
  • Project: Joomla!
  • SubProject: libraries
  • Severity: High
  • Versions: 1.5.6 and all previous 1.5 releases
  • Exploit type: Brute Force
  • Reported Date: 2008-August-23
  • Fixed Date: 2008-September-9


A flaw in the random number generation vastly reduces the entropy of the random functions the system uses. This affects system-generated tokens and passwords. The fix increases entropy and greatly reduces the chance of a generated token being guessed.

3PD Concerns

3PD extensions which use random number generation must properly seed the random numbers first (see JUserHelper::genRandomPassword() for more information on how to seed). To generate a random string, the following method is recommended: $password = JUtility::getHash( JUserHelper::genRandomPassword() );

Affected Installs

All 1.5.x installs prior to and including 1.5.6 are affected.


Upgrade to latest Joomla! version (1.5.7 or newer).


The JSST at the Joomla! Security Centre.

Reported By: Stefan Esser

Joomla! 3.7 is still in development but we’re already thinking forward and are calling contributors for Joomla! 4. This will be an evolution of the Joomla! series with the goals of improving the user experience, improving the code quality and reducing bugs. 

Start contributing to Joomla! 4, a developers look

News came out today of a vulnerability involving HTTP_PROXY, known as httpoxy, that affects CGI applications on PHP, Python, Go and others. The Production Leadership Team and the Joomla! Project want to raise awareness of this among their users.

The Joomla! core itself is not affected in any way by this vulnerability, but third-party extensions using specific PHP libraries might be. As of now we have no further information on which third-party extensions may use any affected libraries, so we ask all of our users to check with their extension providers to see if their extension might be affected. The HTTP protocol is used to make requests for information on the Internet, such as to load a web page, image file, or data from a RESTful API.

More information on the vulnerability can be found at:

For example, we know the Guzzle library (a very popular one) is affected, so it is recommended to update the library as soon as possible. For this specific library you can find a fix on GitHub at the following link: or via Composer.

If you are not sure what libraries are used by your Third Party extension providers, please contact them. If you see updates in the next few days from these developers, please apply them.
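One way to find out which extensions bundle the Guzzle library named above, as an added example (not Joomla! project code): the script walks a site tree for Composer metadata and reports every bundled copy of guzzlehttp/guzzle with its recorded version. It assumes extensions ship a composer.lock or a vendor/composer/installed.json; the function names, extension paths and version strings in the sample are constructed.

```python
import json
import tempfile
from pathlib import Path

METADATA_FILES = {"composer.lock", "installed.json"}  # Composer metadata files


def _packages(doc):
    """Yield package entries from either metadata layout."""
    if isinstance(doc, list):  # Composer 1 installed.json: bare list
        yield from doc
    elif isinstance(doc, dict):  # composer.lock / Composer 2 installed.json
        for key in ("packages", "packages-dev"):
            yield from doc.get(key) or []


def find_bundled(root, wanted="guzzlehttp/guzzle"):
    """Return sorted (metadata path, version) pairs for package `wanted`."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.name not in METADATA_FILES:
            continue
        try:
            doc = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable, a directory, or not JSON: skip it
        for pkg in _packages(doc):
            if isinstance(pkg, dict) and str(pkg.get("name", "")).lower() == wanted:
                hits.append((path.relative_to(root).as_posix(), pkg.get("version", "unknown")))
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample: two hypothetical extensions that bundle Guzzle."""
    samples = {
        "plugins/system/example_a/composer.lock":
            {"packages": [{"name": "guzzlehttp/guzzle", "version": "0.0.1-sample"}]},
        "components/com_example_b/vendor/composer/installed.json":
            [{"name": "GuzzleHttp/Guzzle", "version": "0.0.2-sample"}],
    }
    for rel, doc in samples.items():
        full = Path(root, rel)
        full.parent.mkdir(parents=True, exist_ok=True)
        full.write_text(json.dumps(doc), encoding="utf-8")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(find_bundled(tmp))
```

Pointing find_bundled() at the site root gives a list of paths and versions to raise with each extension provider.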

Joomla! raises awareness on the HTTP_PROXY vulnerability