CSV vulnerability explained

Title: CSV vulnerability explained
Article:

How can CSV files be affected?

Well, technically CSV files are text files - the purpose of a CSV is in its name - Comma Separated Values. The issue is actually a combination of spreadsheet software interpreting values as formulas (thus no longer treating values as plain text) and the tendency of users to ignore security prompts - or to agree to terms and conditions without scrolling through :-)


Created By: octavian
Last Modified: 15 May 2019
Categories: Development
Tags: None

Copyright

© RSJoomla.com

  2476 Hits

Joomla 3.9.6 Release

joomla-396

 Joomla 3.9.6 is now available. This is a security fix release for the 3.x series of Joomla which addresses one security vulnerability and contains over 25 bug fixes and improvements. What's in 3.9.6? Joomla 3.9.6 includes one security vulnerability fix and several bugs and improvements, including: Security Issues FixedLow Priority - Core - XS...

Continue reading

Copyright

© RSJoomla.com

  2385 Hits

JoomlaDay Chicago Oct 12 2019

joomladay-leaves-Oct12

The 2019 JoomlaDay Chicago event will be here before you know it. The event will include great sessions by knowledgeable speakers and the JoomlaDay exam. As you may have seen in our We Have a Venue post, we will be at DePaul University, this time in the Chicago Loop. Information on the venue is on our site to help you find a place to stay as well a...

Continue reading

Copyright

© RSJoomla.com

  2579 Hits

SP Page Builder Update Pro v3.4.8

sppb348-update-banner-final

​The April 10th session of JUGCN featured guest presenter, Dave Crabill discussed SP Page Builder from Joomshaper.com.  The presentation and video are available online.  Today, JoomShaper released a new version, 3.4.8 which includes WebP support to accelerate your site loading speed. Plus, several new features added to Slideshow...

Continue reading

Copyright

© RSJoomla.com

  2939 Hits

Joomla 3.9.5 Release

Joomla 3.9.5 is now available. This is a security fix release for the 3.x series of Joomla which addresses three security vulnerabilities and contains over 20 bug fixes and improvements.

What's in 3.9.5?

Joomla 3.9.5 includes three security vulnerabilities fixes and several bugs and improvements, including:

Security Issues Fixed

  • Low Priority - Core - Directory Traversal in com_media (affecting Joomla 1.5.0 through 3.9.4) More information »
  • High Priority - Core - Helpsites refresh endpoint callable for unauthenticated users (affecting Joomla 3.2.0 through 3.9.4) More information »
  • Moderate Priority - Core - Object.prototype pollution in JQuery $.extend (affecting Joomla 3.0.0 through 3.9.4) More information »

Bug fixes and Improvements

  • User Password: Add minimum lowercase rule for password validation #24230
  • Associations tab: Fix wrong behaviour of Indonesian language #24244
  • Debug language: Fix User Actions Log Manager #24178
  • New installation language: Kazakh #24233
  • Google Authenticator plugin (2FA): QR-code generator implemented #24255

Visit GitHub for the full list of bug fixes.

Download

Upgrade Packages

Upgrade Packages
Joomla 3 upgrade packages

Note: Please read the update instructions before updating.
Remember… Please clear your browser's cache after updating.
Found a bug? Report it on the Joomla Issue Tracker.
Questions? See the documentation wiki for FAQ’s regarding the 3.9.5 release.

Continue reading

Copyright

© RSJoomla.com

  2485 Hits

Kazakh Language Pack Added to Joomla! 3.9

Kazakh joins the officially released language packs for Joomla!, an award-winning Content Management System (CMS).

Read More ...

  2311 Hits

Because Open Source Matters … and Domains too!

It’s an exciting day for The Joomla Project and BRANDIT! 
As the consolidation and packaging of web services move forward, we are happy to announce the official launch of our domains platform (powered by BRANDIT), domains.joomla.org.

Every website starts with a domain name, and by offering domains directly from Joomla.org, our users gain a new way to help build their online presence whilst helping the project financially.  

Domains.joomla.org is a full domain registry service that gives Joomla a direct connection to TLD’s and Registrars. 
This partnership opens up new opportunities for sponsorship and special offers to the Joomla Community.  
As we launch the platform, two registrars have already sponsored several JoomlaDays, and BRANDIT has become a Platinum Sponsor of the Joomla Project.

Whether you are looking for a new domain name or to transfer your existing domain portfolio, domains.joomla.org is the perfect platform. Offering you a wide range of TLDs alongside a robust and intuitive industry leading control panel for domain management.  

It is that simple, get started today, together Joomla and BRANDIT make your domains feel at home!

Benefit from the special Offers for the launch!

.com

9.99€ for the first year and transfers

.club

0,99€ for the first year

.at

9.99€ for the first year

Copyright

© RSJoomla.com

  2309 Hits

How to create a Joomla! article using RSForm!Pro

Creating a Joomla! article has never been easier. RSForm!Pro's plugins portfolio has grown bigger, the Joomla! Articles plugin developed by the RSJoomla! team, as the name implies, allows your users to easily create Joomla! articles in no time at all through a simple form submission.

Copyright

© RSJoomla.com

  2287 Hits

Joomla 3.9.4 Release

Joomla 3.9.4 is now available. This is a security fix release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains 28 bug fixes and improvements.

What's in 3.9.4?

Joomla 3.9.4 includes 4 security vulnerabilities fixes and several bugs and improvements, including:

Security Issues Fixed

  • High Priority - Core - Missing ACL check in sample data plugins (affecting Joomla 3.8.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in com_config JSON handler (affecting Joomla 3.2.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in item_title layout (affecting Joomla 3.0.0 through 3.9.3) More information »
  • Low Priority - Core - XSS in media form field (affecting Joomla 3.0.0 through 3.9.3) More information »

Bug fixes and Improvements

  • User Terms (#23787) and Privacy Consent (#23660) plugins: Layouts for the label and message added
  • Featured articles: Page subheading added #23583
  • Custom formfield layout paths simplified #22645
  • Com_contact: Contact name field moved out of the Contact Information block #23563
  • Custom module: Improvement of the frontend editing #23741
  • Action Logs improvement: Cache (#22739) and Purge/Export (#22740) actions are now logged

Visit GitHub for the full list of bug fixes.

Download

Upgrade Packages

Upgrade Packages
Joomla 3 upgrade packages

Note: Please read the update instructions before updating.
Remember… Please clear your browser's cache after updating.
Found a bug? Report it on the Joomla Issue Tracker.
Questions? See the documentation wiki for FAQ’s regarding the 3.9.4 release.

Continue reading

Copyright

© RSJoomla.com

  2525 Hits

Joomla World Conference Nov 8-10, 2019 in London, England

jwc-2019

 Joomla World Conference (JWC) will be held in London, UK, from November 8th to 10th, 2019. The Conference will bring the brightest Joomla minds together to share their experiences, connect with others, and learn more about Joomla and its community. ​What is JWC? "Joomla! World Conference (JWC) is an annual user conference aimed at users ...

Continue reading
  2596 Hits

A Statement on the Recent Report by Check Point

A report by Check Point Research has been brought to our attention relating to a security vulnerability that was patched back in December 2015. This report has also been picked up by Threat Post.

Both reports contain a great deal of inaccuracies and intimate that the vulnerability detailed is a current one. 
This statement serves to clarify the facts surrounding this issue. Furthermore we would like to assure our user base that, much as these posts attempt to state that this is a current issue, the truth of the matter is far from that.

With this in mind, we would like to clarify a few points:

  • There is no current security issue with the JMail class.
  • The underlying issue, used to create and store the backdoor, is a PHP issue rather than a Joomla issue.
  • A successful attack is only possible with severely outdated PHP and Joomla versions that are more than 3 years out of date (PHP versions 5.4.45, 5.5.29, 5.6.13 and all higher versions are patched for this vulnerability). Please see our recent article about the importance of keeping your sites up to date here.
  • A mitigation for Joomla 1.5, 2.5 and 3 was released more than 3 years ago in December 2015. Patches for EOL versions were released alongside the Joomla 3.4.7 release. Patches for the other Joomla versions are still available here. The Joomla Project also distributed WAF rules to many shared hosting providers at the time of discovery to protect against common exploits of this vulnerability.
  • The file mentioned in Check Point's report is not a Joomla core file, it's a copy of the original class used by the attacker to obfuscate a backdoor.
  • The file does not "override" the core JMail class.

More information on the exploit

The pattern described by Check Point is a classic one - where an attacker exploits a well-known security issue. The issue is over 3 years old and stems from a security issue found in PHP, rather than the Joomla core.  More information on this issue can be found here:

By exploiting this issue an attacker can embed a backdoor in site, which can be used for malicious activity. In order to make detection as hard as possible, attackers often use copies of real application files (in this case a copy of Joomla's mailing class) to embed their exploit code. Those copies will never be used in normal application execution, so there's no "override" as claimed in the report, they simply used the file to obfuscate the actual backdoor.

Copyright

© RSJoomla.com

Tags:
  2457 Hits

Joomla 3.10 and Joomla 4.0

joomla-310-4

At the end of 2019, the Joomla Project plans to release two versions simultaneously: the minor version, Joomla 3.10 and the new major version, Joomla 4.0. Joomla 3.10 will be the last release of the 3.x series. As announced in May 2018, and due to the release of Joomla 3.9, Joomla 3.10 will be the final release of the Joomla 3.x series. J...

Continue reading
  2683 Hits

Joomla attended the CMS Security Summit at Google in Chicago

January 30th 2019 - It’s freezing cold in Chicago today and according to the news, it’s even colder than on the Mount Everest - so a perfect day to stay inside a warm building, sitting in front of your machine and having a (sorry, bad Everest joke) summit!

Read More ...

  2208 Hits

Joomla 3.9.3 Release

Joomla 3.9.3 is now available. This is a security fix release for the 3.x series of Joomla which addresses 6 security vulnerabilities and contains 30 bug fixes and improvements.

Copyright

© RSJoomla.com

  2335 Hits

Keeping your Joomla website up-to-date

As of release 3.5 Joomla is collecting stats data, thanks to the stats plugin (only works if it’s enabled), and it found too many websites are not using the currently supported release of 3.9.2. This data is based on the Joomla, PHP, and database version. These are some pretty alarming statistics, and should not be ignored! We have provided some links at the bottom of this article for your reference, review, and to even get the latest release of Joomla.

Copyright

© RSJoomla.com

  2511 Hits

JUG Dallas/Fort Worth Feb 11th Joomla 3 Template Overrides

img_joomlaDallas_FortWorth

Join the DFW (Dallas/Fort Worth, TX USA) Joomla User Group this Monday February 11 at 7pm CST (GMT-6) for a presentation on: Topic: Introduction to Joomla 3 Template OverridesMany Joomla webmasters have heard about template overrides, but don't know how to do them. They assume they need to know PHP in order to make changes to their template. Good n...

Continue reading
Tags:
jug
  3232 Hits

#PolarVortex - Stay Warm Everyone

StayWarmEveryone

Quick reminder to Midwest Joomlers to keep warm over the next few days of brutal windchills. 

  2987 Hits

Joomla 3.9.2 Release

Joomla 3.9.2 is now available. This is a security release for the 3.x series of Joomla which addresses 4 security vulnerabilities and contains over 50 bug fixes and improvements.

Copyright

© RSJoomla.com

  2325 Hits

Joomla! A Year in Review - 2018

As we countdown to 2019, we’ll be raising a glass (or two) to all our incredible volunteers who have made the leaps and bounds of 2018 possible.

Copyright

© RSJoomla.com

  2372 Hits

Joomla 3.9.1 Release

Joomla 3.9.1 is now available. This is a bug fix release for the 3.x series of Joomla including over 40 bug fixes and improvements.

 

Copyright

© RSJoomla.com

  2376 Hits