JoomCCK v6.2.2
New version hardening JoomCCK against potential security issues
Download Extended Version:
https://www.joomcoder.com/joomla-extensions/9-components/24-joomcck
Changes in Free version
- Convert 40+ raw SQL queries to Joomla QueryBuilder with proper quoting ($db->quote(), quoteName(), (int) casting, ArrayHelper::toInteger) across controllers (ajax, cat, items, import, files), models (pack, tfield), tables (record), fields (datetime, textarea, joomcckrelate), and views
- Path traversal: Add realpath() validation in ajax controller icons() and loadfieldparams() to prevent directory listing outside JPATH_ROOT
- File upload hardening: Add CSRF tokens, auth checks, dangerous extension blocklist, and MIME validation to upload() and mooupload() in files controller; add extension whitelist to usercategory image upload
- Access control: Add ACL checks to download() and download_attach() in files controller; add CSRF + permission checks to items bulk operations
- XSS prevention: Set Content-Type: application/json on AJAX responses, escape user input in error messages, sanitize Content-Disposition filenames
- Input validation: Whitelist ORDER BY columns and table names in dynamic queries, whitelist column names in users_filter, sanitize field_type input
- Cleanup: Remove var_dump debug statements, replace direct $_POST/$_REQUEST access with Joomla input API, fix double-execute bug in notifications
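The following is an added example, not JoomCCK's own code, of the realpath() containment check described above for the ajax controller icons() and loadfieldparams() paths, together with the explicit JSON Content-Type on the response. It only assumes the standard Joomla JPATH_ROOT constant (defined to a temp directory here so the snippet runs outside Joomla); the directory names and file patterns are placeholders.

```php
<?php
// Added example (not JoomCCK code): reject any user-supplied path that does not
// resolve to a location underneath JPATH_ROOT before listing it.
// JPATH_ROOT is Joomla's site-root constant; defining it here is only so the
// snippet runs stand-alone (assumption for the example).
defined('JPATH_ROOT') || define('JPATH_ROOT', sys_get_temp_dir() . '/jsite');

/**
 * Resolve $userPath relative to $base and return the canonical absolute path,
 * or null if it does not exist or escapes $base. realpath() collapses "..",
 * "." and symlinks, so the prefix comparison is done on canonical forms only.
 */
function resolveInsideRoot(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($baseReal === false || $target === false) {
        return null; // base missing or target does not exist
    }
    // $target must be $base itself or live beneath it; comparing against
    // "$base/" (with separator) stops "/var/www/site2" matching base "/var/www/site".
    if ($target !== $baseReal
        && strncmp($target, $baseReal . DIRECTORY_SEPARATOR, strlen($baseReal) + 1) !== 0) {
        return null;
    }
    return $target;
}

/** Lists icon file basenames under JPATH_ROOT/<userPath>, or null if the path is rejected. */
function listIcons(string $userPath): ?array
{
    $dir = resolveInsideRoot(JPATH_ROOT, $userPath);
    if ($dir === null || !is_dir($dir)) {
        return null;
    }
    $files = [];
    foreach (scandir($dir) as $name) {
        if (preg_match('/\.(png|svg|gif|jpe?g)$/i', $name)
            && is_file($dir . DIRECTORY_SEPARATOR . $name)) {
            $files[] = $name;
        }
    }
    return $files;
}

/** AJAX reply: explicit JSON content type so the browser never sniffs it as HTML. */
function respondJson(?array $files): void
{
    header('Content-Type: application/json; charset=utf-8');
    echo json_encode($files === null ? ['error' => 'Invalid path'] : ['files' => $files]);
}

// Constructed demo tree: an icon inside the root and a file outside it.
@mkdir(JPATH_ROOT . '/images/icons', 0777, true);
file_put_contents(JPATH_ROOT . '/images/icons/ok.png', 'png');
@mkdir(dirname(JPATH_ROOT) . '/outside', 0777, true);
file_put_contents(dirname(JPATH_ROOT) . '/outside/secret.png', 'x');

respondJson(listIcons('images/icons'));                  // {"files":["ok.png"]}
respondJson(listIcons('images/icons/../../../outside')); // {"error":"Invalid path"}: escapes JPATH_ROOT
respondJson(listIcons('/etc'));                          // {"error":"Invalid path"}: does not resolve under the root
```

Because realpath() follows symlinks, a symlink inside the web root that points outside it is rejected as well; if the site legitimately relies on such links, the allowed targets have to be whitelisted explicitly rather than by prefix.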
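As an added illustration of the QueryBuilder conversion and the ORDER BY whitelisting listed above (not code from the JoomCCK release), here is one list query in its string-built form next to the hardened form. It assumes a Joomla 3/4 runtime (Factory::getDbo(), the DatabaseDriver quote()/quoteName()/getQuery() API and Joomla\Utilities\ArrayHelper); the table name #__joomcck_records and its columns are placeholders.

```php
<?php
// Added example (not JoomCCK code): the same query before and after hardening.
use Joomla\CMS\Factory;
use Joomla\Utilities\ArrayHelper;

/** BEFORE: every argument is concatenated into the SQL text unquoted. */
function loadRecordsUnsafe(array $ids, string $search, string $orderCol, string $orderDir): array
{
    $db  = Factory::getDbo();
    $sql = "SELECT id, title FROM #__joomcck_records"
         . " WHERE id IN (" . implode(',', $ids) . ")"      // ids: "1) OR 1=1 --"
         . " AND title LIKE '%" . $search . "%'"            // search: "' UNION SELECT ..."
         . " ORDER BY " . $orderCol . " " . $orderDir;      // column/direction: arbitrary SQL
    return $db->setQuery($sql)->loadObjectList();
}

/** Columns a caller is allowed to sort by; anything else falls back to 'id'. */
const ORDER_COLUMNS = ['id', 'title', 'created', 'ordering'];

/** AFTER: integer-cast ids, quoted search term, whitelisted ORDER BY. */
function loadRecordsSafe(array $ids, string $search, string $orderCol, string $orderDir): array
{
    $db  = Factory::getDbo();
    $ids = ArrayHelper::toInteger($ids);     // every element is now an int, so IN (...) is safe
    if ($ids === []) {
        return [];                           // avoid the invalid "IN ()" and a needless round trip
    }
    $col = in_array($orderCol, ORDER_COLUMNS, true) ? $orderCol : 'id';
    $dir = strtoupper($orderDir) === 'DESC' ? 'DESC' : 'ASC';

    $query = $db->getQuery(true)
        ->select($db->quoteName(['id', 'title']))
        ->from($db->quoteName('#__joomcck_records'))
        ->where($db->quoteName('id') . ' IN (' . implode(',', $ids) . ')')
        ->where($db->quoteName('title') . ' LIKE ' . $db->quote('%' . $search . '%'))
        ->order($db->quoteName($col) . ' ' . $dir);   // identifier quoted, direction from a fixed set

    return $db->setQuery($query)->loadObjectList();
}

// Example call with hostile inputs: the ids collapse to [1, 0], the search term is
// quoted, and the sort falls back to "id ASC" because "title; DROP" is not whitelisted.
$rows = loadRecordsSafe(['1', '0) OR 1=1 --'], "' OR '1'='1", 'title; DROP', 'sideways');
```

Identifiers (table and column names) cannot be bound as values, which is why they must come from a whitelist and then go through quoteName(); quote() is only for data.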
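The upload hardening bullet above lists four checks (CSRF token, authorisation, extension blocklist, MIME validation). The added example below, which is not the JoomCCK implementation, shows them in the order a handler should apply them. It assumes Joomla 4 APIs (Session::checkToken(), CMSApplication::getIdentity(), $input->files, Joomla\CMS\Filesystem\File); the 'core.create' action on 'com_joomcck', the blocklist contents and the destination folder are assumptions for the example.

```php
<?php
// Added example (not JoomCCK code): validation gate for an upload() action.
use Joomla\CMS\Factory;
use Joomla\CMS\Filesystem\File;
use Joomla\CMS\Session\Session;

// Extensions the web server or PHP might execute; the list is an assumption.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'php7', 'phtml', 'phps', 'phar',
                            'pht', 'shtml', 'htaccess', 'cgi', 'pl', 'py', 'sh', 'exe'];
// Content types we accept, mapped to the extension the stored file will get.
const ALLOWED_MIME = ['image/png' => 'png', 'image/jpeg' => 'jpg',
                      'image/gif' => 'gif', 'application/pdf' => 'pdf'];

/** Returns an error message, or null when the file may be stored. $mime is set on success. */
function validateUpload(array $file, ?string &$mime): ?string
{
    if (!isset($file['tmp_name'], $file['name'], $file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'Upload failed';
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'Not an uploaded file';
    }
    // Check every extension segment, not only the last one: "shell.php.png"
    // still ends up executable on servers configured for multi-extension matching.
    foreach (array_slice(explode('.', strtolower(basename($file['name']))), 1) as $ext) {
        if (in_array($ext, BLOCKED_EXTENSIONS, true)) {
            return 'File type not allowed';
        }
    }
    // Derive the MIME type from the bytes, never from the client-supplied $file['type'].
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']) ?: '';
    if (!isset(ALLOWED_MIME[$mime])) {
        return 'Unsupported content type';
    }
    return null;
}

/** The controller action: token, then permission, then content checks, then move. */
function upload(): void
{
    $app = Factory::getApplication();
    header('Content-Type: application/json; charset=utf-8');

    if (!Session::checkToken('post')) {                      // CSRF token from the form
        echo json_encode(['error' => 'Invalid token']);
        return;
    }
    $user = $app->getIdentity();
    if ($user === null || $user->guest || !$user->authorise('core.create', 'com_joomcck')) {
        echo json_encode(['error' => 'Not authorised']);     // auth check before touching the file
        return;
    }

    $file = $app->input->files->get('file', [], 'array');
    $mime = null;
    if (($error = validateUpload($file, $mime)) !== null) {
        echo json_encode(['error' => $error]);               // fixed strings, so nothing user-controlled is echoed
        return;
    }

    // Store under a server-chosen name with the extension implied by the detected MIME type.
    $name = bin2hex(random_bytes(8)) . '.' . ALLOWED_MIME[$mime];
    $dest = JPATH_ROOT . '/images/joomcck/' . $name;         // destination folder is an assumption
    if (!File::upload($file['tmp_name'], $dest)) {
        echo json_encode(['error' => 'Could not store file']);
        return;
    }
    echo json_encode(['file' => $name]);
}
```

Renaming to a random basename also sidesteps the Content-Disposition problem on the download side: the name served back is one the server generated, and the original client-supplied name need never reach a header.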
Changes in Extended version
- No changes