When a new (security) release of joomla is released how do you do the update?
Do you actually look at the changes or do you blindly do an update either via ftp or using an automated "update extension"
Blindly updating your site is not good security!!!
What? Is Brian saying that we shouldn't keep our joomla sites up to date. Absolutely not.
What I am saying is that by doing an update without first checking the update to see what is being changed and how it will effect your specific site you might not actualy be securing your site and it might still be vulnerable to the issues that the update was to fix.
How can that be true. You've updated your joomla site to the very latest release, your file permissions are all good and you religiously check to make sure all your extensions are up to date as well.
The problem is in the template!!!
Well to be more accurate it is not the template but the template overrides. Template overrides (perhaps one of the greatest thing in the Joomla 1.5 series) allow you, or your template designer, to replace the "view" provided by joomla with their own "view".
And this is where the problem lies. If the Joomla team discover and fix a security issue in a "view" even if you upload it to your site if your template is overriding that "view" then you are not using the fix.
Most "template override" views that I have seen are based on the default joomla Beez template. So whilst at the time they were created they were based on the default joomla "views" they might not be any more and your site might still be vulnerable.
So how can I check
To see if your template is using any template overrides have a look in the directory where your template lives and see if there is an "html" directory. If there is then you are using some overrides. This "html" directory is where any template overrides live for your site.
If you are using template overrides then the first thing to do is to NOT do a blind update. Have a look at all the files that are in the update and see if any of them are in the beez or ja_purity html sub-directories. If there are, and there have been changes here in the last 2 releases, then we know that there have been changes in some of the joomla views.
Now look in your own template and see if you are overriding the same views. If you're not then move along and update joomla.
If you are then you will need to compare your views with the new views and see what changes you need to make to your own views.
Now you might be lucky. Many template designers just use the Beez views and you will be able to just copy the new Beez views to your own template directory. Or you might have a template that is using the set of views provided by yootheme so you can just check with yootheme for an updated set of views. Or you might have a template from one of the larger template clubs and they might/should have released an updated template.
But if you have a custom built template, or have made modifications yourself, you are going to have to check each of your views against the core views to see if any have changed and update them appropriately.
The moral of this story
The joomla team is very good at releasing updates and security releases but it is your responsibility and your responsibility alone to ensure that not only you apply the update but also that you are actually using the update.
