0
Welcome Guest! Login
0 items Join Now

XSS Patches available for all templates

    • Andy Miller's Avatar
    • Andy Miller
    • Preeminent Rocketeer
    • Posts: 9919
    • Thanks: 96
    • Web Kahuna

    XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Patch packages are now available for download

      A minor non-persistent XSS (Cross-site Scripting) vulnerability was discovered yesterday that effects every template since about mid year 2006 (both for joomla 1.0 and 1.5). We have fixed the problem and updated every template that exhibits this issue. These updated templates are now available in the member's download section.

      If you have modified a template, you can easily install the patched files by downloading the latest version of the template to a local directory, extracting it ( www.7-zip.org , www.winzip.com ) and then copying the rt_styleswitcher.php and the rt_styleloader.php files into your template directory over the existing files.

      NOTE: make sure you use the files from the template YOU are using. Each of these files are slightly different from template to template.

      For more information on XSS and specifically the Non-Persistent form that this patch fixes, check out this link:

      en.wikipedia.org/wiki/Cross-site_scripting

      Cheers,

      List of Templates Affected:

      Each of the following templates can be easily patched by replacing just the "rt_styleswitcher.php" and "rt_styleloader.php" files from the new ones currently available in the template packages. Each template package has been updated with the fixed files and version numbers have been updated to reflect this change (a seperate zip file with just the changed files will soon be available).

      Main Templates:

      MediaMogul - Jan08
      Populus - Dec07
      Dimensions - Nov07
      Equinox - Oct07
      Firenzie - Sep07
      Simplix - Aug07
      Replicant - Jul07
      DarkMatter - Jun07
      Elemental - Jun07
      Versatility - May07
      ColorMatic - Apr07
      Bentobox - Mar07
      Vortex - Feb07
      Elixer - Dec06
      SubtleTrooper - Nov06
      GoWTrooper - Nov06
      WoWTrooper - Nov06
      Shock/StromTrooper - Nov06
      Pixelperfect - Oct06
      Mobius - Sep06
      *Carbonite - Aug06
      *Carbonation - Aug06
      *Versatility 2 - Jul 06
      *Versatility - Jun06
      *Fire - May06


      Labs Templates:

      *Versatility 2 RokStar - Aug07
      Mobius RokStar - Oct07
      Equinox Essentials - Oct07
      SubtleTrooper Dark
      Mobius Dark
      Outland
      Dimensions Light - Nov07
      Dimensions COD4 - Nov07
      Dimensions Halo3 - Nov07
      Dimensions Eve - Nov07
      Dimensions WoW - Nov07

      Free Templates:

      Novus - Dec07

      * These templates require a few extra modifications to match the new stylechanger syntax. The exact changes are listed in detail in the following posts

      - Carbonite
      - Carbonation
      - Versatility 2
      - Versatility 2 RokStar
      - Versatility
      - Fire
    • Last Edit: 16 years 10 months ago by Kevin DuCommun.
    • Gerald V.'s Avatar
    • Gerald V.
    • Sr. Rocketeer
    • Posts: 144
    • Thanks: 0

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Thanks Mr. Andy
  • Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Thank you, note to self weekend work download templates.
    • VirtueShop
    • Yves's Avatar
    • Yves
    • Preeminent Rocketeer
    • Posts: 9214
    • Thanks: 5

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Updates done ! Thanks Andy.

      Note: For Versatility 1, 2 and rokstar, as well as fire, you need to do a full template update.
    • Last Edit: 16 years 10 months ago by Yves.
    • Yves
  • Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • great. thank you!
    • Peadar's Avatar
    • Peadar
    • Hero Rocketeer
    • Posts: 261
    • Thanks: 0

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • OK, checking now.

      Thanks
  • Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • does this include Mediamogul?
    • GollumX's Avatar
    • GollumX
    • Elite Rocketeer
    • Posts: 2817
    • Thanks: 0

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • There could be a script kiddie out there right now Googling for sites with RT templates. I am assuming/hoping that the fact that you didn't email the membership indicates that this is only a minor vulnerability.
    • Say no to Internet Explorer 6.
      twitter.com/mark_up
    • KW's Avatar
    • KW
    • Sr. Rocketeer
    • Posts: 188
    • Thanks: 0

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Might be a dumb question, but I like asking dumb questions, because this is the internet and we know of a lot of things people can do.

      If you have an uploaded template, this is not your default template, do you need the add the patch? or of course just delete the template on the server.
    • To make a donation for my efforts, click the globe to the left.
    • Andy Miller's Avatar
    • Andy Miller
    • Preeminent Rocketeer
    • Posts: 9919
    • Thanks: 96
    • Web Kahuna

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • GollumX wrote:
      There could be a script kiddie out there right now Googling for sites with RT templates. I am assuming/hoping that the fact that you didn't email the membership indicates that this is only a minor vulnerability.

      As I stated, it's a non-persistent XSS vulnerability. Those are not considered high risk. Most applications have a number of them. Even joomla has one I know of in 1.0.13 (patched in svn). Read the wikipedia article for examples of this type of vulnerability.
    • Last Edit: 16 years 10 months ago by Andy Miller.

Time to create page: 0.073 seconds