Joomla! Developer Network


  • Project: Joomla!
  • SubProject: framework
  • Severity: Low
  • Versions: 1.5.8 and all previous 1.5 releases
  • Exploit type: Session Hijacking/
  • Reported Date: 2008-November-20
  • Fixed Date: 2009-January-9

Description

When a site runs under SSL ONLY (the entire site is forced to be under SSL), Joomla! does not set the SSL (Secure) flag on the session cookie. Without that flag, the browser will also send the cookie with any plain-HTTP request to the same host, which can allow someone monitoring the network to find the cookie related to the session. Please note that all data is still transferred securely.

Affected Installs

Installs running 1.5.8 or lower that are served over SSL only (no non-SSL access).

Solution

Upgrade to the latest Joomla! version (1.5.9 or newer) and set force_ssl in the global configuration. Alternatively, the PHP setting session.cookie_secure can be set in .htaccess or php.ini. Joomla! (all versions) will respect this setting.

Reported By Hanno Boeck

Contact

The JSST at the Joomla! Security Center.
