August 29th, 2006
Joomla! 1.0.11 [ Sunbird ] is now available as of Monday 28th August 2006 24:00 UTC for download here, and is being designated a Critical Security Release. All existing Joomla! users MUST UPGRADE to this version, due to several High Level vulnerabilities that affect ALL previous versions of Joomla!
1.0.11 contains the following critical security fixes:
- 04 High Level Security Fixes
- 04 Medium Level Security Fixes
- 18 Low Level Security Fixes
- 25 General bug fixes
If you are using ANY previous version of Joomla!, you need to upgrade to 1.0.11 as soon as possible.
Project Joomla! is and has always been fully committed to a Security First Principle, and new initiatives have been and will continue to be started to reinforce this principle. Joomla! 1.0.11 highlights a redoubled effort to put Security at the forefront of everyone's lexicon.
Posted in Bug Fixes, Joomla Core, New Releases, Security | 1 Comment »
August 21st, 2006
We are aware that currently some features on our website are not working; this is due to us making some global changes and also resetting some key passwords and accounts. We are working hard to resolve these issues and all will be running smoothly again soon.
Known issues are with:
- Ordering with ePDQ (PayPal orders get processed immediately, ePDQ orders are charged but not delivered)
- Old Forum not working
- New forum registration not working
- All other systems are LIVE and WORKING WELL
Posted in Bug Fixes, Security | 1 Comment »
August 17th, 2006
How to turn register_globals off, components for Joomla
There are at least 2 ways of doing this, and your web host will probably not support or give you access to both of them; a good web host would have already switched register_globals off for you.
- One way (most people can't do this)
If you have full access to your server you can locate your php.ini file and set register_globals = Off in the php.ini file; remember to restart Apache afterwards.
- Another way (may work depending on the configuration of the server: php_flag is only understood when PHP runs as an Apache module and .htaccess overrides are allowed, otherwise it is ignored or causes a server error)
create, or edit any existing .htaccess file in the root of your webspace (in the same folder as Joomla’s configuration.php)
Add the following line to the .htaccess and save, the change is instant:
php_flag register_globals off
- Securing Joomla Further
Edit the file /globals.php and change
define( 'RG_EMULATION', 1 );
to
define( 'RG_EMULATION', 0 );
These steps will secure you a bit more and are HIGHLY recommended!
Posted in Joomla Components, Joomla Core, Joomla Training, Security | 9 Comments »
August 16th, 2006
A few weeks ago we let all mosListMessenger customers know about a possible security hole in mosListMessenger.
Since then there have been no known hacks using the security hole, and details of it have not been in the public domain.
Today we received information that a certain hacker is aware of the remote file inclusion available through mosLM files and is attempting to compromise Joomla sites with mosLM installed.
The hack will only be successful if:
- You have not upgraded mosLM as per our instructions
- You have register_globals = On in your php.ini (TURN IT OFF!!)
- You have not paid attention to file permissions and have set some folders to writable
PLEASE MAKE SURE YOU TAKE THE ABOVE STEPS to ensure you are not hacked through mosListMessenger! - You have been warned.
Here are a few links:
http://blog.phil-taylor.com/2006/08/09/information-on-moslistmessenger-security-hardening/
http://forum.joomla.org/index.php/topic,86460.msg439707.html#msg439707
Kindest regards
Phil.
Posted in Bug Fixes, Joomla Components, Security, mosListMessenger | 1 Comment »
August 11th, 2006
We have just received notification as follows:
The CB Core team over at joomlapolis.com has been working hard during the past 48 hours on a security release 1.0.1 of the CB suite following the discovery of a vulnerability present in 1.0 RC2 and 1.0 stable on weakly configured web-servers.
We have decided to release it as a highly-recommended critical security and stability update, as we had one report this morning and another one this afternoon for 2 sites where it got exploited to change files.
Your site needs an urgent update to CB 1.0.1 if ALL of these PHP settings are met:
- php register_globals set to ON
- allow_url_fopen is ON
- no open base directory limitations set
- php code directories have write permissions from the web-server process
CB 1.0.1 will be released in the next hours and will be available on http://www.joomlapolis.com and on the Community Builder project area on forge.joomla.org.
Everyone is urged to upgrade asap; a README file is included in the release as usual.
Sites with the settings above are in danger.
If you want to stop receiving future messages of this type just visit your contact info tab on your joomlapolis profile and click on the “Don’t email me critical vulnerability fixes” checkbox.
Thank you,
The CB Team on Joomlapolis.com
It is important to note that CB is not one of our products.
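A self-check for the server settings that the register_globals how-to above and the CB notice both call out, as an added example (not code from Joomla, the CB team or this blog). It assumes the Joomla 1.0 directory layout and that RG_EMULATION is defined in globals.php in the form shown in the how-to; the list of code directories it inspects is an assumption.

```php
<?php
// Added example, not Joomla, CB or blog-author code. Temporarily upload to the
// Joomla root, request it ONCE through the web server, then delete it: run from
// the command line, PHP reads a different php.ini and never sees .htaccess
// php_flag lines, so the report would not describe the web site.

// Treat every spelling PHP accepts for a boolean ini value as "on".
function ini_is_on( $name )
{
    $v = strtolower( trim( (string) ini_get( $name ) ) );
    return $v == '1' || $v == 'on' || $v == 'yes' || $v == 'true';
}

// Read RG_EMULATION from globals.php (assumed form: define( 'RG_EMULATION', 1 );).
// Returns true/false, or null when the file or the define cannot be found.
function rg_emulation_enabled( $globals_php )
{
    $src = @file_get_contents( $globals_php );
    if ( $src === false ) {
        return null;
    }
    if ( preg_match( '/define\s*\(\s*[\'"]RG_EMULATION[\'"]\s*,\s*(\d+)\s*\)/', $src, $m ) ) {
        return $m[1] != '0';
    }
    return null;
}

// Code directories that the web server process should NOT be able to write to.
function writable_code_dirs( $root, $dirs )
{
    $bad = array();
    foreach ( $dirs as $d ) {
        if ( is_writable( $root . '/' . $d ) ) {
            $bad[] = $d;
        }
    }
    return $bad;
}

$root     = dirname( __FILE__ );
$findings = array();
if ( ini_is_on( 'register_globals' ) )                         $findings[] = 'register_globals is On';
if ( rg_emulation_enabled( $root . '/globals.php' ) === true ) $findings[] = 'RG_EMULATION is 1 in globals.php';
if ( ini_is_on( 'allow_url_fopen' ) )                          $findings[] = 'allow_url_fopen is On';
if ( ini_get( 'open_basedir' ) == '' )                         $findings[] = 'no open_basedir restriction';
$w = writable_code_dirs( $root, array( 'components', 'administrator/components', 'includes', 'mambots' ) );
if ( $w )                                                      $findings[] = 'web server can write to: ' . implode( ', ', $w );
header( 'Content-Type: text/plain' );
echo $findings ? "Fix these:\n- " . implode( "\n- ", $findings ) . "\n" : "No issues found.\n";
```

Every line in the "Fix these" list corresponds to one of the conditions the CB notice says must all hold for the reported exploitation to work; clearing any one of them removes that precondition, and clearing all of them is the goal.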
Posted in Bug Fixes, Joomla Components, Security | No Comments »
August 9th, 2006
Below is a copy of an email sent to all mosListMessenger customers on 07/19/2006 11:34
This email is being sent to all mosListMessenger Customers and relates to a possible security hole in mosLM component. As you may be aware, certain hackers are attempting to hack many Joomla websites through custom components.
mosLM is a custom Joomla Component developed by one of our partner developers (Matt Simpson) and integrated to Joomla by Phil Taylor.
We have been quick to review the components we have developed; within mosLM the original developer had already implemented an internal check that would die if the file was used through a direct URL - this has provided good security.
As an additional level of security we have now implemented the Joomla check to see if the file has been included through Joomla. This will provide even better protection.
In our internal review of our components it has come to light that, under very specific conditions, it may be possible to include nasty files using a specially crafted URL to a few specific files in mosLM, which could result in your site being hacked.
We have already addressed these issues within mosLM and you can download the latest version from our site at http://www.phil-taylor.com/cc
You should upgrade your site to Joomla 1.0.10 and upgrade mosListMessenger to the latest files (No version change) as soon as practically possible.
As a customer of ours, we would be happy to upgrade mosListMessenger for you FOR FREE! If you would like to take us up on this offer please fill in the form at http://www.phil-taylor.com/send-request and we will action it as soon as possible.
May I stress that we have not heard of ANY successful hacking attempts through any of our components and we are working behind the scenes to ensure this continues to be the case. We are also providing good advice to other custom Joomla Component developers.
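A scan for component files that lack the Joomla check described in the email above, as an added example (not mosLM, Joomla or blog-author code). It assumes the Joomla 1.0 convention that index.php defines _VALID_MOS before loading any component, so a file opening with the guard shown in the comments dies when requested directly by URL; the list of directories scanned is an assumption.

```php
<?php
// Added example, not mosLM, Joomla or blog-author code. Run from the Joomla
// root:  php find_unguarded.php
// Joomla 1.0 index.php defines _VALID_MOS before including any component, so
// a component file that opens with
//     defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
// dies when requested directly by URL, before any include() in that file runs.
// This lists component files where no such check is found near the top.

function has_valid_mos_guard( $path )
{
    $src = @file_get_contents( $path );
    if ( $src === false ) {
        return false;
    }
    // The guard belongs at the top of the file; only the first 2 KB are examined.
    return preg_match( '/defined\s*\(\s*[\'"]_VALID_MOS[\'"]\s*\)/', substr( $src, 0, 2048 ) ) === 1;
}

// Recursively collect the .php files under $dir that lack the guard.
function find_unguarded_php( $dir )
{
    $unguarded = array();
    $entries   = @scandir( $dir );
    if ( $entries === false ) {
        return $unguarded;
    }
    foreach ( $entries as $e ) {
        if ( $e == '.' || $e == '..' ) {
            continue;
        }
        $p = $dir . '/' . $e;
        if ( is_dir( $p ) ) {
            $unguarded = array_merge( $unguarded, find_unguarded_php( $p ) );
        } elseif ( substr( $e, -4 ) == '.php' && !has_valid_mos_guard( $p ) ) {
            $unguarded[] = $p;
        }
    }
    return $unguarded;
}

$root = dirname( __FILE__ );
$hits = array();
foreach ( array( 'components', 'administrator/components', 'mambots' ) as $d ) {
    $hits = array_merge( $hits, find_unguarded_php( $root . '/' . $d ) );
}
echo $hits ? "Files without a _VALID_MOS check:\n" . implode( "\n", $hits ) . "\n"
           : "Every component file carries the check.\n";
```

Review each hit by hand: a file that is meant to be requested directly (a download or image handler, for example) will show up here and needs a direct-access check of its own, like the one the original mosLM developer had written, rather than this one.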
Posted in Bug Fixes, Joomla Components, Security | 1 Comment »
July 23rd, 2006
Following our internal review of the code of our partner product, mosMedia, and the recent security holes found in mosMedia, we tried to contact the original developer, both via his site and via his publicly available whois data and phone numbers.
We have had no luck in contacting him and therefore we are removing his product from sale on our site.
We take the security of our components very seriously and it would not be right to continue selling a partner product that we knew could be used to hack a website.
If you are running mosMedia 1.0.8 then we advise you to UNINSTALL it or patch it with our unofficial patch ( mosMedia 1.0.8 security patch )
You can visit the official site for mosMedia at: http://www.ag-solutions.net/
You can view more information on the security risks with mosMedia at:
http://blog.phil-taylor.com/2006/07/23/important-mosmedia-security-issues/
Posted in Joomla Components, Security | 2 Comments »
July 23rd, 2006
[This is a repost; somehow we managed to delete the old announcement from our blog :-S ]
It has come to our attention that the mosMedia Component can, under certain circumstances, allow a hacker to gain access to your website.
This email is being sent to all mosMedia Customers who purchased through www.phil-taylor.com and relates to several possible security holes in mosMedia component. As you may be aware, certain hackers are attempting to hack many Joomla websites through custom components.
We attempted to contact the original author of the component yesterday but have so far received no contact back from him. Phil-Taylor.com only sells this component from its site on behalf of the original developer; we are not responsible for the development, quality of the code or the support of the product.
We suspended sales of mosMedia while we tried to contact the author - we have still had no luck contacting him.
As an added valuable service to those mosMedia customers who purchased through our website (www.phil-taylor.com) we are happy to release a non-official mosMedia 1.0.8 security patch to mosMedia 1.0.8 that resolves the known security issues. The patch download has been made public so other mosMedia customers who have purchased from the original author can also benefit.
Download the patch here: mosMedia 1.0.8 security patch
If you have mosMedia 1.0.8 installed you should download our mosMedia 1.0.8 security patch and FTP the files into place; the patch file contains nested directories so you can work out where the files need to go. There is no version number change: as we are not the developers of mosMedia we cannot change the version number, but the mosMedia 1.0.8 security patch should prevent you getting hacked through mosMedia files.
If you wish to attempt to contact the original author please try his website at: http://www.ag-solutions.net/
Posted in Bug Fixes, Joomla Components, New Releases, Security | 5 Comments »
July 19th, 2006
We just received this from our friends at mosets.com
Hi folks,
As you may be aware, there have been increased hacking attempts on Joomla websites for the past few weeks, mostly through custom components. The Joomla team has released a new version 1.0.10 to address some of these vulnerabilities. If you are running Joomla prior to 1.0.10 you *should* upgrade to this version.
We have also performed an internal audit on Mosets Tree and discovered that under certain server configurations it is possible for an attacker to include remote files, which could result in your website being compromised.
Because of this, we have released the latest patch - 1.59 to address this security issue. The upgrade is available here:
http://mosets.com/download/
This release also includes several bug fixes.
If you *only* want to apply the security fixes, download the upgrade (1.5.8 - 1.5.9) and overwrite all files from this directory:
/components/com_mtree/Savant2/
to your server. This is the fastest way to fix the security issue and applies to all versions of Mosets Tree.
We encourage all our customers to upgrade to this version as soon as possible. If you have any questions regarding this release, please do not hesitate to contact us at support _AT_ mosets.com
Best regards,
Lee Cher Yeong
Website: http://www.Mosets.com/
Posted in Bug Fixes, Joomla Components, Security | No Comments »
July 19th, 2006
Dear friends.
This email is being sent to all mosListMessenger Customers and relates to a possible security hole in mosLM component. As you may be aware, certain hackers are attempting to hack many Joomla websites through custom components.
mosLM is a custom Joomla Component developed by one of our partner developers (Matt Simpson) and integrated to Joomla by Phil Taylor.
We have been quick to review the components we have developed; within mosLM the original developer had already implemented an internal check that would die if the file was used through a direct URL - this has provided good security.
As an additional level of security we have now implemented the Joomla check to see if the file has been included through Joomla. This will provide even better protection.
In our internal review of our components it has come to light that, under very specific conditions, it may be possible to include nasty files using a specially crafted URL to a few specific files in mosLM, which could result in your site being hacked.
We have already addressed these issues within mosLM and you can download the latest version from our site at http://www.phil-taylor.com/cc
You should upgrade your site to Joomla 1.0.10 and upgrade mosListMessenger to the latest files (No version change) as soon as practically possible.
As a customer of ours, we would be happy to upgrade mosListMessenger for you FOR FREE! If you would like to take us up on this offer please fill in the form at http://www.phil-taylor.com/send-request and we will action it as soon as possible.
May I stress that we have not heard of ANY successful hacking attempts through any of our components and we are working behind the scenes to ensure this continues to be the case. We are also providing good advice to other custom Joomla Component developers.
Kindest regards
Phil and the Team at Blue Flame IT Ltd.
Posted in Bug Fixes, Free, Joomla Components, New Releases, Security | 2 Comments »