#12220 Cross Site Scripting Firefox

Posted in ‘Admin Tools for Joomla! 4 & 5’

Latest post by nicholas on Wednesday, 09 May 2012 09:17 CDT

zagirova
Mandatory information about my setup:

Have I read the related troubleshooter articles above before posting (which pages?)? No
Have I searched the tickets before posting? No
Have I read the documentation before posting (which pages?)? No
Joomla! version: 1.5.20
PHP version: 5.3
MySQL version: (unknown)
Host: (optional, but it helps us help you)
Admin Tools version: (unknown)

Description of my issue:
I've disable cross site scripting but it still present on Firefox. Please, help.

nicholas
Akeeba Staff
Manager
Hello Liza,

Joomla! 1.5.20 is an old and insecure version of Joomla! which is no longer supported by the Joomla! project and us. Please upgrade to Joomla! 1.5.26 immediately.

After doing that, please try using Chrome instead of Firefox. We are aware that Firefox versions 5 through 9 (inclusive) are extremely buggy and cause a lot of issues not only with our products but with pretty much everything. Bluntly put, they are as stable as a barrel of nitroglycerin rolling down a bumpy hill.

If the problem persists, please explain what you mean with "I've disable cross site scripting but it still present". Do you mean that you've set the XSSShield option in the Configure WAF page to No, clicked on Save, but when you go back to the page it is still enabled?

Nicholas K. Dionysopoulos

Lead Developer and Director

🇬🇷 Greek: native 🇬🇧 English: excellent 🇫🇷 French: basic • 🕐 My time zone is Europe / Athens
Please keep in mind my timezone and cultural differences when reading my replies. Thank you!

zagirova
What do you mean - use Chrome? Do I need to tell this to hackers: please, use Chrome?
Still present means that there is a security department at my customer's company and they are making me fix some security issues, and XSS in all browsers is one of the issues.

nicholas
Akeeba Staff
Manager
Liza, don't get excited. Read your message again, please:
I've disable cross site scripting but it still present on Firefox.

This is kinda vague for someone who has no idea what your site is and doesn't sit in front of your computer.

What I think what you wrote means: I tried to disable the XSSShield feature, but it's still enabled. I am using Firefox. (Obviously, this is not the case)

What you (most likely) intended for this to mean: I have enabled the XSSShield feature, but I still get notifications about XSS attacks in emails and the Security Exceptions Log. (However, that's just my wild guess on what you mean and I decline to provide support based on wild guesses)

Unfortunately, I am not clairvoyant and I cannot reply to all possible interpretations of a vague support request. Can you please explain exactly what you did, what you see and what you think the problem is so that I can help you? Remember that I am neither sitting in front of your computer nor am I inside your head. Unless you explain to me well enough what the problem you want help with is, how can I possibly help you? Help me help you, please, instead of getting excited. Thank you!

Nicholas K. Dionysopoulos


zagirova
Then sorry about it.

I have a customer (the insurance company of some big bank). Annually, the security department of the bank tests all their websites and web applications. As I'm providing maintenance for one of their websites, I've got a request to deal with some insecure issues they found in my website. That's why I actually installed AdminTools. All issues were solved but not XSS in Firefox, as the security department told me in an email. It's still vulnerable in Firefox.

nicholas
Akeeba Staff
Manager
That's why I asked you to upgrade to Joomla! 1.5.26 first. You have 1.5.20. Versions 1.5.21 up to and including 1.5.26 have fixed several XSS vulnerabilities. While you are at it, please upgrade all extensions on the site: components, modules, plugins and templates (templates have code, don't forget about them). Finally, please make sure that none of your extensions is listed in a red-coloured VEL entry. The green-coloured ones have no problem, as long as you update them.

That said, cross site scripting attacks are something which has to do with the web server software, not the browser. In other words, it's not possible that your site is vulnerable to XSS when the attacker uses Browser X but not Browser Y. Please read the Wikipedia entry on XSS for some introductory information. I am really curious as to how the security department came to the conclusion that your site is vulnerable only through Firefox. This sounds like a bogus security report or a misunderstanding.

Nicholas K. Dionysopoulos

