Finish date not shown
# Fixed [artf4881] : Extra space in English email text string
# Fixed [topic,68467] : If 2 polls published - voiting on second poll not work
10-June-2006 Robin Muilwijk
# Fixed [topic,68168] : Typo /administrator/components/com_content/admin.content.html.php - line 478
# Fixed [topic,68168] : Typo /administrator/components/com_typedcontent/admin.typedcontent.html.php - line 266
---------------- 1.0.9 Stable Released -- [05-June-2006 16:00 UTC - Rev 3876] ------------------
This Release Contains following Security Fixes
Joomla! utilizes the Open Web Application Security Project (OWASP) web application security system to categorize security vunerabilities found within Joomla!
http://www.owasp.org/index.php/OWASP_Top_Ten_Project
12 Low Level Threats in 1.0.9
A1 Unvalidated Input
* A1 - Harden mosmsg
* A1 - Hardening of backend `User Manager` to stop 'Adminstrators' from being able to create 'Super Administrator' users
A2 Broken Access Control
* A2 - Breadcrumbs title visibility even when access restricted
* A2 - 'Edit Your Details' page now needs a published menu item to be accessible
* A2 - 'Check-In My Items' page now needs a published menu item to be accessible
* A2 - 'Submit News' page now needs a published menu item to be accessible
* A2 - 'Submit Weblink' page now needs a published menu item to be accessible
* A2 - Add ability to selectively disable certain types of syndicated feeds
* A2 - Ensure module caching does not inadvertently make special level modules visible to registered users
* A2 - Add ability to totally disable access to frontend login page
* A2 - Add ability to disable frontend user params
A3 - Broken Authentication and Session Management
* A3 - Changes to access level of user account will kill any active session for that user
--
04-June-2006 Rey Gigataras
# Fixed [artf4878] : inlegal dates in mysqll tables
# Fixed : missing content cache clearing calls
03-June-2006 Rey Gigataras
# Fixed [artf4864] : /includes/frontend.php
# Fixed [topic,66138] : Invailid Session at Admin login
# Fixed [topic,66044] : Installation checks
# Fixed [topic,66276] : admin password ="0"
# Fixed : No ability to set Cache time for Syndication modules
# Fixed : `Remember Expired Admin page` functionality changed from 600 seconds to half the `Admin Session Lifetime` value
# Fixed : Admin session purge (to limit only one active session per account) deleting frontend logged in session
03-June-2006 Robin Muilwijk
# Fixed [topic,66360] : Fatal error com_contact/contact.php
01-June-2006 Rey Gigataras
# Fixed : New Global Config params (added in 1.0.9) not created on clean install
31-May-2006 Rey Gigataras
# SECURITY A2 [ Low Level ]: New `Global Config` param to allow disabling of Frontend Login
# SECURITY A2 [ Low Level ]: New `Global Config` param to allow disabling of Frontend User params
# Fixed [artf4844] : initial setup failure on IIS when installed in subdirectory
# Fixed [topic,65009] : "Email to Friend" Can Send Unusable URLs
# Fixed [topic,65604] : Notices when adding static content
# Fixed [topic,65485] : Bug with menu item selector
# Fixed : DB error when attempting a checkin action after cancelling from creating a New item
30-May-2006 Rey Gigataras
# Fixed [topic,65381] : Override Created Date
# Fixed [artf4830] : top menu items reversed in madeyourweb template
29-May-2006 Rey Gigataras
# SECURITY A2 [ Low Level ]: [artf4752] : caching makes modules assigned to special user visible to registered users
# Fixed [artf4812] : In footer.php (C) should be (c)
# Fixed [artf4806] : typo in mambots/search/contacts.searchbot.php causes sef errors
# Fixed [artf4752] : patTemplate strip comments problems
# Fixed [artf4752] : rss.php unnecessary logic code check
# Fixed [topic,64994] : problem with related items
# Fixed [topic,64046] : adding new content Frontend fails with Authorization Error
27-May-2006 Rey Gigataras
# Fixed [topic,64308] : cache and content items on frontpage
# Fixed [topic,63824] : Notice on com_contact
# Fixed [artf4801] : inputFilter::filterTags prints unexpected text
23-May-2006 Rey Gigataras
# Fixed [topic,63674] : MySQL 5 strict mode in Admin Backend
22-May-2006 Rey Gigataras
# PERFORMANCE [topic,63468] : slow auto-login because of new MD5 calculations on whole users DB
# Fixed [topic,63446] : Category and Section
21-May-2006 Rey Gigataras
# Fixed [artf4714] : Can't add Menu Item :: Link - Static Content
# Fixed : "Unique Itemid" handling for `Link - Content Item`
# Fixed : Add "Unique Itemid" handling for `Link - Static Content`
# Fixed [artf4714] : Can't add Menu Item :: Link - Static Content
# Fixed [topic,62056] : Copyright date
20-May-2006 Rey Gigataras
# Fixed [artf4733] : Module Manager reorder via save button broken
# Fixed [artf4736] : Quotation marks in Site Name
# Fixed [topic,63257] : Notice when creating new category
18-May-2006 Rey Gigataras
# Fixed [artf4700] : pathway ampReplaces item name twice
# Fixed [artf4712] : 'type' of $mosConfig_error_reporting does not match code
+ Remember Expired Admin page functionality
17-May-2006 Rey Gigataras
# Fixed [artf4673] : setlocale
# Fixed [artf4685] : unhandled fragment identifier with core SEF enabled
# Fixed [artf4678] : Print, PDF and email buttons aren't accessible
# Fixed [topic,62124] : Hover for icons when editing content in front-end
# Fixed [topic,62165] : Canot login - admin_session_life not set
15-May-2006 Rey Gigataras
# Fixed [topic,61926] : Frontend static language text
# Fixed [topic,61971] : E-mail cloaking broken, TinyMCE `mce_href` problem
# Fixed : Frontend Content editing does not display correct publishing date/time
# Fixed : Frontend Content editing incorrect handling of 'Never' in `Finish Publishing`
# Fixed : Incorrect date/time values on `Content Items Manager` and `Static Content Manager` pages
14-May-2006 Rey Gigataras
* SECURITY A2 [ Low Level ]: add ability to selectively disable certain types of syndicated feeds
^ Upgrade to TinyMCE 2.0.6.1
# Fixed [topic,61897] : Changing any parameter for logged user returns to login screen
13-May-2006 Rey Gigataras
* SECURITY A1 [ Low Level ]: [artf4529] : User with access to administration area can easly create super administrator.
# Fixed [artf4555] : Slight Bug in registration system
# Fixed [artf4641] : Module sites with one template - modules should not show up - itemid issue
# Fixed : `Itemid=99999999` appearing in next & prev navigation links
# Fixed : `Itemid=` appearing in `Blog` links items
13-May-2006 Andrew Eddie
# Fixed [artf3302] : PatTemplate custom Functions getpage() undefined
12-May-2006 Louis Landry
# Fixed [artf4284] : database::load() resets private properties
12-May-2006 Rey Gigataras
# Fixed [topic,60970] : Finish Publishing Time not working as expected
11-May-2006 Rey Gigataras
# Fixed [artf4614] : Warning in mosCreateGUID
# Fixed [artf4619] : task=category shows unpublished items
# Fixed [artf4621] : Media manager with long filenames = no button
# Fixed [artf4613] : Sub Menu Item deletion Security Bug
# Fixed [artf4613] : Restoring menu items without a valid parent
# Fixed [topic,59258] : bug when editing user profile
# Fixed [topic,61190] : Menu Item Inconsistency
10-May-2006 Sam Moffatt
# Fixed issue with login directly after activation causing error, now redirects to index.php
09-May-2006 Rey Gigataras
# Fixed [artf4577] : saveUser in com_user has incorrect escaping for password
28-Apr-2006 Alex Kempkens
# Fixed artf : Language loading incorrect in offline mode (related to Joom!Fish language changes)
27-Apr-2006 Rey Gigataras
+ Support for restricting ability to access certain functionality for demo sites
# Fixed [artf4527] : incorrect style in function botNoEditorEditorArea
# Fixed [topic,57926] : mod_poll.php Warning
26-Apr-2006 Rey Gigataras
# Fixed [artf3912] : Pear's cache lite and safe_mode
# Fixed [artf3711] : mosemailcloak generates invalid XHTML
# Fixed [artf3251] : Wrong file count in Media Manager
# Fixed [artf3196] : com_media does not properly manage file names with simple quotes (')
25-Apr-2006 Rey Gigataras
^ PERFORMANCE [topic,54215] : MOSimage array affects edit page load time
24-Apr-2006 Rey Gigataras
* SECURITY A3 [ Low Level ]: logged in user session are not affected by changes of user account
# Fixed [artf4503] : Hardcoded text in page navigation
# Fixed [artf4473] : Bad char in search
# Fixed [artf4499] : Editing Quotated Menu Item
# Fixed [artf4472] : Creating New User system message only sends to superusers
# Fixed : Unable to 'Delete' `Super Administrator` - with check to ensure at least one active `Super Administrator` still exists
# Fixed : Unable to 'change' group of `Administrator` & `Super Administrator` - with check to ensure at least one active `Super Administrator` still exists
20-Apr-2006 Rey Gigataras
* SECURITY A3 [ Low Level ]: Allow only one session per user account in Admin Backend
+ Allow `save` and `apply` actions to be completed before logging out expired sessions
20-Apr-2006 Andrew Eddie
# Fixed slow query in com_polls
# Fixed return address errors in patErrorManager
# Fixed MySQL 5 error when saving menu items
18-Apr-2006 Rey Gigataras
+ Javascript validation checks to mod_poll
16-Apr-2006 Rey Gigataras
# Fixed [artf4424] : gethostbyaddr(): Address is not a valid IPv4 or IPv6 address
# Fixed [artf4407] : Image preview doesn't work with custom directory
# Fixed [topic,54741] : Who's Online guest count increments with RSS feed access
14-Apr-2006 Rey Gigataras
# Fixed [artf4400] : Search: Itemid in mod_search also finds trashed Itemid's
# Fixed [artf4399] : Search title in com_search is never from language file
12-Apr-2006 Rey Gigataras
# Fixed [artf4346] : $mainframe->login($username,$pwd) compatibility broken
# Fixed : `body` parameter for mailto tags
11-Apr-2006 Rey Gigataras
# Fixed [artf4340] : Itemid on menu - multiple links to same content
# Fixed : cache support for `Blog - Content Section Archive` & `Blog - Content Category Archive`
# Fixed : SEF.php incorrect handling of `mailto` & `javascript` links
# Fixed : $shownoauth default value in `configuration.php-dist`
# Fixed : `live_bookmarks` not being disbaled properly by security check;
# Fixed : admin `contact` and `weblink` ordering
08-Apr-2006 Rey Gigataras
# Fixed [topic,45136.0] : stop Cache system from creating large amount of Cache files
# Fixed [artf4302] : 'Read more' link is always displayed if 'Linked Titles' option enabled
# Fixed [artf4304] : Bugs in search.html.php
# Fixed : Content Popup page behaviour
07-Apr-2006 Rey Gigataras
# Fixed [artf4294] : InputFilter failed escaping string
# Fixed [artf4050] : mod_mainmenu.php not setting id=active_menu
06-Apr-2006 Rey Gigataras
* SECURITY A2 [ Low Level ]: check for menu item added to 'Edit Your Details' page
* SECURITY A2 [ Low Level ]: check for menu item added to 'Check-In My Items' page
* SECURITY A2 [ Low Level ]: check for menu item added to 'Submit News' page
* SECURITY A2 [ Low Level ]: check for menu item added to 'Submit Weblink' page
# Fixed [artf4282] : Extra Empty Menu Span Tags
05-Apr-2006 Rey Gigataras
# Fixed [artf4010] : When creating new module. Two modules are created when clicking save
02-Apr-2006 Rey Gigataras
# Fixed [artf3575] : Correction needed in stylesheet
# Fixed [artf4089] : Problem with domit, extended characters and PHP 5.0.2
01-Apr-2006 Rey Gigataras
# Fixed [topic,50547.0.html] : Print statement left in class.inputfilter.php
# Fixed [topic,48908.0.html] : Duplicate usernames / Length Checking
31-Mar-2006 Rey Gigataras
# Fixed [topic,46614.0.html] : mod_templatechooser not working when templates name has dashes
30-Mar-2006 Rey Gigataras
* SECURITY A1 [ Low Level ]: [artf3702] : breadcrumbs: information gathering possible by simple urlhacks
# Fixed [topic,47932.0.html] : 1.0.8 com_contact - incorrect URL?
^ Upgrade to Geshi 1.0.7.8
29-Mar-2006 Rey Gigataras
# Fixed [artf4133] : Blog - Content Section Archive
# Fixed [artf4093] : No parameter tool tip when ' is used in module.xml
# Fixed [artf4028] : url to the site is added to the entered link in a menu item (SEF disabled)
# Fixed [artf4102] : mosimage.php - Erroneous right alignment of images
# Fixed [artf4131] : com_contact displays non-localized message
^ Upgrade to TinyMCE 2.0.5.1
^ Upgrade to TinyMCE compressor 1.0.8
^ TinyMCE remove `Help` tab in help popup
^ TinyMCE 'word wrap' by default for html source mode
27-Mar-2006 Alex Kempkens
# corrcted searchbot; finding dynamic content while searching for static
# updated core-SEF support for new multilingual_content config var
24-Mar-2006 Alex Kempkens
+ Check for mambot/system directory in installer and installation dialogs
# [artf4066] content sections not being translated
16-Mar-2006 Rey Gigataras
# Fixed [artf3913] : [artf3809]: Error with < AND > in tinymce - static content manager
# Fixed : checked out lock icon visible for same user
# Fixed : Global Config JS error when no session_type value yet set - issue only when upgrading
# Fixed [topic,44206.0.html] : XML help files no longer supported
15-Mar-2006 Rey Gigataras
# Fixed [artf3927] : Typo in Installer Screen
# Fixed [artf3940] : single quotes/apostrophes (')
# Fixed [topic,46202.0.html] : Problem found in Session id function
13-Mar-2006 Rey Gigataras
^ PERFORMANCE : com_content only add call to jos_content_rating where voting option activated
12-Mar-2006 Rey Gigataras
# Fixed [topic,44117.0.html] : com_menumanager can not handle simple quotes (')
# Fixed [topic,34821.0.html] : Allow search on static contents not linked to a menu
^ PERFORMANCE : com_statistics `Search Engine Text` page, results returned off by default as highly query intensive and can cause site lockup
^ `Page Hits` into `Content` sub-menu
11-Mar-2006 Alex Kempkens
# Fixed some queries missing primary key for translations (contact, newsfeed)
11-Mar-2006 Rey Gigataras
# Fixed [artf3873] : Invalid Itemid for com_content Category Link
# Fixed [topic,45343.0.html] : Random image default behavoir
+ PERFORMANCE : Auto purge of expired messages for com_messages [default of 7 days]
10-Mar-2006 Rey Gigataras
# Fixed [artf3885] : Remove the last hardcoded texts
# Fixed [artf3713] : Joomla still doesn't work with SQL mode enabled
^ Ensure showPathway is only called once
09-Mar-2006 Rey Gigataras
# Fixed [artf3863] : mod_whosonline double ONLINE
# Fixed [topic,44644.0.html] : Miss spelled Position as Postition
# Fixed [topic,41593.0.html] : Table - content section - filter works only for the first page
08-Mar-2006 Rey Gigataras
# Fixed [artf3847] : A mistake in joomla_admin template
# Fixed [artf3748] : Archive - Access Denied
# Fixed [artf3592] : Archive Pagination Problem
# Fixed [topic,41627.0.html] : "Undefined variable: filter"
# Fixed [topic,43315.0.html] : Static text in content.php
# Fixed [topic,41466.0.html] : NullDate AND '0000-00-00 00:00:00'
^ Global define of _CURRENT_SERVER_TIME
^ sef.php optimization
07-Mar-2006 Rey Gigataras
+ Show whether Cache directory is writable where it is used - com_newsfeeds, com_syndicate, custom modules
# Fixed [artf3818] : Path error for agent_browser.php in joomla.php
# Fixed ensure all require and include calls are using absolute paths
06-Mar-2006 Rey Gigataras
# Fixed [artf3756] : mossef bot rewrites javascript:void(0) in href
# Fixed [artf3745] : includes/joomla.php on line 790 setSessionGarbageClean
# Fixed [topic,41619.0.html] : mosimage caption problem
# Fixed [topic,42023.0.html] : sample data error with Link - Static Content CID value
02-Mar-2006 Rey Gigataras
# Fixed [artf3728] : Error if change the "Syndicate" name in db table "jos_components"
# Fixed [artf3731] : mod_newsflash shows errors when no items are available
# Fixed [artf3733] : Site (frontend): url to the site is added to the entered link in a content item.
# Fixed [artf3696] : Typo Site Mambot: Edit [ TinyMCE WYSIWYG Editor ]
# Fixed [artf3658] : "New" Content Link/Image Showing With No Categories Present
# Fixed [artf3697] : sefreltoabs error with links to other sites
01-Mar-2006 Rey Gigataras
* SECURITY A1 [ Low Level ]: Harden mosmsg
# Fixed [artf3656] : contact-component, dropdown
28-Feb-2006 Rey Gigataras
# Fixed [artf3655] : Login module error
# Fixed [artf3668] : mosemailcloak bug with mailto:
# Fixed [artf3681] : invalid markup in com_content showCategories()
# Fixed [artf3688] : Hardcoded text in contact.html.php
# Fixed [artf3664] : Image links gets preceeded by "Live Site" URL after v1.0.8 upgrade
# Fixed [artf3703] : configuration.php-dist has a typo
# Fixed [topic,41404.0.html] : configuration.php-dist missing `;`
---------------- 1.0.8 Stable Released -- [26-Feb-2006 05:00 UTC] ------------------
This Release Contains following Security Fixes
Medium Level Threat
* Hardening of Remember Me login functionality
* Protect against real server path disclosure via syndication component
* Limit arbitrary file creation via syndication component
* Protect against real server path disclosure in mod_templatechooser
* Disallow `Weblink` item from being accessible when 'unpublished'
* Disallow `Polls` item from being accessible when 'unpublished'
* Disallow `Newfeeds` item from being accessible when category 'unpublished'
* Disallow `Weblinks` item from being accessible when category 'unpublished'
* Disallow `Content` item from being accessible despite section/category 'access level'
* Disallow `Newsfeed` item from being accessible despite category 'access level'
* Disallow `Weblink` item from being accessible despite category 'access level'
* Disallow `Content` item from being visible despite category 'access level' in `Content Section` view - `Blog - Content Section` & `Blog - Content Section Archive`
* Disallow `Content` items from being viewable when category/section 'unpublished' - mod_newsflash
Low Level Threat
* Harden frontend Session ID
* Harden against multiple Admin SQL Injection Vulnerabilities
* Disable ability to enter more than one email address in Contact Component contact form
* Harden Contact Component with param option to check for existance of session cookie - enabled by default
* Addiotnal check for correct Admin session name
* Disallow access to syndication functionality
* Disallow `Newsfeeds` Categories from being accessible when 'unpublished'
* Disallow `Contact` Categories from being accessible when 'unpublished'
* Disallow `Weblink` Categories from being accessible when 'unpublished'
* Disallow `Content Section` from being accessible when section 'unpublished' - `List - Content Section`
* Disallow `Content Category` from being accessible when category/section 'unpublished' - `Table - Content Category`
* Disallow `Contact` Categories from being accessible as per category 'access level'
* Disallow `Newsfeeds` Categories from being accessible as per category 'access level'
* Disallow `Weblinks` Categories from being accessible as per category 'access level'
* Disallow `Content Section` from being accessible as per section 'access level' - `List - Content Section`
* Disallow `Content Category` from being accessible as per section/category 'access level' - `Table - Content Category`
* Disallow `Content Category` from being accessible as per category 'access level' - `Blog - Content Category` & `Blog - Content Category Archive`
* Disallow `Content` item links from being visible as per category/section 'access level' - mod_newsflash, mod_latestnews, mod_mostread
* Disallow Category Search returning items despite section 'access level' & section 'state'
* Disallow Contact Search returning items despite 'access level' & category 'state'
* Disallow Content Search returning items despite section 'access level'
* Disallow Newsfeed Search returnings items despite category 'state'
* Disallow Weblink Search returning items despite category 'state'
---
25-Feb-2006 Rey Gigataras
# Fixed [topic,40568.0.html] : Conversion of & to & when editing 'new' modules, breaking xhtml compliance
# Fixed [topic,40568.0.html] : Itemid=99999999 visible when navigating polls
# Fixed artf3630 : Site name printed twice in the popup window title (print, email to friend)
^ Upgraded to TinyMCE 2.0.4
- Depreciated Admin templates - mambo_admin & mambo_admin_blue
24-Feb-2006 Rey Gigataras
* SECURITY [ Low Level ]: Add check for correct Admin session name
# Fixed HTTP_ACCEPT_ENCODING problems
# Fixed incorrect handling of external links with mossef
^ Special Flag to allow different login behaviour of site for Production vs online Demo site
23-Feb-2006 Robin Muilwijk
# Fixed [topic,39449.0.html] : typo in menu manager
23-Feb-2006 Rey Gigataras
^ Global Config session life only controls purging of frontend logged in sessions
^ Guests session separately purged at a hardcoded 900 seconds
22-Feb-2006 Rey Gigataras
# Fixed artf3591 : Error if unpublish menu item
# Fixed [topic,39295.0.html] : SEF handling of custom .htaccess reconfigured urls
# Fixed [topic,39295.0.html] : mod_login return value incorrectly returning 'index.php?' if coming from site homepage
^ Frontend Session Tracking cookie uses `Expire at End of Session`, rather than expiry by a set time to resolve issues with incorrect system clocks
21-Feb-2006 Rey Gigataras
* SECURITY [ Medium Level ]: Real server path disclosure in mod_templatechooser
# Fixed [topic,39295.0.html] : Incorrect favicon path in installer
# Fixed [topic,39295.0.html] : Admin logout does not clear/delete session being logged out
^ Remember Me Cookie amalgamated into a single cookie.
20-Feb-2006 Rey Gigataras
# Fixed [topic,39295.0.html] : error in TinyMCE 2.0.3 (toggle fullscreen mode)
20-Feb-2006 Andrew Eddie
# Fixed filelist param - would always show list entries related to images for default and do not use
19-Feb-2006 Rey Gigataras
# Fixed [topic,36462.0.html] : time check incorrectly being based on local time - rather than server time
# Fixed [topic,39103.0.html] : utf-8 encoded newsfeeds in a ISO-8559-1 site
18-Feb-2006 Rey Gigataras
# Fixed [topic,39101.0.html] : Newsfeeds do not display
^ PERFORMANCE : General query reduction work
^ PERFORMANCE : Reduce queries used by search bots to load params
^ PERFORMANCE : 'editor-xtd' bot group loaded only once - affect = reduction in queries
^ Refactored session handling code for Admin sessions
+ session.gc_maxlifetime setting for Admin Sessions
17-Feb-2006 Rey Gigataras
# Fixed artf3543 : Rev 2393 Language Manager Error
# Fixed [topic,22061.0.html] : Wrapper Autoheight ability set to off by default, as causes javascript errors when used on sites not on your domain
# Fixed [topic,30542.0.html] : MySQL 5 support in strict mode
# Fixed artf3605 : Spelling error when saving content
# Fixed artf3576 : Javascript conflict in mod_wrapper
^ PERFORMANCE : `dynamic` Itemid checks store previous query results - affect = reduction in queries
^ PERFORMANCE : `static` Itemid counters now loads only once - affect = reduction in queries
^ PERFORMANCE : 'content' bot group loaded only once instead of each time content is loaded - affect = reduction in queries
^ PERFORMANCE : individual 'content' bot query to pull params loaded only once instead of each time content is loaded - affect = reduction in queries
+ new Admin Session Life Global Config param, allowing setting of admin session idle logout time
+ query debug mode to backend
16-Feb-2006 Rey Gigataras
# Fixed artf3523 : mosemailcloak issue with mailto params
# Fixed : disable mossef bot from working on mailto links
# Fixed [topic,36637.0.html] : SEF deactivated relative & absolute url handling
# Fixed [topic,36637.0.html] : Session username not correct for those coming from `Remember Me` cookie
+ PERFORMANCE : Simple check for all bots to determine whether they should process further
^ PERFORMANCE : Reduce queries used by bots to load params - mosemailcloak, mosimage, mosloadposition, mospaging - affect = reduction in queries
^ PERFORMANCE : 'editor-xtd' bot group loaded only when needed - affect = reduction in queries
15-Feb-2006 Rey Gigataras
# Fixed artf3527 : "New" Content Link and Image Not Present When Category Empty
# Fixed [topic,36462.0.html] : Static Content Start/Finish publishing time is based on server time, not local time
# Fixed : Publisher submission message for frontend content editing/submission
14-Feb-2006 Rey Gigataras
* SECURITY [ Low Level ]: Disable ability to enter more than one email address in Contact Component contact form
# Fixed artf3144 : NULL values from SQL tables not loaded
# Fixed [topic,31769.0.html] : $access variable conflict com_content
# Fixed [topic,32201.0.html] : mod_related_items urls not xhtml compliant
# Fixed [topic,31185.0.html] : heading in pagination not working
# Fixed [topic,10947.0.html] : Add Prefix check to installer
# Fixed artf3082 : Template preview *still* not available
# Fixed artf2925 : mosGetParam has side affects
# Fixed [topic,38017.0.html] : Content -> New -> Cancel
^ Upgraded TinyMCE to 2.0.3 & TinyMCE GZip Compressor to 1.0.7
13-Feb-2006 Rey Gigataras
* SECURITY [ Medium Level ]: Hardening of Remember Me login functionality
* SECURITY [ Low Level ]: Harden Contact Component with param option to check for existance of session cookie - enabled by default
12-Feb-2006 Rey Gigataras
* SECURITY [ Low Level ]: Multiple Admin SQL Injection Vulnerabilities
* SECURITY [ Low Level ]: Category Search returns items despite section 'access level' & section 'state'
* SECURITY [ Low Level ]: Contact Search returns items despite 'access level' & category 'state'
* SECURITY [ Low Level ]: Content Search returns items despite section 'access level'
* SECURITY [ Low Level ]: Newsfeed Search returns items despite category 'state'
* SECURITY [ Low Level ]: Weblink Search returns items despite category 'state'
# Fixed artf3391 : Aphostrophes in Category: Edit
# Fixed artf3291 : Alert() problem
# Fixed artf3188 : Unnecessary table cell in contact.html.php
# Fixed artf3121 : css errors in tiny_mce and rhuk_solarflare_ii template
# Fixed artf3181 : Task routing class
# Fixed artf3400 : showCalendar does not get value of date
# Fixed artf3348 : Bold tag overrides css in mod_poll.php
# Fixed artf3120 : &and & &link not defined in admin.categories.php
# Fixed artf3446 : Problems with mosimage with caption
# Fixed artf3100 : Incorrect Response Headers for Missing Pages
# Fixed artf3220 : Search bug: No way to update referenced search component
# Fixed artf3438 : RSS Feed Created it not base on the same encoding of the content
# Fixed artf3108 : Joomla 1.0.7 core SEF bug gives 404 on homepage
# Fixed artf3169 : RSS feeds does not work with SEF disabled
11-Feb-2006 Rey Gigataras
* SECURITY [ Medium Level ]: Protect against real server path disclosure via syndication component
* SECURITY [ Medium Level ]: Limit arbitrary file creation via syndication component
# Fixed artf3397 : link to menu and loss of images list
# Fixed artf3109 : 1.0.7 "The XML page cannot be displayed ERROR" ob_gzhandler issue
# Fixed artf3447 : TinyMCE and relative urls
# Fixed artf3183 : Sub-menu items of separators not showing in module menu selection list
# Fixed artf3103 : $mosConfig_cachepath not used everywhere
# Fixed artf3114 : mod_related_items outputs nothing
# Fixed artf3234 : mod_related_items unitialized mosConfig_offset variable
# Fixed artf3402 : Missing param in module
# Fixed artf3067 : Reopen: Unhandled fragment identifier with core SEF enabled
# Fixed [topic,31813.0.html] : new .htaccess gives proper 404s [Steve Graham]
+ Disable session.use_trans_sid to .htaccess
10-Feb-2006 Rey Gigataras
* SECURITY [ Low Level ]: Harden frontend Session ID
# Fixed artf3421 : Session cleanup relies on administrator login
# Fixed artf3307 : Error in code - non critical, but logout setcookie not working
# Fixed artf3126 : Short open PHP tag in pathway.php
# Fixed artf3126 : artf3413 : small problem with variable in xml_domit_lite_parser.php
# Fixed [topic,34620.0.html] : Excessive Joomla Sessions, and AOL Login Problem [Steve Graham]
# Fixed mosWarning() $title error
+ New Session Type Global Config param
08-Feb-2006 Rey Gigataras
* SECURITY [ Medium Level ]: # Fixed : `Content` items viewable when category/section 'unpublished' - mod_newsflash
* SECURITY [ Low Level ]: # Fixed : `Content` item links visible despite category/section 'access level' - mod_newsflash, mod_latestnews, mod_mostread
# Fixed artf3393 : Latestnews doesn't show static content
07-Feb-2006 Robin Muilwijk
# Fixed artf3328, 1.0.7 EN Installation Typo - Step 1
# Fixed artf3401 : Spelling errors in two modules
31-Jan-2006 Rey Gigataras
+ Additional Contact Component hardening
30-Jan-2006 Rey Gigataras
* SECURITY [ Medium Level ]: # Fixed : `Content` item accessible despite section/category 'access level'
* SECURITY [ Medium Level ]: # Fixed : `Content Section` view `Content` items visible despite category 'access level' - `Blog - Content Section` & `Blog - Content Section Archive`
* SECURITY [ Medium Level ]: # Fixed : `Newsfeed` item accessible despite category 'access level'
* SECURITY [ Medium Level ]: # Fixed : `Weblink` item accessible despite category 'access level'
* SECURITY [ Low Level ]: # Fixed : `Contact` Categories accessible despite category 'access level'
* SECURITY [ Low Level ]: # Fixed : `Newsfeeds` Categories accessible despite category 'access level'
* SECURITY [ Low Level ]: # Fixed : `Weblinks` Categories accessible despite category 'access level'
* SECURITY [ Low Level ]: # Fixed : `Content Category` view accessible despite section/category 'access level' - `Table - Content Category`
* SECURITY [ Low Level ]: # Fixed : `Content Category` view accessible despite category 'access level' - `Blog - Content Category` & `Blog - Content Category Archive`
* SECURITY [ Low Level ]: # Fixed : `Content Section` view accessible despite section 'access level' - `Table - Content Section`
^ Contact Items display Authorization block text if category 'access level' denies access
^ Blog pages display Authorization block text if section/category 'access level' denies access
29-Jan-2006 Rey Gigataras
* SECURITY [ Medium Level ]: # Fixed : `Weblinks` item accessible when category 'unpublished'
^ Blog pages display Authorization block text if section/category being unpublished
25-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: # Fixed : No way to disable access to syndication functionality
17-Jan-2006 Rey Gigataras
* SECURITY [ Medium Level ]: # Fixed : `Weblink` item accessible when 'unpublished'
* SECURITY [ Medium Level ]: # Fixed : `Polls` item accessible when 'unpublished'
* SECURITY [ Medium Level ]: # Fixed : `Newfeeds` item accessible when category 'unpublished'
* SECURITY [ Low Level ]: # Fixed : 'unpublished' `Newfeeds` Categories accessible
* SECURITY [ Low Level ]: # Fixed : 'unpublished' `Contact` Categories accessible
* SECURITY [ Low Level ]: # Fixed : 'unpublished' `Weblink` Categories accessible
* SECURITY [ Low Level ]: # Fixed : `Content Section` accessible when section 'unpublished' - `List - Content Section`
* SECURITY [ Low Level ]: # Fixed : `Content Category` view accessible when category/section 'unpublished' - `Table - Content Category`
---------------- 1.0.7 Released -- [15-Jan-2006 21:00 UTC] ------------------
15-Jan-2006 Rey Gigataras
# Fixed : database password being incorrectly overwritten with a blank
---------------- 1.0.6 Released -- [15-Jan-2006 15:00 UTC] ------------------
This Release Contains following Security Fixes
Low Level Threat
* Disallow Author from publishing items or changing publish state
* Hardened Contact Component against misuse
* Added simple filtering control ability to Contact Component
* Hardened misuse of Contact Component `email copy` ability when not activated
* Hardened misuse of Contact Component `VCard` ability when not activated
* `VCard` & `Email Copy` options set to hide by default
* Multiple Vulnerabilities in TinyMCE Compressor
* Hardened Itemid against misuse
* Hide database password in Global Configuration
---
15-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: Hide database password in Global Configuration
# Fixed artf3064 : Warning: Invalid argument supplied mod_fullmenu Line 57
# Fixed artf3063 : Poll Component Output Display Error
14-Jan-2006 Louis Landry
# Fixed Caching `Blog` pagination problem
14-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: disallow Author from publishing items or changing publish state
[identified Max Dymond]
# Fixed artf3055 : Weblink submit, no email to admin
# Fixed artf3045 : Unhandled fragment identifier with core SEF enabled
# Fixed artf3032 : 1783: Can't get custom CSS in Tiny MCE
# Fixed artf3052 : Contact Component Re-Direct Issue
# Fixed artf3043 : Login & Logout redirecting to $mosConfig_live_site
# Fixed artf3040 : Site Modules | Display can be duplicated on Pages
# Fixed problem with display mod_rssfeed twice on a page
^ Contact Component confirmation now uses mosredireect msg, rather than JS
13-Jan-2005 Andrew Eddie
# Fixed bug in database::loadRowList that reutrn assoc and not numerical array
# Fixed bug in index2.php where joomlajavascript.js is not included
13-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: + simple filter check to Contact Component
# Fixed artf3038 : Warning: array_search(): Wrong datatype for second argument in
# Fixed artf3037 : New 404 tags aren't translated
# Fixed artf3035 : Bug with mod_newsflash
12-Jan-2006 Alex Kempkens
# Fixed mosFormateDate, handling offset's with value 0
12-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: changed `Email Copy` param option for new Contacts now set to `hide`
# Fixed artf2070 : mosHTML:encoding_converter() breaks with o"
# Fixed missing <li> tag in newsfeed component
# Fixed artf1487 : Media Manager breaks when illegal characters in uploaded file name
# Fixed artf2108 : Saving a parent inside of a child
+ caching support to `Frontpage` component
+ missing param for `Table - Weblink Category`
- sef handling in mod_search.php as SEF
- unnecessary `checked out` check in mod_latestnews.php and mod_mostread.php
- unnecessary param variable in mod_latestnews.php
10-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: Fixed artf2386 : Preventing Spambots through com_contact
# Fixed artf2622 : admin.users.php session_start called when a session is already open
# Fixed artf2789 : invalid xhtml
# Fixed artf2989 : User WYSIWYG editor setting resets after adding new user from backend
# Fixed artf2986 : Wrong link to image-icon in weblinks
08-Jan-2006 Johan Janssens
* SECURITY [ Low Level ]: Fixed Security Vulnerability in TinyMCE Compressor
08-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: Fixed artf2950 : Information leak with Vcard hide function
* SECURITY [ Low Level ]: changed `VCard` param option for new Contacts now set to `hide`
# Fixed DOMIT bugs [identified by sarahk]
http://sarahk.pcpropertymanager.com/blog/using-domit-rss/225/
# Fixed artf2793 : New user confirmation link warning on login
# Fixed artf2732 : Pagination in the Blog section/category doesnt work
# Fixed artf2943 : Incorrect Redirect for Weblinks
# Fixed artf2945 : Undefined constant in php_http_exceptions.php
07-Jan-2006 Rey Gigataras
# Fixed artf2933 : Pathway problem on Windows
06-Jan-2006 Rey Gigataras
^ changed mod_archive so that no Itemid is assigned, meaning it uses the default Itemid=99999999
# Fixed artf2738 : Incorrect SEF links for archive com_content links
# Fixed artf1809 : mospagebreak problem with "Special Characters"
# Fixed artf2861 : article_seperator glitch
05-Jan-2006 Rey Gigataras
# Fixed artf2825 : RSS module SEF urls
04-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: Fixed artf2050 : Itemid in index2.php
# Fixed Related items Module shows Expired items - Mambo Tracker [#7590]
# Fixed artf2185 : Changing weblinks possible for everyone
03-Jan-2006 Andy Miller
^ Updated copyright information for iCandy Junior icons
03-Jan-2005 Rey Gigataras
# Fixed XHTML validation error in `Blog` view with decmimal value widths
# Fixed XHTML validation error in `Table - Content Category`
# Fixed artf2791 : RSS item links not SEF'd
# Fixed artf2791 : RSS items have no category
# Fixed artf2813 : Media Manager doesn't support ICO files
02-Jan-2006 Rey Gigataras
# Fixed artf2802 : All content made bold for Rss module published on the frontpage
# Fixed artf2780 : Newsflash Read More bad link
# Fixed artf2786 : Newsflash module not picking up "linked title" global setting
# Fixed artf2810 : 1.0.x changelog incorrectly states release date of 1.0.5
30-Dec-2005 Rey Gigataras
# Fixed `Unlimited` banner impressions option
# Fixed artf2776 : Multiple banners not possible
# Fixed artf2788 : admin template css errors
29-Dec-2005 Rey Gigataras
# Fixed artf2646 : name="" not valid XHTML
# Fixed artf2747 : title_alias is missing in mambots
# Fixed `Reset Clicks` button not working in admin component `Banner Manager`
# Fixed artf2712 : Clicks reset on save
29-Dec-2005 Andrew Eddie
^ SEF error handling throws to new /templates/404.php file
# Rolled back changes to database::insertObject
+ New prototype MySQL 5 driver
24-Dec-2005 Emir Sakic
# Fixed a bug with 404 header being returned for homepage when SEF activated
# Fixed a bug with all items on frontpage returning Itemid=1 (duplicate content)
Low Level Threat
* Disallow Author from publishing items or changing publish state
* Hardened Contact Component against misuse
* Added simple filtering control ability to Contact Component
* Hardened misuse of Contact Component `email copy` ability when not activated
* Hardened misuse of Contact Component `VCard` ability when not activated
* `VCard` & `Email Copy` options set to hide by default
* Multiple Vulnerabilities in TinyMCE Compressor
* Hardened Itemid against misuse
* Hide database password in Global Configuration
---
15-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: Hide database password in Global Configuration
# Fixed artf3064 : Warning: Invalid argument supplied mod_fullmenu Line 57
# Fixed artf3063 : Poll Component Output Display Error
14-Jan-2006 Louis Landry
# Fixed Caching `Blog` pagination problem
14-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: disallow Author from publishing items or changing publish state [identified Max Dymond]
# Fixed artf3055 : Weblink submit, no email to admin
# Fixed artf3045 : Unhandled fragment identifier with core SEF enabled
# Fixed artf3032 : 1783: Can't get custom CSS in Tiny MCE
# Fixed artf3052 : Contact Component Re-Direct Issue
# Fixed artf3043 : Login & Logout redirecting to $mosConfig_live_site
# Fixed artf3040 : Site Modules | Display can be duplicated on Pages
# Fixed problem with display mod_rssfeed twice on a page
^ Contact Component confirmation now uses mosredireect msg, rather than JS
13-Jan-2005 Andrew Eddie
# Fixed bug in database::loadRowList that reutrn assoc and not numerical array
# Fixed bug in index2.php where joomlajavascript.js is not included
13-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: + simple filter check to Contact Component
# Fixed artf3038 : Warning: array_search(): Wrong datatype for second argument in
# Fixed artf3037 : New 404 tags aren't translated
# Fixed artf3035 : Bug with mod_newsflash
12-Jan-2006 Alex Kempkens
# Fixed mosFormateDate, handling offset's with value 0
12-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: changed `Email Copy` param option for new Contacts now set to `hide`
# Fixed artf2070 : mosHTML:encoding_converter() breaks with o"
# Fixed missing <li> tag in newsfeed component
# Fixed artf1487 : Media Manager breaks when illegal characters in uploaded file name
# Fixed artf2108 : Saving a parent inside of a child
+ caching support to `Frontpage` component
+ missing param for `Table - Weblink Category`
- sef handling in mod_search.php as SEF
- unnecessary `checked out` check in mod_latestnews.php and mod_mostread.php
- unnecessary param variable in mod_latestnews.php
10-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: Fixed artf2386 : Preventing Spambots through com_contact
# Fixed artf2622 : admin.users.php session_start called when a session is already open
# Fixed artf2789 : invalid xhtml
# Fixed artf2989 : User WYSIWYG editor setting resets after adding new user from backend
# Fixed artf2986 : Wrong link to image-icon in weblinks
08-Jan-2006 Johan Janssens
* SECURITY [ Low Level ]: Fixed Security Vulnerability in TinyMCE Compressor
08-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: Fixed artf2950 : Information leak with Vcard hide function
* SECURITY [ Low Level ]: changed `VCard` param option for new Contacts now set to `hide`
# Fixed DOMIT bugs [identified by sarahk] http://sarahk.pcpropertymanager.com/blog/using-domit-rss/225/
# Fixed artf2793 : New user confirmation link warning on login
# Fixed artf2732 : Pagination in the Blog section/category doesnt work
# Fixed artf2943 : Incorrect Redirect for Weblinks
# Fixed artf2945 : Undefined constant in php_http_exceptions.php
07-Jan-2006 Rey Gigataras
# Fixed artf2933 : Pathway problem on Windows
06-Jan-2006 Rey Gigataras
^ changed mod_archive so that no Itemid is assigned, meaning it uses the default Itemid=99999999
# Fixed artf2738 : Incorrect SEF links for archive com_content links
# Fixed artf1809 : mospagebreak problem with "Special Characters"
# Fixed artf2861 : article_seperator glitch
05-Jan-2006 Rey Gigataras
# Fixed artf2825 : RSS module SEF urls
04-Jan-2006 Rey Gigataras
* SECURITY [ Low Level ]: Fixed artf2050 : Itemid in index2.php
# Fixed Related items Module shows Expired items - Mambo Tracker [#7590]
# Fixed artf2185 : Changing weblinks possible for everyone
03-Jan-2006 Andy Miller
^ Updated copyright information for iCandy Junior icons
03-Jan-2005 Rey Gigataras
# Fixed XHTML validation error in `Blog` view with decmimal value widths
# Fixed XHTML validation error in `Table - Content Category`
# Fixed artf2791 : RSS item links not SEF'd
# Fixed artf2791 : RSS items have no category
# Fixed artf2813 : Media Manager doesn't support ICO files
02-Jan-2006 Rey Gigataras
# Fixed artf2802 : All content made bold for Rss module published on the frontpage
# Fixed artf2780 : Newsflash Read More bad link
# Fixed artf2786 : Newsflash module not picking up "linked title" global setting
# Fixed artf2810 : 1.0.x changelog incorrectly states release date of 1.0.5
30-Dec-2005 Rey Gigataras
# Fixed `Unlimited` banner impressions option
# Fixed artf2776 : Multiple banners not possible
# Fixed artf2788 : admin template css errors
29-Dec-2005 Rey Gigataras
# Fixed artf2646 : name="" not valid XHTML
# Fixed artf2747 : title_alias is missing in mambots
# Fixed `Reset Clicks` button not working in admin component `Banner Manager`
# Fixed artf2712 : Clicks reset on save
29-Dec-2005 Andrew Eddie
^ SEF error handling throws to new /templates/404.php file
# Rolled back changes to database::insertObject
+ New prototype MySQL 5 driver
24-Dec-2005 Emir Sakic
# Fixed a bug with 404 header being returned for homepage when SEF activated
# Fixed a bug with all items on frontpage returning Itemid=1 (duplicate content)
21-Dec-2005 Andrew Eddie
# Fixed slow query in com_content (Author text in a content item is now set to Written By)
# Fixed bug in backend poll entry with ' is in option name
# Fixed bug where content modified date is not updated on a bluck publish/archive operation
+ Added TEMPLATEURL to patTemplate preloaded variables
^ patTemplate Translate now recognises 1.0 version language constants
20-Dec-2005 Emir Sakic
# Fixed artf2432 : Apostrophe in paths isn't escaped properly
20-Dec-2005 Johan Janssens
# Fixed artf2389 : gzip compression not operational
# Fixed artf2599 : loosing Itemid afet submitting "ask for new password"
# Fixed artf1712 : Search Mambots return duplicate results
# Fixed artf2534 : Template chooser no longer able to manage SEF urls / XHTML validation
# Fixed artf1410 : 'Special' access menu locks out 'public' menu's articles "read more" content
# Fixed artf2595 : Deleted "mass mail" item menu in component menu
# Fixed artf2518 : mod_latestnews problem
# Fixed artf2591 : mosMakePath problem with mkdir on strato
# Fixed artf2665 : Most Read module generates incorrect class for <li> statement
# Fixed artf2666 : Pagination Error in Category Manager
# Fixed artf2407 : parameter type=mos_category show only "- Select Content Category -"
16-Dec-2005 Andy Miller
# Fixed mod_whosonline not rendering list properly
07-Dec-2005 Andrew Eddie
+ Added database::getAffectedRows to db connectors
10-Dec-2005 Emir Sakic
# Fixed artf2517 : "Cancel" the editing of content after "apply" not possible
09-Dec-2005 Emir Sakic
# Fixed artf2324 : SEF for components assumes option is always first part of query
# Fixed artf1955 : Search results bug
07-Dec-2005 Andrew Eddie
# Fixed unitialised array in mosHTML::MenuSelect method
+ Added mosBackTrace debugging function
# Fixed bug in mosDBTable::load where null table values don't overwrite properly
07-Dec-2005 Johan Janssens
# Fixed artf2430 : invalid values in tabpane.css
# Fixed artf2457 : VCard bug IS a bug
# Fixed artf2218 : RSS Newsfeed module generates wrong rendering output
# Fixed artf2453 : Random Image Module
# Fixed artf2251 : Poll title error
# Fixed artf2393 : Original editor cannot open content item if checked out
# Fixed artf2323 : overlib_hideform_mini.js parse error
# Fixed artf2248 : Incorrect hits count on multipage articles
# Fixed artf2342 : getBlogCategoryCount
# Fixed artf2464 : Contacts Component image path error
# Fixed artf2404 : Contact detail html bug
^ Replaced install.png with transparent image - contributed by joomlashack
# Fixed artf2245 : RSS not showing enclosure tags
# Fixed artf2247 : RSS newsfeed on Frontend missing link
# Fixed bug in Domit lite parser
# Fixed mosMail() is missing "ReplyTo:" field to avoid anti-spam rules (SPF)
# Fixed Small typo in mosBindArrayToObject
06-Dec-2005 Alex Kempkens
# Fixed artf2434: Typo in database.php checkout function line 1050
# Fixed artf2398 : Parameter Text Area field name
06-Dec-2005 Johan Janssens
# Fixed artf2418 : Banners Client Manager Next Page Issue: Joomla 1.04
# Fixed artf2156 : memory exhastion error in joomla.xml.php
# Fixed artf2378 : mosCommonHTML::CheckedOutProcessing not checking if the current user
has checked out the document
# Fixed artf1948 : Pagination problem still exists
^ Upgraded TinyMCE Compressor [1.0.4]
^ Upgraded TinyMCE [2.0.1]
01-Dec-2005 Andrew Eddie
# Fixed nullDate error in mosDBTable::checkin method
# Removed $migrate global in mosDBTable::store method
# Fixed some MySQL 5 issues (still very unreliable)
+ Component may force frontend application to include joomla.javascript.js by:
$mainframe->set( 'joomlaJavascript', 1 );
01-Dec-2005 Andrew Eddie
# Fixed limit error in sections search bot
# Bug in gacl_api::add_group query [c/o Mambo bug #8199]
# Search highlighting fails when a "?" is entered [c/o Mambo bug #8260]
30-Nov-2005 Emir Sakic
+ Added 404 handling for missing content and components
+ Added 404 handling to SEF for unknown files
30-Nov-2005 Andrew Eddie
# Site templates allowed to have custom index2.php (fixes problems where custom code is required in index2)
29-Nov-2005 Andrew Eddie
# Fixed artf2258 : Parameter tooltips missing in 1.0.4
28-Nov-2005 Andrew Eddie
# Fixed artf2329 : mosMainFrame::getBasePath refers to non-existant JFile class.
# Fixed artf2246 : Error in frontend.html.php
# Fixed artf2190 : mod_poll.php modification
# Fixed artf2292 : [WITH FIX] Sql query missing hits
24-Nov-2005 Emir Sakic
# Fixed artf2225 : Email / Print redirects to homepage
# Fixed artf1705 : Not same URL for same item : duplicate content
23-Nov-2005 Johan Janssens
# Fixed : Content Finish Publishing & not authorized
22-Nov-2005 Marko Schmuck
# Fixed artf2240 : 1.0.4 URL encoding entire frontend?
# Fixed artf2222 : ampReplace in content.html.php
+ Versioncheck for new_link parameter for mysql_connect.
22-Nov-2005 Levis Bisson
# Fixed artf2221 : 1.0.4: includes/database.php faulty on PHP < 4.2.0
# Fixed artf2219 : Bug in pageNavigation.php - added "if not define _PN_LT or _PN_RT"
22-Nov-2005 Johan Janssens
# Fixed artf2224 : Problem with Media Manager
# Fixed : Can't create new folders in media manager
Management Systems on the planet. It is used all over
the world for everything from simple websites to complex
corporate applications. Joomla! is easy to install,
simple to manage, and reliable.
