14 Oct: Security, PHP 4 and 1.5.7
Version 1.5.7 introduced a series of security improvements. Because of the nature of the issues, the patches were not committed to SVN until shortly before release, so they only had a couple of hours of JBS testing. Introducing them earlier would have given the bad guys information about the vulnerabilities, and the time gap between commit and release would have given them the opportunity to attack many sites. (This is the reason we also ask people not to post vulnerabilities in the forums, but rather to visit the security center and send them to the JSST privately.)
One of the fixes addressed issues when there is a redirect. A new JURI method, isInternal($url), was added to address this issue. This fix made changes to the controllers for user, content, polls and mailto so that they make use of the new method when redirecting. This fix relies on a function which is only available in PHP 5, not PHP 4. As a result you may see problems with content submission, login, mailto, and polls if you have PHP 4.
If you have a PHP 4 site we urge you to update to PHP 5. If for some reason you can't, add this to the end of /libraries/joomla/utilities/compat/php50x.php:
    if (!function_exists('stripos')) {
        // PHP 4 has no stripos(); emulate it with strpos() on lowercased copies
        function stripos($haystack, $needle, $offset = 0) {
            return strpos(strtolower($haystack), strtolower($needle), $offset);
        }
    }
This fix will be applied in the regular release of 1.5.8.
However, an even better solution if you care about security is to upgrade to PHP 5. I have sites on a number of hosts, and some were extremely slow or made it difficult to get PHP 5, but since the end of life on Aug 8, they have all come around. Usually you can just file a support ticket and the host will take care of it or tell you what to do. Since PHP 4 is no longer going to have security releases, if you want to protect your site you must switch to PHP 5; do not wait for a vulnerability in PHP 4 to be discovered. As we saw with the Joomla vulnerability fixed in 1.5.6, even if a threat is fixed in just a couple of hours, that is plenty of time for script kiddies to hack hundreds of sites. In PHP 4's case a responsible host would not apply an unofficial patch. Who knows, maybe it would get them to upgrade eventually? But in the meantime, your site would be vulnerable. So file that support ticket today.
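The redirect fix described above depends on a case-insensitive comparison of the target URL against the site's own base URL. The following is an added example, not Joomla's code and not from the original post, showing one way a redirect handler can make that check with stripos(); the function name is_internal_url(), the base URL and the sample URLs are all constructed for illustration.

```php
<?php
// Added example: is_internal_url() is a hypothetical helper, not JURI::isInternal().

/**
 * Return true if $url stays on the site rooted at $base, so it is safe
 * to pass to a redirect. Anything else should fall back to the site root.
 */
function is_internal_url($url, $base)
{
    // Reject control characters and backslashes, which browsers may
    // normalise differently from parse_url().
    if (preg_match('/[\x00-\x1f\\\\]/', $url)) {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false; // too malformed to reason about
    }
    // No scheme and no host: a relative URL, which cannot leave the site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return true;
    }
    // Absolute (or protocol-relative) URL: it must start with the site
    // root. Scheme and host are case-insensitive, hence stripos(). The
    // trailing slash stops "example.org" matching "example.org.other.test".
    $root = rtrim($base, '/');
    return strcasecmp($url, $root) === 0
        || stripos($url, $root . '/') === 0;
}

// Constructed sample data.
$base = 'http://www.example.org';
$samples = array(
    'index.php?option=com_content&view=article&id=1',
    'http://www.example.org/index.php?option=com_user',
    'HTTP://WWW.EXAMPLE.ORG/index.php',
    'http://www.example.org.other.test/index.php',
    '//other.test/index.php',
    'http://other.test/?return=http://www.example.org/',
);
foreach ($samples as $url) {
    $action = is_internal_url($url, $base) ? 'redirect' : 'use site root instead';
    printf("%-52s %s\n", $url, $action);
}
```

On PHP 4 the stripos() call here fails with an undefined-function error unless the compatibility shim shown earlier is loaded, which is the breakage the post describes.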


