As demonstrated last week with the release of Joomla 2.5.3, security issues can arise unexpectedly in the world of open source software.

Thus, it is hard to overstate the importance of keeping your web site updated with the latest version of Joomla and all the extensions you may have installed.

It is fitting, then, that updating Joomla 2.5 itself has become fast and easy thanks to its built-in update system.

Updating most extensions is simply a matter of downloading the latest version and applying it through the Joomla installer.

These are great workflows for any web developer using Joomla, but they only help if you actually learn, promptly, when new versions of Joomla and of your installed extensions are released.

Be notified — Joomla

To help with this process, we have created a newsletter that is used ONLY to announce when a new version of Joomla is available.

On Thursday the Joomla project released version 2.5.3 to patch two serious security vulnerabilities affecting Joomla 2.5.2 and all earlier versions including Joomla 1.6 and 1.7.

It is CRITICAL that all Joomla instances — version 1.6, 1.7 and 2.5 — upgrade immediately to version 2.5.3.

Anything Digital is proud to recognize Jeff Channell — our very own Senior Developer — for identifying one of the vulnerabilities on Monday and reporting it to the Joomla Security Strike Team who acted quickly to release the update.

Spambots and e-mail harvesters are an important tool for the spamming community: collecting e-mail addresses from web sites is what creates the 'market' for all the junk that lands in your spam folder, and often in your inbox.

Like any good content management system or blog, Joomla protects the e-mail addresses in your site content by encoding them in the page source and using JavaScript to rebuild them in the browser. A harvester scanning the raw HTML no longer sees anything that looks like an e-mail address, while the end-user can still click the link and have their default mail client open a new message with the 'To:' field pre-populated.

The email cloaking feature is delivered via the aptly-named 'Email cloaking' plugin, which makes protecting your email address available to 3rd party extensions such as JCal Pro® that support content plugins. However, I have had to disable this plugin in the past on some sites as end-users would sometimes report the following error when they clicked on some e-mail links:

This e-mail address is being protected from spambots. You need JavaScript enabled to view it.
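To make the mechanism concrete, here is an added example of the same cloaking idea (this is illustrative code, not the Joomla Email Cloaking plugin's own implementation): the markup carries only shifted character codes and a small inline script that rebuilds the mailto: link at view time, and the <noscript> text is exactly the message quoted above that a visitor without JavaScript sees. The shift key, the element id, the sample address and the harvester regex are assumptions chosen for the demo.

```javascript
// Added example, not Joomla's Email Cloaking plugin: the same idea in miniature.
// The page only carries shifted character codes plus a script that rebuilds the
// mailto: link in the browser; the <noscript> text is what a visitor (or a
// harvester) sees when JavaScript is off. Key and id values are arbitrary demo choices.

function encodeAddress(address, key) {
  // Shift every character code so the literal address never appears in the markup.
  return Array.from(address, (ch) => ch.charCodeAt(0) + key);
}

function decodeAddress(codes, key) {
  // Mirror of encodeAddress; this is what the inline script does in the browser.
  return String.fromCharCode(...codes.map((c) => c - key));
}

function cloakEmail(address, key = 7, id = 'cloak0') {
  const codes = encodeAddress(address, key);
  return [
    `<span id="${id}"></span>`,
    '<script>',
    `(function(){var c=[${codes.join(',')}],k=${key},a='';`,
    'for(var i=0;i<c.length;i++){a+=String.fromCharCode(c[i]-k);}',
    `var e=document.getElementById('${id}');`,
    'e.innerHTML=\'<a href="mailto:\'+a+\'">\'+a+\'</a>\';})();',
    '</script>',
    '<noscript>This e-mail address is being protected from spambots. ' +
      'You need JavaScript enabled to view it.</noscript>',
  ].join('\n');
}

// What a naive harvester does: run an e-mail regex over the raw page source.
function harvest(html) {
  return html.match(/[\w.+-]+@[\w-]+\.[\w.-]+/g) || [];
}

// Run the emitted inline script against a stub DOM to show what a JavaScript-enabled
// browser ends up rendering inside the span.
function renderWithJs(html) {
  const el = { innerHTML: '' };
  const body = html.slice(html.indexOf('<script>') + 8, html.indexOf('</script>'));
  new Function('document', body)({ getElementById: () => el });
  return el.innerHTML;
}

// Constructed sample address.
const uncloaked = '<a href="mailto:sales@example.com">sales@example.com</a>';
const cloaked = cloakEmail('sales@example.com');
console.log(harvest(uncloaked));  // the plain link is harvested
console.log(harvest(cloaked));    // the cloaked markup yields nothing
console.log(renderWithJs(cloaked) === uncloaked);  // but the visitor sees the same link
```

The tradeoff the post runs into is visible in the last line of the markup: whatever is inside the <noscript> element is all that a visitor without JavaScript, or a user agent that fails to run the inline script, will ever see.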

Implemented in Internet Explorer 4 as a technique to improve the end user experience [1], 'MIME sniffing' or MIME type detection is the browser's practice of inspecting a file's contents to decide its format (text, HTML, audio/video and so on) instead of trusting the declared Content-Type [2]. However, when IE detects a conflict while sniffing (i.e. it encounters an image that is really a script), potential vulnerabilities arise:

[An] image that seems harmless at first glance may actually be dangerous if it begins with some HTML code, because Internet Explorer will then execute that code. This gives an attacker an opportunity to embed JavaScript in images and exploit the attack vector to execute cross-site scripting [(XSS)] attacks. [source]

If your web site serves a file like this, an upload that carries an image name or type but begins with HTML, the code inside it is executed in the browser of anyone who views it, and it runs as part of your site, so it can do whatever a script on your own pages could. With the expansion of user-generated content and the slow adoption of IE8 (which is not vulnerable to this exploit), the MIME sniffing feature has become a serious liability, because users increasingly have ways to place files, and images in particular, on web servers.
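The server-side mitigation is to refuse uploads that are not what they claim to be and to tell the browser not to sniff what you serve. The following is an added example (not code from the original post or from Joomla) written for Node.js; the allowed types, the list of HTML markers, the sample files and the header set are assumptions for the demo.

```javascript
// Added example: server-side checks for the "image that is really HTML" case.
// Two layers: (1) reject uploads whose leading bytes do not match the declared
// image type, or that contain markup a sniffer would latch onto, and (2) serve
// the upload directory with headers that forbid sniffing. Samples are constructed.

const MAGIC = {
  'image/png':  Buffer.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]),
  'image/jpeg': Buffer.from([0xff, 0xd8, 0xff]),
  'image/gif':  Buffer.from('GIF8'),          // covers GIF87a and GIF89a
};

// Tokens a sniffer keys on; the legacy IE sniffer only inspected the leading bytes,
// so a matching header followed by markup is the classic bypass this catches.
const HTML_MARKERS = ['<html', '<body', '<head', '<script', '<!doctype', '<iframe', '<object', '<embed'];

function looksLikeHtml(bytes) {
  const head = bytes.subarray(0, 256).toString('latin1').toLowerCase();
  return HTML_MARKERS.some((marker) => head.includes(marker));
}

function checkImageUpload(declaredType, bytes) {
  const magic = MAGIC[declaredType];
  if (!magic) return { ok: false, reason: 'type not allowed' };
  if (bytes.length < magic.length || !bytes.subarray(0, magic.length).equals(magic)) {
    return { ok: false, reason: 'magic bytes do not match ' + declaredType };
  }
  // A valid header is not enough: GIF89a followed by <script> still gets sniffed as HTML.
  if (looksLikeHtml(bytes)) return { ok: false, reason: 'HTML markup inside image' };
  return { ok: true, reason: 'ok' };
}

// Headers for anything served out of a user-upload directory. nosniff is honoured
// from IE8 onward; Content-Disposition: attachment keeps older browsers from
// rendering the file inline at all.
function uploadResponseHeaders(contentType) {
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': 'attachment',
  };
}

// Constructed sample uploads.
const samples = {
  realPng:   Buffer.concat([MAGIC['image/png'], Buffer.alloc(16)]),
  htmlAsPng: Buffer.from('<html><body><script>alert(1)</script></body></html>'),
  gifWithJs: Buffer.concat([Buffer.from('GIF89a'), Buffer.from('<script>alert(1)</script>')]),
};

console.log(checkImageUpload('image/png', samples.realPng));
console.log(checkImageUpload('image/png', samples.htmlAsPng));
console.log(checkImageUpload('image/gif', samples.gifWithJs));
console.log(uploadResponseHeaders('image/gif'));
```

A false positive from the marker scan (a genuine image that happens to contain "<body" in its first 256 bytes) is rare and errs in the safe direction; re-encoding the image through an image library on upload removes both the false positive and any embedded payload.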

As a software developer, one way in which we promote our products is through affiliate marketing. Affiliate marketing is essentially a link exchange program: the people who post links to your products (on their web sites or in their blogs, newsletters, etc.) get a commission on the sales generated from those links. In fact, you'll notice some of our own affiliate links on the left-hand side of this page under "Recommended Vendors". Of course, a software package tracks the affiliate traffic, and a very popular one is called iDevAffiliate.

While recently configuring and testing iDevAffiliate for this web site (details coming soon), we noticed something peculiar. When an affiliate signs up for an account, they must provide a username and password and often tax information such as an SSN (USA) or VAT number (Europe). In the case of iDevAffiliate, this sensitive password and tax information was being saved in plain text. That does not by itself open a new way into the server, but it turns any database compromise into a full disclosure of every affiliate's password and tax ID, which increases vendor liability dramatically: a password should be stored only as a salted hash, and tax identifiers should be encrypted with a key kept outside the database.
