Security Patch for JomSocial 1.6.x

Posted by: azrul

Tagged in: security

We have released an update to JomSocial 1.6, bringing the version number to 1.6.291, to fix a security issue found recently. The patch addresses a non-persistent (reflected) cross-site scripting issue through which an attacker could get arbitrary JavaScript executed in a user's browser. We recommend that all customers apply the patch immediately.

To install this patch:

  1. Download the patch file linked below
  2. Unzip it and copy the extracted files into your /components/com_community/ folder, overwriting the existing copies
  3. Also make sure that all your modules and plugins are up to date
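As an added example (not JomSocial's own tooling), the script below applies an already-unzipped patch directory onto a components/com_community/ tree and then verifies it file by file. The verification step matters because, as noted in the comments below, the patch does not bump the version shown in the Joomla backend, so comparing the installed files against the patch is the only reliable way to confirm it took. It assumes the patch directory mirrors the layout of com_community/ (the file names used in the fixture are constructed for the demo and are not the real patch contents).

```shell
#!/bin/sh
# Added example: apply an unzipped patch tree to components/com_community/
# with a backup of every overwritten file, then verify the copy by comparing
# each patch file with its installed counterpart. The patch tree is assumed
# to mirror the component's directory layout (an assumption, not something
# this page states about the real patch archive).
set -e

# apply_patch PATCHDIR COMPDIR BACKUPDIR
# Copies every regular file below PATCHDIR to the same relative path under
# COMPDIR, saving any file it would overwrite under BACKUPDIR first.
apply_patch() {
    patch_dir=$1; comp_dir=$2; backup_dir=$3
    find "$patch_dir" -type f | while read -r src; do
        rel=${src#"$patch_dir"/}
        dst="$comp_dir/$rel"
        if [ -f "$dst" ]; then
            mkdir -p "$backup_dir/$(dirname "$rel")"
            cp -p "$dst" "$backup_dir/$rel"
        fi
        mkdir -p "$(dirname "$dst")"
        cp -p "$src" "$dst"
    done
}

# verify_patch PATCHDIR COMPDIR
# Returns 0 when every file in PATCHDIR is byte-identical to the installed
# copy under COMPDIR; otherwise prints the differing paths and returns 1.
verify_patch() {
    patch_dir=$1; comp_dir=$2
    missing=$(find "$patch_dir" -type f | while read -r src; do
        rel=${src#"$patch_dir"/}
        cmp -s "$src" "$comp_dir/$rel" || echo "$rel"
    done)
    if [ -n "$missing" ]; then
        printf 'NOT APPLIED:\n%s\n' "$missing"
        return 1
    fi
    return 0
}

# demo: constructed fixture in a temporary directory (file names and
# contents are made up for this example). Returns 0 when the patch is
# rejected before applying, applied with a backup, and verified afterwards.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/patch/templates/default" "$work/com_community/templates/default"
    # "patched" template escapes its output; the installed one does not
    printf '<?php echo htmlspecialchars($q, ENT_QUOTES, "UTF-8"); ?>\n' \
        > "$work/patch/templates/default/search.php"
    printf '<?php echo $q; ?>\n' > "$work/com_community/templates/default/search.php"
    printf '<?php // unrelated file left alone ?>\n' > "$work/com_community/index.php"

    # Before applying, verification must report the file as not applied.
    if verify_patch "$work/patch" "$work/com_community" >/dev/null; then
        rm -rf "$work"; return 1
    fi
    apply_patch "$work/patch" "$work/com_community" "$work/backup"
    # The overwritten original must be preserved in the backup tree.
    if [ ! -f "$work/backup/templates/default/search.php" ]; then
        rm -rf "$work"; return 1
    fi
    # After applying, every patch file matches its installed copy.
    if verify_patch "$work/patch" "$work/com_community" >/dev/null; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$work"
    return $rc
}

demo && echo "patch applied and verified"
```

On a real site, run apply_patch against the unzipped patch directory and the component path, then verify_patch with the same two arguments; any path it prints is a file the web server is still serving unpatched. Because cp runs as the user invoking the script, check afterwards that the copied files are owned by, or readable by, the web server account, or PHP will fail to include them.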

Download links

JomSocial 1.6.289/290

Alternatively, if you have little or no template customization, you may download the latest build and simply install it over your current version without uninstalling the older version.

For JomSocial 1.6 that is older than 1.6.288 please make sure you have applied the previous JomSocial update, announced here.

For JomSocial 1.5 and 1.2 with the March 31 2010 patch, you may simply install this plugin instead. It will plug the non-persistent XSS security issue without having to patch the file.

Please take note that we have only tested the patches on the 1.6.x releases. The patches have also been deployed in our latest stable release 1.6.291 which can be downloaded from your account area at http://jomsocial.com/download.html . If you are using the unsupported 1.7 or 1.8 release, a new build will be published shortly.

Impact: Moderate
Severity: High
Exploit type: XSS Injection
Reported Date: 2010-June-22
Fixed Date: 2010-June-22

21 Response(s)

Flavia Silveira
June 23, 2010
Hi,

Where is the link to 1.6.291? The links provided on the forum and the blog post are only for 1.6.290.
The account area now has the latest 1.8 version instead of the latest patch.

Thank you,

Flavia
fuqaha
June 24, 2010
Hi Flavia,
By applying the above patch, you are effectively running 1.6.291 (take note that version number in Joomla admin area is not changed though).
Flavia Silveira
June 24, 2010
Good to know...I had already done that but since the version was still showing as 290 and the patch didn't show as new version either I was a little puzzled.
mcmoody
June 23, 2010
I've been getting lots of errors upgrading the 1.528 through the patches to this version. How do I get support?
fuqaha
June 23, 2010
Hi,

I've replied to your thread. See you in the forum!

:)
Emilia
June 23, 2010
Hi Team,
I want to download the stable version 1.6.291, but on the download page I'm able to get only the 1.8 version. Will you deliver version 1.6.291?

Thanks in adv
fuqaha
June 23, 2010
Hi there, by applying this patch, you are effectively running 1.6.291 (version info at the backend is not updated though)
janny
janny
June 23, 2010
Can you please correct the plugin download package! The jomsocialpatch.php is wrong as mentioned below!
fuqaha
June 23, 2010
Corrected. Thanks!
Richard
Richard
June 23, 2010
Well I just want to say thanks I really like working with Jomsocial
greg
greg
June 22, 2010
No change in version number, I'm still in 1.6.289 !
How do I know whether this patch is applied or not? Thanks anyway! It's probably working ;)
fuqaha
June 23, 2010
You are correct, the patch doesn't change the version number.
Dave D
June 22, 2010
Applied the patch but the version number of the community component still shows 1.6.288 - is that correct?
Daniel00
June 22, 2010
The contents of plg_xsspatch.zip is just a copy of plgSystemJomsocialConnect plugin from jomsocialconnect.php which I would assume is not right. Can you please update the file or clarify
Chewy
June 22, 2010
So based on the above instructions, I will end up with a folder called "patch_1.6_220610" inside my com_community folder?!? Or am I supposed to take the individual files and overwrite the corresponding files?

Why do you people make such a simple thing so complicated? Especially in this day and age?
jhendric
June 22, 2010
Read the instructions. They're crystal clear. This is a trivial thing to do.
Alex29
June 22, 2010
So if you are still releasing 1.6 when will 1.8 be out? Days, weeks, or Months?
Azrul
June 22, 2010
Less than an hour good enough ?
Webguru
Sonny
June 23, 2010
Hi Azrul, the JomSocial I have is 1.6.290 and I have applied the security patch for this version. If I want to upgrade to 1.8, and right now I am using PHP version 5.2.13, will this PHP version work fine for the 1.8 upgrade?
fuqaha
June 23, 2010
Yes, it will work fine. 5.2.13 is newer than 5.2.4. (read: its thirteen vs four).
fuqaha
June 22, 2010
lol.. an hour it is.
busy