Akeeba Backup for Joomla! 6.5.0 Stable

Released on: 2019-05-28 04:14 CDT

What's new

Security (Low Impact): An XSS issue in the Backup page was addressed. This issue affects Akeeba Backup versions 5.3.0.b1 to 6.4.2.1 inclusive. An attacker could craft a malicious URL and trick a Super User, already logged into the site's backend, to click on it resulting in arbitrary JavaScript execution. This issue can NOT be used to hack the site remotely and / or without the participation of an unwitting user with elevated privileges. Moreover, it cannot be used to escalate the privileges of the logged in user or otherwise execute actions the current user is not authorized to execute. Therefore we classify it as low impact.
We would like to thank Mario Korth for the report and the Joomla! Vulnerable Extensions List for forwarding the additional information Mario provided them, allowing us to successfully address this issue.
Mitigation: updating to the latest version, 6.5.0, is adequate to address this issue. If you are using an older version of Joomla! or PHP and cannot upgrade to the latest version of Akeeba Backup, please be careful of the links you click, especially while you are logged into your site, and use the latest version of Google Chrome, which automatically protects you against XSS attacks. Due to the low impact and the fact that a third party mitigation is already in place, we do not plan to backport this security fix to earlier versions of our software.
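The issue above is a reflected XSS: a value taken from the request URL ends up in the page's HTML without escaping, so whoever opens the crafted link renders attacker-controlled markup inside their own authenticated backend session. The following is an added illustration of that pattern and of the fix (output escaping for the HTML attribute context); it is not Akeeba Backup's code and does not show the actual affected code path. The parameter name `description` and the surrounding markup are assumptions.

```php
<?php
// Added illustration, not Akeeba Backup code. The parameter name
// "description" and the input markup are assumptions for the example.

/**
 * Vulnerable pattern: a request parameter is concatenated straight into
 * HTML. Any '<', '>', '"' or "'" in the value becomes live markup in the
 * page of whoever opens the link, so a logged-in Super User would execute
 * it with their own session and privileges.
 */
function renderDescriptionVulnerable(string $fromRequest): string
{
    return '<input type="text" name="description" value="' . $fromRequest . '">';
}

/**
 * Hardened pattern: escape for the HTML attribute context before output.
 * ENT_QUOTES encodes both quote styles so the value cannot terminate the
 * attribute; ENT_SUBSTITUTE replaces invalid UTF-8 sequences instead of
 * returning an empty string; the charset is stated explicitly.
 */
function renderDescriptionSafe(string $fromRequest): string
{
    $escaped = htmlspecialchars($fromRequest, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="description" value="' . $escaped . '">';
}

// Constructed sample input: a value that closes the attribute and opens a tag.
$hostile = '"><b>injected</b>';

echo "Vulnerable: ", renderDescriptionVulnerable($hostile), PHP_EOL;
echo "Hardened:   ", renderDescriptionSafe($hostile), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: in the first the quote and angle brackets survive as markup, in the second they are emitted as entities and the browser treats them as inert text. In a Joomla! view the same escaping is normally done through the view's `escape()` helper, which wraps `htmlspecialchars`; the point of the fix is that every request-derived value is escaped for the context it is written into, not that a specific parameter is filtered.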

Timing options in the integrated restoration to work around picky servers where the extraction always failed. This is the same seldom-used feature that has been in Kickstart for years.

Update to the Google Drive integration. Google has rolled out a new API for Google Drive which will become mandatory in June 2020. This version of Akeeba Backup switched to the new API, making sure that your Google Drive integration will continue working.

Upload to Amazon S3 now supports path-style bucket access for third party endpoints. Some third-party storage providers with S3-compatible APIs require path-style bucket access (bucket name in the URL path) with V2 signatures instead of the standard Amazon S3 method of subdomain access (bucket name as a subdomain of the endpoint) with V2 signatures. This version of Akeeba Backup addresses this need and adds a new option in the S3 configuration to that effect. Using Amazon S3 proper is not affected; you are using V4 signatures with it anyway, so this change is irrelevant to you.
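To make the difference concrete, here is an added example (not Akeeba Backup's own S3 client) that builds the object URL in both styles and computes the AWS Signature V2 `Authorization` header for a PUT. It demonstrates the one detail that matters when you switch styles: the V2 canonicalized resource is always `/bucket/key`, so the signature is identical whether the bucket travels in the `Host` header or in the path; only the URL changes. The endpoint host, bucket, key and credentials are constructed placeholders.

```php
<?php
// Added illustration, not Akeeba Backup code. All endpoint, bucket, key
// and credential values below are constructed placeholders.

// Encode the object key for use in a URL path, keeping '/' separators.
function s3EncodeKey(string $key): string
{
    return str_replace('%2F', '/', rawurlencode($key));
}

// Build the request URL for the same object in either addressing style.
function s3ObjectUrl(string $endpoint, string $bucket, string $key, bool $pathStyle): string
{
    $encodedKey = s3EncodeKey($key);
    return $pathStyle
        ? "https://{$endpoint}/{$bucket}/{$encodedKey}"   // path-style: bucket in the path
        : "https://{$bucket}.{$endpoint}/{$encodedKey}";  // subdomain style: bucket in the host
}

/**
 * AWS Signature V2 for REST requests:
 *   Signature = Base64(HMAC-SHA1(secret, StringToSign))
 *   StringToSign = Verb \n Content-MD5 \n Content-Type \n Date \n
 *                  CanonicalizedAmzHeaders CanonicalizedResource
 * CanonicalizedResource is "/bucket/key" for both URL styles, which is why
 * the same function serves path-style and subdomain-style requests.
 */
function s3SignV2(
    string $method, string $bucket, string $key, string $date,
    string $accessKey, string $secret,
    string $contentMd5 = '', string $contentType = '', array $amzHeaders = []
): string {
    ksort($amzHeaders);
    $canonicalAmz = '';
    foreach ($amzHeaders as $name => $value) {
        $canonicalAmz .= strtolower($name) . ':' . trim($value) . "\n";
    }
    $stringToSign = "{$method}\n{$contentMd5}\n{$contentType}\n{$date}\n"
        . $canonicalAmz . '/' . $bucket . '/' . s3EncodeKey($key);
    $signature = base64_encode(hash_hmac('sha1', $stringToSign, $secret, true));
    return "AWS {$accessKey}:{$signature}";
}

// Constructed sample values for a third-party S3-compatible endpoint.
$endpoint = 's3.example-provider.test';
$bucket   = 'my-backups';
$key      = 'site/backup-2019-05-28.jpa';
$date     = gmdate('D, d M Y H:i:s \G\M\T');  // RFC 1123 date required by V2
$auth     = s3SignV2('PUT', $bucket, $key, $date, 'EXAMPLEACCESSKEY', 'EXAMPLESECRET',
                     '', 'application/octet-stream');

printf("Subdomain URL:  %s\nPath-style URL: %s\nDate:           %s\nAuthorization:  %s\n",
    s3ObjectUrl($endpoint, $bucket, $key, false),
    s3ObjectUrl($endpoint, $bucket, $key, true),
    $date, $auth);
```

Path-style matters for third-party endpoints because the subdomain form requires the provider to serve a TLS certificate valid for `bucket.endpoint` and to route on the `Host` header; many self-hosted or smaller providers do neither, and bucket names containing dots break wildcard certificates even on providers that do. The signature computed above is the same in both cases, so a mismatch between the configured style and what the endpoint expects shows up as a routing or certificate error, not as a signature error.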

Show row count for each table in Database Filters page. The Database Filters page is there to help you exclude large tables with data you don't need to put inside your backup, such as logs, file scanner caches, session information and so on. But how do you know a table is big if you don't see its row count or size? This version addresses this omission by displaying the row count of each table next to it in the Database Filters page.

Bug fixes. We regularly fix smaller and bigger issues. Please consult the CHANGELOG below and the full change history available from the software's main page by clicking the CHANGELOG button.

Joomla! compatibility

We only officially support the latest stable branch of Joomla!. At the time of this writing it is Joomla! 3.9.

Our software should still run on Joomla! 3.8 or later, including 3.8 and 3.9. These versions are not actively supported by us or the Joomla! project anymore. We strongly advise you to run the latest available version of Joomla! for security reasons. Older versions of Joomla! have known major security issues which are being actively exploited to hack sites.

PHP versions supported

We only officially support using our software with PHP 5.6, 7.0, 7.1, 7.2 or 7.3. We strongly advise you to run the latest available version of PHP on a branch currently maintained by the PHP project for security and performance reasons. Older versions of PHP have known major security issues which are being actively exploited to hack sites and they have stopped receiving security updates, leaving you exposed to these issues. Moreover, they are slower, therefore consuming more server resources to perform the same tasks.

Kindly note that our policy is to officially support only the PHP versions which are not yet End of Life per the official PHP project, with a voluntary extension of support for 6 to 9 months after they become End of Life. After that time we stop providing any support for these obsolete versions of PHP without any further notice.

Changelog

Bug fixes

  • [HIGH] Optional filters were no longer visible
  • [LOW] ALICE - Large Directories check had a typo, making it throw false negatives
  • [LOW] PostgreSQL: missing indices (thanks @twister65 for the fix!)
  • [LOW] The Action Log plugin caused untranslated strings in the Action Log module in the Control Panel page

New features

  • Show row count for each table in Database Filters page
  • Timing options in the integrated restoration to work around picky servers where the extraction always failed.
  • Upload to Amazon S3 now supports path-style bucket access for third party endpoints

Miscellaneous changes

  • Updated Google Drive integration due to deprecation of the old Team Drives APIs

Critical bugs and important changes

  • Security [LOW]: an XSS issue in the Backup page affecting versions 5.3.0.b1 to 6.4.2.1 inclusive was addressed. Thank you, Mario Korth for reporting it.