Softpedia
 


July 21st, 2011, 16:58 GMT · By

XSS Vulnerability Fixed in Joomla Update


Joomla 1.7 released as security update
The Joomla Project has released version 1.7 of its popular content management platform as a security update that patches a cross-site scripting vulnerability and introduces an easier update mechanism.

The XSS flaw is located in the Joomla core components and stems from inadequate input escaping. The vulnerability was reported by Aung Khant on July 11 and affects Joomla 1.6.5 and all earlier 1.6.x versions. It is rated as medium severity.

Another important change in Joomla 1.7, security-wise, is a new one-click update mechanism that greatly simplifies the upgrading process.

"With Joomla 1.7 the user community placed a large emphasis on making the CMS installation process as simple as possible and new versions more frequent," the Joomla development team said.

"This will allow users to more easily and frequently migrate to the latest version of Joomla, and take advantage of all the security benefits associated with running the newest code," the developers added.

A webmaster looking to upgrade using the new process should first make sure that all installed extensions are compatible with the new version. They should then perform a backup of the site's files and database.

The actual update can be performed by going to the Extensions > Extensions Manager > Update menu, purging the cache and pressing "find updates." The update process can take a few minutes, after which webmasters should see a notification that the update was applied successfully.

Automatic updates are vital to keeping the install base up to date and secure. Cyber criminals are increasingly using compromised websites in their attacks, and unpatched CMS installations pose a great risk for users.

WordPress has had automatic updates for a long time now. In fact, the project's managers are considering the option of silent updates. This would be the first time such a method of updating would be introduced in a widespread CMS platform.

Joomla! 1.7 can be downloaded from here.
