> Did you really test a code base that is a version of an old Joomla base No
> or did you look at the code, and test old Joomla bugs against it? No The XSS results are from purely blackbox scan on Mambo 4.6.5. Joomla (Joomla! 1.0.0) was released on September 16, 2005. It was a re-branded release of Mambo 4.5.2.3 which, itself, was combined with other bug and moderate-level security fixes. >From that statement, it can be assumed that the code bases of Mambo 4.5.2.4 and higher are different from those of Joomla! 1.1 and higher. As you can say so, we may sync old Joomla! 1.x bugs in Mambo 4.6.x. But it may be time-consuming to analyze the code changes and validity of bugs in each version of both CMS. https://secure.wikimedia.org/wikipedia/en/wiki/Joomla http://www.joomla.org/announcements/general-news/154-introducing-joomla-10.html > I thought these were found in Joomla ages ago? > No. > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/