On 23 April 2010 joomla.org released version 1.5.16, almost 5 months after the release of 1.5.15. Although the .15 version had no major security issues, the new release addresses some moderate security concerns:
- If a user entered a URL with a negative query limit or offset, a PHP notice would display revealing information about the system.
- The migration script in the Joomla! installer does not check the file type being uploaded. If the installation application is present, an attacker could use it to upload malicious files to a server. (It is NEVER recommended to leave the installer script on a live server)
- The session ID is not regenerated when a user logs in. A remote site may be able to forward a visitor to the Joomla! site and set a specific cookie. If the user then logs in, the remote site can use that cookie to authenticate as that user.
- When a user requests a password reset, the reset tokens were stored in plain text in the database. While this is not a vulnerability in itself, it allows user accounts to be compromised if there is an extension on the site with an SQL injection vulnerability.
There are also some minor fixes in the core components of Joomla, mainly:
Unfortunately, at least three new bugs were introduced with this version, so 4 days later a new release, 1.5.17, followed with these fixes:
- Fixed problem logging in when Session Handler is set to None
- Fixed error message when running Joomla! in a PHP version prior to version 5.2
- Reverted change to JFolder::makesafe method that introduced a bug
There are a few issues you have to take into account when updating to 1.5.17:
- If you used an early version of the upgrade files for 1.5.16 (not the full release) you may have incorrect file permissions of 775 instead of 664 on your files. This was due to an error in the automatic packaging of those files.
How to upgrade Joomla?
- Download the needed patch file (according to the version you want to upgrade)
- Backup your site (use Akeeba Backup or Backup from Hosting Cpanel)
- Unpack the patch file
- Overwrite all files on your FTP
- Check that your website is working correctly
Keep in mind not to overwrite the configuration.php file (it is never supplied in the package, the sample configuration is named configuration.php-dist)
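The upgrade steps above, and the permission problem from the early 1.5.16 upgrade files, scripted as an added example. This is not code from the original post or from the Joomla project; it assumes the site is reachable as a local directory (for instance over SSH or on a staging copy, rather than via FTP as the post describes) and that the patch archive has already been unpacked into a directory. The function and variable names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post or of Joomla itself.
# Applies an unpacked Joomla 1.5.x patch directory to a site directory:
# 1. back up the whole site, 2. copy the patch files over it while never
# touching configuration.php, 3. reset permissions (the faulty 1.5.16 upgrade
# files carried 775 instead of 664), 4. report how many files are still
# group- or world-writable so the caller can check the result.
set -eu

# backup_site SITE_DIR BACKUP_TAR: archive the site before changing anything.
backup_site() {
    tar -C "$1" -cf "$2" .
}

# apply_patch PATCH_DIR SITE_DIR: copy every file from the patch over the site,
# except configuration.php. The real packages only ship configuration.php-dist,
# but excluding the live file explicitly guards against a mis-built package.
apply_patch() {
    patch_dir=$1
    site_dir=$2
    ( cd "$patch_dir" && find . -type f ! -name configuration.php -print ) |
    while IFS= read -r rel; do
        mkdir -p "$site_dir/$(dirname "$rel")"
        cp "$patch_dir/$rel" "$site_dir/$rel"
    done
}

# fix_permissions SITE_DIR: plain files to 644, directories to 755.
fix_permissions() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# count_bad_perms SITE_DIR: number of files writable by group or others.
# Uses only POSIX -perm forms so it works with GNU and BSD find.
count_bad_perms() {
    find "$1" -type f \( -perm -020 -o -perm -002 \) | wc -l | tr -d ' '
}

# upgrade_site PATCH_DIR SITE_DIR BACKUP_TAR: the full procedure, in order.
# Prints the number of files that still have unsafe permissions (should be 0).
upgrade_site() {
    backup_site "$2" "$3"
    apply_patch "$1" "$2"
    fix_permissions "$2"
    count_bad_perms "$2"
}
```

A non-zero result from `upgrade_site` means some file ended up group- or world-writable and the permission fix did not take, which is the symptom the early 1.5.16 upgrade files caused. After the script finishes, the last step from the list above still applies: open the site and the administrator backend and confirm they work before deleting the backup.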
Our recommendation: upgrade sometime in the near future, but don't rush into it. If your website is stable and you're running 1.5.15, you should be fine for a while. Test the upgrade first on a less important website you have and see how it plays out.