Akeeba Backup for Joomla! 3.2.7 Stable

Released on: 2011-04-17 04:02 CDT

Security information

On Friday, April 15th, 2011, the acclaimed security analyst Jeff Channel contacted us regarding a potential security issue in the Akeeba Backup component. An attacker exploiting this attack vector could potentially launch a Denial of Service attack on your site or gain information about your site's folder structure. This release fixes this issue.

After careful analysis of the details of the reported vulnerability, we concluded that all versions of Akeeba Backup and JoomlaPack were affected by this issue. Please note that, as of today, JoomlaPack downloads, which were available for historical reasons, will no longer be available from our JoomlaCode.org project page. Moreover, all affected versions will, likewise, be unavailable for download.

IMPORTANT CLARIFICATION: The nature of the vulnerability DOES NOT allow an attacker to "hack" your site. What he can do is (a) fill up its hard drive and crash it, or (b) collect information which he can use with another vulnerable extension to infiltrate your site. If your site got hacked, Akeeba Backup COULD NOT have been used as an attack vector.

Changelog

  • #66 Support for remote updates through the JSON API
  • #63 JSON API downloadDirect() doesn't work, making it impossible to download large archives efficiently
  • #64 (ABI) Hostname change warning popup is blank on Firefox 3.6
  • Typo in ABI (includes/logic/restore.php) throws a PHP notice. Thanks Colin!
  • Managers not showing up in Access Control page on Joomla! 1.5
  • Time label positioning was off to the top in Configuration Wizard
  • Fix for DoS / information disclosure possibility (thanks Jeff!)