29 August 2011
JCE 2.0.11 released
Important Security Update
JCE 2.0.11 and JCE 184.108.40.206 have been released. Both updates include important security fixes and all users are urged to upgrade as soon as possible.
A vulnerability has been reported in JCE 2.0 and JCE 1.5 that allows a logged-in user - who has access to JCE (i.e. they can create or edit articles) and any of the Image Manager, Image Manager Extended, File Manager, Media Manager or Template Manager plugins - to view and manipulate files and folders outside of the folder assigned to these plugins.
JCE 2.0.11 and JCE 220.127.116.11 add additional security checks to fix the vulnerability. Additional checks have also been added to some functions in the Image Manager Extended and Template Manager plugins.
Recommendations for securing JCE
JCE 2.0 and JCE 1.5 include a system that allows you to control who has access to JCE plugins (such as the Image Manager) and the features of these plugins (such as delete, rename etc.). Despite the additional security checks added in this update, it is advisable to take advantage of the Profile / Group system to restrict the use of JCE to trusted users and usergroups only, and not allow arbitrary users access to filesystem plugins like the Image Manager. This can be done quickly and easily with the following steps:
In addition to the security fixes added, JCE 2.0.11 includes a number of bug fixes - see the Changelog for full details - as well as one new feature added to the Table button allowing you to quickly create a simple table by selecting a grid from a dropdown menu:
The following plugins have been updated:
JCE 2.0 and its plugins can be updated quickly and easily using the Updates dialog launched from the JCE Control Panel or JCE Installer page. JCE 2.0 and JCE 1.5 can be updated by installing the new version over the old using the Joomla! Installer - see JCE Installation.