
The Loop!

Tagged in: Update, Security, Joomla
JB Vanover
Posted by: JB Vanover in Technology Comment (0)

Oh 1.5.13, how will we remember thee - not only was it released a scant 3 weeks after the last one, it also breaks the media manager. Gee, I never really use the picture part of my web sites anyway.

So now I have to unzip, upload and patch all my sites just to get the security update to stop breaking them.

Quick note to Joomla folks - love you, yes I do, but think about us schlemiels actually using Joomla for clients - small biz cannot afford the time it takes to participate in the great experiment. I.e., how about a stable Joomla for people whose business depends on Joomla, and an experimental one for the latest and greatest: (link updated)

http://docs.joomla.org/What_happend_to_the_Media_Manager?

Tagged in: joomla security updates
JB Vanover
Posted by: JB Vanover in Technology Comment (1)

Is anybody else annoyed at the frequency of these security updates? Especially for us manual laborers, it's a little much, yes?

And for those who use template overrides, another issue to deal with re security updates:

http://brian.teeman.net/joomla-gps/automatic-joomla-updates.html

This is a time and cost issue for small biz using Joomla and frankly in my opinion is bordering on painindabutt territory -

I know upgrading a CMS is not as easy as updating, say, an FTP program, but automating Joomla security updates as much as possible and/or getting updates down to, say, 6 a year, I think, is going to be an important cost and time issue going forward.

Oh, and now all my sites' backups are technically not up to date. I'm about to dig in to Joomlapack native tools, which purportedly will automate and solve this issue (link below), but the good folks at Joomla need to get a handle on the variety of consequences Joomla security updates have on us humps out hustling da joomlaz on the street.

 http://joomlapack.net/news/releases/native-tools-2009-3.html

 


Tagged in: Security, Joomla, extensions
JB Vanover
Posted by: JB Vanover in Technology Comment (0)

Jeff Channell is a web guy who I've seen time and time again volunteer his time on the Joomla security forum. He has found several Joomla extensions with XSS vulnerability exploits. He was kind enough to answer some questions about what it is and how Joomla site managers can best defend against it:

 




 

Tagged in: vulnerabilities, Security, Joomla
JB Vanover
Posted by: JB Vanover in Technology Comment (2)

The way I really learned (and keep learning) about Joomla security was to start reading the security forum every morning:

http://forum.joomla.org/viewforum.php?f=432

If the tales of woe wept within do not spark your security urge, nothing will.

Action Item #1: A web guy from WV (Jeff Channell) frequently helps people out within the forum, and recently posted that he has found 9 Joomla extensions with XSS vulnerabilities. He was kind enough to answer some questions about this issue and what to do about it; I will post the Q&A separately. Here is the XSS vulnerability security forum post:

http://forum.joomla.org/viewtopic.php?f=432&t=420895

Action Item #2: Recently in my inbox I received an email blast from Phil Taylor, subject: 'not up to date' Joomla sites are being hacked by automated hacking bots at an alarming rate. Conclusion - make sure to keep Joomla installations up to date and, of course, only download Joomla from the official Joomla site:

http://www.joomla.org/announcements/release-news/5242-joomla-1512-released.html

Resources: For Joomla security beginners (aren't we all), Joomla provides a solid commonsense checklist:

http://docs.joomla.org/Category:Security_Checklist

For the advanced player, or if you just want to be scared, very scared, I like Tom Canavan's Joomla security book. Additionally, for those interested generally in network and computer security as a career, you will get a ton of great tools and tips from this book:

http://www.amazon.com/Joomla-Web-Security-Tom-Canavan/dp/1847194885

