Security Patch for JomSocial 1.5 and 1.6

Posted by: irwan

Tagged in: security

The JomSocial team has just released a security update for JomSocial 1.6 and JomSocial 1.5. The patch addresses an issue where an attacker might be able to execute arbitrary JavaScript through carefully crafted content (a cross-site scripting vulnerability). The patch closes all exploitable holes in the current and previous versions of JomSocial.

We recommend that all of our customers apply the patch immediately.

To install this patch:

1. Download the attached file and unzip it
2. Upload the files in 'frontend' folder to /components/com_community/
3. Upload the files in 'backend' folder to /administrator/components/com_community/
4. Upload the files in 'modules' folder to /modules/
5. Upload the 'plugins/plg_groups/groups.php' file to /plugins/community/
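The five upload steps above as a POSIX shell script, added here as an example and not JomSocial's own installer: it copies each patch folder to its destination and keeps a copy of every file it overwrites, so a patch that breaks a customised install can be rolled back. It assumes the first argument is the unzipped patch folder and the second is the Joomla site root.

```shell
#!/bin/sh
# Added example (not JomSocial's own installer): applies the five upload steps
# from the post to a Joomla root and saves every file it overwrites under a
# backup folder so the original files can be restored afterwards.
# Assumptions: PATCH is the unzipped patch folder, ROOT is the Joomla site root.
set -eu

# copy_file SRC DEST BACKUP_ROOT SITE_ROOT: overwrite DEST with SRC, first
# saving the old DEST under BACKUP_ROOT at its path relative to SITE_ROOT.
copy_file() {
    src="$1"; dest="$2"; site="$4"; rel="${dest#$site/}"; bak="$3/$rel"
    mkdir -p "$(dirname "$dest")"
    if [ -f "$dest" ]; then
        mkdir -p "$(dirname "$bak")"
        cp -p "$dest" "$bak"
    fi
    cp -p "$src" "$dest"
}

# copy_tree SRC_DIR DEST_DIR BACKUP_ROOT SITE_ROOT: copy_file for every regular
# file under SRC_DIR, preserving the relative layout (steps 2 to 4).
copy_tree() {
    [ -d "$1" ] || return 0            # folder absent from this patch build
    find "$1" -type f | while IFS= read -r f; do
        copy_file "$f" "$2/${f#$1/}" "$3" "$4"
    done
}

# apply_jomsocial_patch PATCH ROOT [BACKUP_ROOT]: the upload steps 2 to 5.
apply_jomsocial_patch() {
    patch="$1"; root="$2"; bak="${3:-$root.jomsocial-backup}"
    [ -d "$patch" ] && [ -d "$root" ] || return 1
    copy_tree "$patch/frontend" "$root/components/com_community"               "$bak" "$root"
    copy_tree "$patch/backend"  "$root/administrator/components/com_community" "$bak" "$root"
    copy_tree "$patch/modules"  "$root/modules"                                "$bak" "$root"
    # Step 5 names a single file, not a folder.
    if [ -f "$patch/plugins/plg_groups/groups.php" ]; then
        copy_file "$patch/plugins/plg_groups/groups.php" "$root/plugins/community/groups.php" "$bak" "$root"
    fi
}

# rollback_jomsocial_patch BACKUP_ROOT ROOT: put the saved originals back.
# Files the patch added that had no original are left in place.
rollback_jomsocial_patch() {
    [ -d "$1" ] || return 1
    find "$1" -type f | while IFS= read -r f; do
        cp -p "$f" "$2/${f#$1/}"
    done
}
```

Run it as `sh apply_patch.sh /path/to/unzipped/patch /var/www/joomla` after adding a call to `apply_jomsocial_patch "$1" "$2"` at the end, or source it and call the functions by hand.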

Download links:

JomSocial 1.6.288
JomSocial 1.5.248
JomSocial 1.2.206

To date, we have not received any report of such attacks on live websites; this vulnerability was found by our internal security audit team.

Please take note that we have only tested the patches on the 1.6.288, 1.5.248 and 1.2.206 releases. The patches have also been deployed in our latest stable release, 1.6.289, which can be downloaded from your account area at http://jomsocial.com/download.html

28 Response(s)

mcmoody
June 23, 2010
If you have 1.5.248, which file do you load? The one labeled 1.5.248? Or the 1.6.288 (to upgrade to that version)?
as85
June 01, 2010
jooom!!!
Mark
April 29, 2010
Testing comment
wizowsky
April 23, 2010
I got this error after applying the patch on version 1.5.248.

Fatal error: Call to undefined method CFactory::unsetActiveProfile() in /home/absibm/public_html/plugins/user/jomsocialuser.php on line 53

Any smart advice?
ffxiv
April 19, 2010
Ohh, great! http://www.itemgarden.com/en/index.jsp
ffxiv
April 19, 2010
Thanks very much! Nice day!
http://www.itemgarden.com
emil
April 14, 2010
Is this the last version of JomComment?
test123423983214
April 08, 2010
This is just a test
Edwin Wang
April 06, 2010
JomSocial 1.5.248 patch hyperlink is http://www.jomsocial.com/files/patch_1.2.zip.

Is this the correct link because JomSocial 1.2.206 patch is also linking to the same zip file.
whatever
April 05, 2010
Hello World
Testing JomComment
whatever
April 05, 2010
Re: Re: Hello World
Testing
whatever
April 05, 2010
Re: Hello World
Testing
whatever
April 05, 2010
Re: Re: Re: Hello World
Testing
agrevet
April 04, 2010
I uploaded the security patch for 1.6. After that, Create a Discussion stopped working in the Groups, html tags started appearing in the Inbox messages, and registration email alerts stopped sending. I have restored the files from backup which has corrected the errors. Unfortunately I can't use this patch :-(
Omar a
April 03, 2010
I have upgraded and got so many JavaScript errors ... a lot of things stopped working

Michelle b
April 02, 2010
I have Version: 1.6.285. Do I still need the patch? I don't see an option for this.
Nanda
April 02, 2010
Do I need patch if I have 1.6.289?
Luke Adlam
April 01, 2010
We have several sites on older versions (1.1 and 1.2). None of them are publicly registrable - are they still open to this exploit and should we upgrade ASAP?
Scott Telle
March 31, 2010
I'm getting an error after uploading the patch for 1.5.

Fatal error: Call to undefined method CToolbar::getToolBarGroupKey() in /home/mccth1/mccth.org/components/com_community/templates/default/toolbar.index.php on line 12

I'm also seeing this in the forums. I'd STRONGLY suggest backing up your working install first, as this is VERY frustrating.

JomSocial staff -- please help us out here...
Scott Telle
March 31, 2010
The team has been quick to respond to this problem, and I just want to follow up my comment with a big "THANK YOU" to the JomSocial team.

I do appreciate the quick response in keeping us (and our social networks) all safe from evil hackers. :D
Mark Lee
March 31, 2010
Thank you for your very kind words ;)
Mustaq
March 31, 2010
Why didn't you include the patch in the extension and release it as an official build?

You can download JomSocial 1.6.289 from the member download area
bud777
March 31, 2010
Why didn't you include the patch in the extension and release it as an official build?
Mark Lee
April 01, 2010
This is actually released as a new build if you want to upgrade. You can download it from your account area. The latest build is 1.6.289
Bumbles
April 01, 2010
Do I need the patch if I have 1.6.289? I have been trying to get an answer on installing it, as it seems weird that each little file needs to be installed separately.
Tomas Blazauskas
April 03, 2010
Have to strongly agree with Sinisak. Also it would be great if all the incremental minor-version upgrades were provided also as a patch (beside version for download).
SinisaK
April 02, 2010
It's not weird; it's easier for those who have heavily hacked or modified installations of JomSocial to just replace files.

My installation, for example, is one of a kind, and I would probably have to spend another two weeks applying all customizations again if I did a clean upgrade to 289.
IrishEyes
April 04, 2010
Agree...notifying which files are affected would be very useful for us with custom mods. Thanks
busy