There is always a great deal of Joomla! development activity underway, and communicating with other developers in the community is essential. This site is a resource for anyone looking to build or maintain software based on the Joomla platform.

  • Project: Joomla!
  • SubProject: framework
  • Severity: Low
  • Versions: 1.5.8 and all previous 1.5 releases
  • Exploit type: Session Hijacking
  • Reported Date: 2008-November-20
  • Fixed Date: 2009-January-9

Description

When running a site under SSL only (the entire site is forced to be served over SSL), Joomla! does not set the Secure flag on the session cookie. This can allow someone monitoring the network to obtain the cookie that identifies the session. Please note that all data is still transferred securely.

Affected Installs

1.5.8 and lower installs which are run with SSL only (no non-SSL access).

Solution

Upgrade to the latest Joomla! version (1.5.9 or newer), and set force_ssl in the global configuration. Alternatively, the PHP setting session.cookie_secure can be set in .htaccess or php.ini. Joomla! (all versions) will respect this setting.
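A quick way to verify that the fix above is actually in effect is to look at the Set-Cookie headers the site returns and confirm that every cookie carries the Secure attribute. The following shell script is an added example and is not part of the advisory or of Joomla! itself: it parses response headers from standard input and reports each cookie that lacks Secure. The header sample and cookie names embedded in it are constructed so the script runs offline; the URL in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not Joomla! code): check Set-Cookie response headers for
# cookies that are missing the Secure attribute, which is exactly what the
# advisory describes for SSL-only sites on Joomla! 1.5.8 and earlier.

# Constructed sample of response headers, standing in for the output of
# `curl -sI https://example.test/` (placeholder URL). Cookie names are made up.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: sid=abc123; path=/; secure; HttpOnly
Set-Cookie: pref=compact; path=/
Content-Type: text/html'

# cookie_is_secure "<Set-Cookie header line>"
# Returns 0 when the cookie carries a Secure attribute (case-insensitive),
# 1 otherwise. Attributes are matched as whole ";"-delimited tokens so that a
# cookie *value* containing the word "secure" does not produce a false positive.
cookie_is_secure() {
    value=$(printf '%s' "$1" | sed 's/^[Ss]et-[Cc]ookie:[[:space:]]*//')
    case ";$(printf '%s' "$value" | tr 'A-Z' 'a-z' | tr -d ' ')" in
        *";secure;"*|*";secure") return 0 ;;
    esac
    return 1
}

# count_insecure_cookies < headers
# Reads raw HTTP response headers on stdin, names each cookie without Secure
# on stderr, and prints the number of such cookies on stdout (0 means all of
# the cookies set by the response are marked Secure).
count_insecure_cookies() {
    count=0
    while IFS= read -r line; do
        # curl output carries CRLF line endings; drop the CR.
        line=$(printf '%s' "$line" | tr -d '\r')
        case "$line" in
            [Ss]et-[Cc]ookie:*) ;;
            *) continue ;;
        esac
        if ! cookie_is_secure "$line"; then
            name=$(printf '%s' "$line" | sed 's/^[Ss]et-[Cc]ookie:[[:space:]]*//; s/=.*//')
            echo "missing Secure attribute: $name" >&2
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Run against the constructed sample; for a live site replace the printf with
# `curl -sI https://example.test/` (placeholder URL).
printf '%s\n' "$SAMPLE_HEADERS" | count_insecure_cookies
```

On the constructed sample the script reports `pref` as missing the Secure attribute and prints a count of 1. After upgrading and enabling force_ssl (or setting session.cookie_secure in php.ini or .htaccess), running it against the real site's headers should print 0 for the session cookie.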

Contact

The JSST at the Joomla! Security Centre.

Reported By: Hanno Boeck

Version Number Shifting

After feedback from the community the PLT agreed at their meeting on Sunday 1st May 2016 to release the improvements to the Joomla Update Component, containing a reinstall button and reinstating the ability to update Joomla via file upload, as soon as possible.

With our versioning policy (available at https://developer.joomla.org/news/586-joomla-development-strategy.html) this means that we must make a minor release. As a result, rather than making a 3.5.2 release we will instead make a 3.6.0 release.

The features that originally were planned to ship with 3.6 (for example the refactored routing system and the custom fields component) will now be made in a 3.7 release. The timescale for the 3.7 release will be roughly unchanged and will still be led by Chris Davenport.

The full PLT minutes for this meeting will be published very soon in the usual reports section on the volunteer portal and will contain the planned release dates for 3.6.

The Joomla! UX Team wants your feedback

The Joomla UX team is conducting research to improve future versions of Joomla and we want your feedback!

The goal of this survey is to provide a general overview of Joomla users and usage. The feedback we receive will shape the direction of our process and our future research efforts. The survey is very short and simple; it should only take a minute or two of your time. The more feedback we get, the more we can help our users. Please share this survey with your local Joomla communities and spread the word.

Take the survey now!

Call For Volunteers - Joomla! UX Team

The Joomla User Experience (JUX) Team is looking for volunteers to contribute to the JUX Team efforts. The primary goal of the JUX is to continually improve the overall Joomla User Experience across all areas of the platform.

Call For Joomla! Production Leadership Team Nominations - Secretary

The Joomla! Production Leadership Team (PLT) is pleased to announce we are looking for members to fill particular roles. We currently have a volunteer position open for a PLT Secretary.

Call for Volunteers - Developer Advocates Team for the Joomla! Project

Announcing the New Developer Relations Program for Joomla!

We are thrilled to announce the launch of the new Developer Relations Team for Joomla! We'd like to take this time to invite developers to join our team as a Volunteer Developer Advocate. Together, our team will rally around one purpose: to make web development with Joomla! easier and more productive for all.