
XSS Patches available for all templates

    • Andy Miller
    • Preeminent Rocketeer
    • Posts: 9919
    • Thanks: 96
    • Web Kahuna

    XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Patch packages are now available for download

      A minor non-persistent XSS (Cross-site Scripting) vulnerability was discovered yesterday that affects every template since about mid-year 2006 (both for Joomla 1.0 and 1.5). We have fixed the problem and updated every template that exhibits this issue. These updated templates are now available in the member's download section.

      If you have modified a template, you can easily install the patched files by downloading the latest version of the template to a local directory, extracting it ( www.7-zip.org , www.winzip.com ) and then copying the rt_styleswitcher.php and the rt_styleloader.php files into your template directory over the existing files.

      NOTE: make sure you use the files from the template YOU are using. Each of these files are slightly different from template to template.

      For more information on XSS and specifically the Non-Persistent form that this patch fixes, check out this link:

      en.wikipedia.org/wiki/Cross-site_scripting

      Cheers,

      List of Templates Affected:

      Each of the following templates can be easily patched by replacing just the "rt_styleswitcher.php" and "rt_styleloader.php" files with the new ones currently available in the template packages. Each template package has been updated with the fixed files and version numbers have been updated to reflect this change (a separate zip file with just the changed files will soon be available).

      Main Templates:

      MediaMogul - Jan08
      Populus - Dec07
      Dimensions - Nov07
      Equinox - Oct07
      Firenzie - Sep07
      Simplix - Aug07
      Replicant - Jul07
      DarkMatter - Jun07
      Elemental - Jun07
      Versatility - May07
      ColorMatic - Apr07
      Bentobox - Mar07
      Vortex - Feb07
      Elixer - Dec06
      SubtleTrooper - Nov06
      GoWTrooper - Nov06
      WoWTrooper - Nov06
      Shock/StromTrooper - Nov06
      Pixelperfect - Oct06
      Mobius - Sep06
      *Carbonite - Aug06
      *Carbonation - Aug06
      *Versatility 2 - Jul 06
      *Versatility - Jun06
      *Fire - May06


      Labs Templates:

      *Versatility 2 RokStar - Aug07
      Mobius RokStar - Oct07
      Equinox Essentials - Oct07
      SubtleTrooper Dark
      Mobius Dark
      Outland
      Dimensions Light - Nov07
      Dimensions COD4 - Nov07
      Dimensions Halo3 - Nov07
      Dimensions Eve - Nov07
      Dimensions WoW - Nov07

      Free Templates:

      Novus - Dec07

      * These templates require a few extra modifications to match the new stylechanger syntax. The exact changes are listed in detail in the following posts:

      - Carbonite
      - Carbonation
      - Versatility 2
      - Versatility 2 RokStar
      - Versatility
      - Fire
    • Last Edit: 16 years 10 months ago by Kevin DuCommun.
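As an added illustration (not RocketTheme's template code), the reflected pattern the post describes next to an allowlist-based fix. The request parameter name `style` and the `<link>` markup are assumptions; the post does not show the switcher's actual code.

```php
<?php
// Added example, not RocketTheme's template code. It assumes (hypothetically)
// that the style switcher reads the chosen style name from a request
// parameter called "style" and emits a <link> tag built from that value.

// Reflected (non-persistent) pattern: the request value is echoed into the
// page unescaped, so whatever the URL carries lands in the HTML as-is.
function insecure_style_link(string $style): string
{
    return '<link rel="stylesheet" href="css/style-' . $style . '.css" />';
}

// Hardened: resolve the value against a fixed list of style names the
// template actually ships, and escape the output anyway.
function resolve_style(?string $requested, array $allowed, string $default): string
{
    if ($requested === null || !in_array($requested, $allowed, true)) {
        return $default; // unknown or missing value: silently fall back
    }
    return $requested;
}

function safe_style_link(?string $requested, array $allowed, string $default): string
{
    $style = resolve_style($requested, $allowed, $default);
    // ENT_QUOTES covers both quote styles, so the value stays safe inside an
    // attribute even if the allowlist is later extended carelessly.
    $href = htmlspecialchars('css/style-' . $style . '.css', ENT_QUOTES, 'UTF-8');
    return '<link rel="stylesheet" href="' . $href . '" />';
}

// Constructed demo values (not from the post).
$allowed = ['default', 'dark', 'light'];
$hostile = '"><b>injected</b>'; // constructed input that closes the attribute early

echo insecure_style_link($hostile), PHP_EOL;                  // attribute broken, markup injected
echo safe_style_link($hostile, $allowed, 'default'), PHP_EOL; // falls back to the default style
echo safe_style_link('dark', $allowed, 'default'), PHP_EOL;   // legitimate choice passes through
```

The allowlist is the real fix; the escaping is defence in depth for the case where the value later reaches the page by another path (for example a cookie holding the remembered style).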
    • Gerald V.
    • Sr. Rocketeer
    • Posts: 144
    • Thanks: 0

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Thanks Mr. Andy
  • Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Thank you, note to self weekend work download templates.
    • VirtueShop
    • Yves
    • Preeminent Rocketeer
    • Posts: 9214
    • Thanks: 5

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Updates done! Thanks Andy.

      Note: For Versatility 1, 2 and RokStar, as well as Fire, you need to do a full template update.
    • Last Edit: 16 years 10 months ago by Yves.
    • Yves
  • Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • great. thank you!
    • Peadar
    • Hero Rocketeer
    • Posts: 261
    • Thanks: 0

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • OK, checking now.

      Thanks
  • Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • does this include Mediamogul?
    • GollumX
    • Elite Rocketeer
    • Posts: 2817
    • Thanks: 0

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • There could be a script kiddie out there right now Googling for sites with RT templates. I am assuming/hoping that the fact that you didn't email the membership indicates that this is only a minor vulnerability.
    • Say no to Internet Explorer 6.
      twitter.com/mark_up
    • KW
    • Sr. Rocketeer
    • Posts: 188
    • Thanks: 0

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • Might be a dumb question, but I like asking dumb questions, because this is the internet and we know of a lot of things people can do.

      If you have an uploaded template that is not your default template, do you need to add the patch? Or, of course, just delete the template on the server.
    • To make a donation for my efforts, click the globe to the left.
    • Andy Miller
    • Preeminent Rocketeer
    • Posts: 9919
    • Thanks: 96
    • Web Kahuna

    Re: XSS Patches available for all templates

    Posted 16 years 10 months ago
    • GollumX wrote:
      There could be a script kiddie out there right now Googling for sites with RT templates. I am assuming/hoping that the fact that you didn't email the membership indicates that this is only a minor vulnerability.

      As I stated, it's a non-persistent XSS vulnerability. Those are not considered high risk. Most applications have a number of them. Even Joomla has one I know of in 1.0.13 (patched in svn). Read the Wikipedia article for examples of this type of vulnerability.
    • Last Edit: 16 years 10 months ago by Andy Miller.