Joomlatools would like to announce the immediate availability of DOCman v1.4.0RC2.

Recently, a CSRF vulnerability was discovered in DOCman. An attacker can gain the same access permissions as the administrator. In the right circumstances, this can be exploited to change data or obtain shell access. All 1.3.x versions, as well as 1.4.0BETA2 and 1.4.0RC1, are vulnerable. We therefore recommend that all users upgrade to the new v1.4.0RC2.

CSRF, or ‘cross-site request forgery’, is a relatively unknown exploit. Many extensions, as well as older Joomla! versions, are vulnerable. We strongly recommend upgrading all sites to either Joomla! 1.0.14 1.0.15 or Joomla! 1.5.1, and using only extensions from trusted sources. Always log out after using your site in either front- or back-end.

Installation / Upgrade

  • Installing a fresh copy of DOCman can be done in the usual way, using Joomla!’s component or extension installer.
  • To upgrade DOCman 1.4.x to the latest version, you can simply remove DOCman through Joomla!’s uninstaller, and install the new version. No data will be lost. Review the configuration after upgrading. If you have made changes to the theme, back these up first. Please check the README.php file included in the zip before upgrading.
  • To upgrade DOCman 1.3 RC1 or RC2 to the latest version, you need to install a patch first, which can be found at the download site below. The README file included in the zip contains detailed instructions for installing the patch.
  • To migrate a DOCman installation from a Joomla! 1.0.x site to a Joomla! 1.5.x site, please use the migrator plugins from the download site. Again, the zip file contains a README with instructions.

Links

Thanks

We’d like to take this opportunity to thank everybody who tested DOCman, reported or fixed bugs, made translations, or helped out users on our forums. Our special thanks go out to Zinho from Hackers Center, who discovered the vulnerability, Krisstoffer, our forum moderator, and Chris, who submitted patches.

DOCman is almost completely developed and maintained by volunteers. If you want to contribute to DOCman, in any way you can, please join our growing user community on the Joomlatools forums!

Mathias Verraes (aka mjaz)

DOCman Lead Developer

Joomlatools Team Member

  • torkil

    Tried uninstalling RC1 and installing RC2 on my J! 1.5 installation, but no luck.

    I get the following message:
    Component Installer: Custom install routine failure

    Further down, in red text, it also says:
    DOCman
    Unwriteable: /
    Unwriteable: administrator/modules/
    Unwriteable: plugins/
    Installation failed!

  • torkil

    After making the folders writeable, I was able to do the install and just change the folder privileges back again afterwards.

    This was not a problem though when installing RC1 on J! 1.5.

  • Mathias Verraes

    Please use the community forums for support. Thanks.

  • Chris

    Mathias,
    Could you please registration page for community forums? There is no registration image-code displayed – thus – impossible to register.

  • Mathias Verraes

    Chris,
    the issue should be fixed now, could you try again?

  • Chris

    Yes, it works, I was able to register, thank you!
