Last week, two security reports caught our attention. Even though they are not directly about any of our products, they are relevant to our users. That is why we have opened a new forum to announce vulnerabilities. Please subscribe to the Joomlatools security RSS feed, or to the security forum (you need a forum account).
This extension allows you to sell documents through DOCman. So far the developer of this extension has not responded to this vulnerability report. As the extension’s web page doesn’t show any activity, we suspect it has been abandoned.
If you are using this extension, we advise you to uninstall it completely, until an update is released. The AEC extension might be a good alternative.
UPDATE: The entry on the extensions directory states that the component was updated to v2.2. However, the download link is broken, I couldn’t find any information on Ossolution’s site, and the site’s support page appears to have been hacked.
UPDATE 2: In the meantime the links on the JED have been updated to point to Ossolution’s new site. However, in the meantime Ossolution claims to have made a completely new version 2.5 of the extension, which no longer depends on DOCman. They refused to send us a copy, so we have no idea at all how secure it is.
We have investigated this report, and it does not concern the Joomla:Alfresco integration that was published through Joomlatools Labs over a year ago. We have been unable to find the developer of this extension, so we believe it might be a custom extension that is not available on the JED. If you have more information, please let us know.
If you have an Alfresco extension installed, you can identify it by opening /administrator/components/com_alfresco/manifest.xml. If it starts with the following header, you are using our secure extension. If it doesn’t, you might be using the vulnerable extension.
<name>Alfresco</name> <author>Joomlatools</author> <copyright>Copyright (C) 2008 Joomlatools. All rights reserved.</copyright> <creationdate>December 2008</creationdate> <license>http://www.gnu.org/licenses/gpl-2.0.html GNU/GPL</license> <authoremail>firstname.lastname@example.org</authoremail> <authorurl>www.joomlatools.org</authorurl> <version>1.0.0</version> <description>This component displays an Alfresco repository using CMIS</description>