• Project: Joomla!
  • SubProject: CMS

Description

Joomla! 3.6.5 includes additional security hardening mechanisms prepared by the JSST, thanks in part to issue reports from Fotis Evangelou and Nicholas Dionysopoulos, which restrict a user's ability to make potentially damaging configuration changes. This includes restricting the ability to set the "New User Registration Group" and "Guest User Group" to a group with Super User permissions, and restricting the ability of a lesser privileged user to make user group assignment changes to users in a Super User group.

Additionally, we have modified the behavior of JUser::authorise() to only return a boolean value. Previously, this method could return either a boolean value or null because the underlying call to JAccess::check() can also return a null value; neither JUser::authorise() nor JAccess::check() documented this, though. We have determined, based on how the API is used, that JUser::authorise() should only return a boolean value. If a developer requires the previous behavior of a null return value (which indicates an "implicit" denied state, versus an "explicit" denial signified by boolean false), they should use JAccess::check() instead. The documentation for JAccess::check() has been updated to indicate the null return value as well.
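The following PHP snippet is an added illustration, not Joomla's own code: it models the tri-state result of JAccess::check() (true, false, null) next to the boolean-only JUser::authorise() contract described above, and shows why a caller that tests only for an explicit false can be bypassed by an undocumented null. The rules array, group ids and helper names are constructed for the example.

```php
<?php
// Constructed access rules: action => [groupId => allow?]. A group with no
// entry for an action was never assigned a rule for it (an implicit deny).
$rules = [
    'core.admin' => [8 => true, 2 => false],
];

// Tri-state check, mirroring the documented JAccess::check() contract:
// true = explicit allow, false = explicit deny, null = no rule found.
function accessCheck(array $rules, string $action, int $groupId): ?bool
{
    return $rules[$action][$groupId] ?? null;
}

// Boolean-only wrapper, mirroring the 3.6.5 JUser::authorise() contract:
// anything other than an explicit allow (including null) becomes false.
function userAuthorise(array $rules, string $action, int $groupId): bool
{
    return accessCheck($rules, $action, $groupId) === true;
}

// A guard pattern that is unsafe against a tri-state result: it only blocks
// an explicit false, so an implicit deny (null) falls through and is allowed.
function explicitDenyOnlyGuard(array $rules, int $groupId): bool
{
    if (accessCheck($rules, 'core.admin', $groupId) === false) {
        return false;
    }
    return true;
}

// Safe guard: require an explicit allow, so null and false are both denied.
function explicitAllowGuard(array $rules, int $groupId): bool
{
    return userAuthorise($rules, 'core.admin', $groupId);
}

// Group 9 (constructed) has no rule at all for core.admin.
echo 'explicit-deny-only guard, group 9: ',
    var_export(explicitDenyOnlyGuard($rules, 9), true), PHP_EOL;
echo 'explicit-allow guard, group 9:     ',
    var_export(explicitAllowGuard($rules, 9), true), PHP_EOL;
echo 'explicit-allow guard, group 8:     ',
    var_export(explicitAllowGuard($rules, 8), true), PHP_EOL;
```

The same null-versus-false distinction applies to any caller that compares the result of JAccess::check() with a strict `=== false`; callers wanting a simple yes/no should compare against true or use JUser::authorise().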

Contact

The JSST at the Joomla! Security Centre.

[20161204] – Misc. Security Hardening