Version 1.5.7 introduced a number of security improvements. Because of the nature of the issues, the patches were not introduced into SVN until shortly before release, so they only had a few hours of JBS testing. Introducing them earlier would have given the bad guys information about the vulnerabilities, and the time gap between introduction and release would have given them an opportunity to attack many sites. (This is also the reason we ask people not to post vulnerabilities in the forums, but rather to visit the security center and send them to the JSST privately.)
One of the fixes addressed issues when there is a redirect. A new JURI method, isInternal($url), was created to address this issue. This fix made changes to the controllers for user, content, polls and mailto so that they use the new method when redirecting. This fix relies on a function, stripos(), that is only available in PHP 5, not PHP 4. As a result you may see problems with content submission, login, mailto, and polls if you have PHP 4.
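One way to write the kind of redirect-target check described above, as an added example that is not Joomla's JURI::isInternal() code. The function names, the base URL, the fallback page and the sample inputs are assumptions made for illustration, and the code targets PHP 7 or later.

```php
<?php
// Added illustration, not Joomla's JURI code. Function names, the base URL
// and the sample inputs are constructed for this example (PHP 7+).

function is_internal_url(string $url, string $siteBase): bool
{
    // Backslashes, spaces and control characters can be normalised by browsers
    // into a different URL than the one validated here.
    if (preg_match('/[\x00-\x20\\\\]/', $url)) {
        return false;
    }
    $target = parse_url($url);
    $base   = parse_url($siteBase);
    if ($target === false || $base === false || isset($target['user'])) {
        return false;
    }
    // Neither scheme nor host: a site-relative path or query string.
    if (!isset($target['scheme']) && !isset($target['host'])) {
        return true;
    }
    // Absolute or protocol-relative ("//host/...") URL: every component that
    // selects the destination must match the site's own base URL.
    $scheme = strtolower($target['scheme'] ?? $base['scheme']);
    $path   = $target['path'] ?? '/';
    return $scheme === strtolower($base['scheme'])
        && isset($target['host'])
        && strcasecmp($target['host'], $base['host']) === 0
        && ($target['port'] ?? null) === ($base['port'] ?? null)
        && strncmp($path, $base['path'] ?? '/', strlen($base['path'] ?? '/')) === 0;
}

// What a controller would call before redirecting: fall back to a fixed page.
function safe_redirect_target(string $url, string $siteBase, string $fallback = 'index.php'): string
{
    return is_internal_url($url, $siteBase) ? $url : $fallback;
}

$base = 'http://www.example.org/joomla/';           // constructed site base
$samples = array(                                   // constructed inputs
    'index.php?option=com_user&view=login',         // relative URL
    'HTTP://WWW.EXAMPLE.ORG/joomla/index.php',      // same site, mixed case
    'http://www.example.org.attacker.test/joomla/', // look-alike host
    '//attacker.test/joomla/',                      // protocol-relative URL
    'javascript:void(0)',                           // non-HTTP scheme
);
foreach ($samples as $s) {
    echo str_pad($s, 48), ' => ', safe_redirect_target($s, $base), PHP_EOL;
}
```

The host comparison is case-insensitive and the path comparison is case-sensitive; a target that fails any check is replaced by the fallback rather than followed.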
If you have a PHP 4 site we urge you to update to PHP 5. If for some reason you can't, add this to the end of /libraries/joomla/utilities/compat/php50x.php:

    // PHP 4 fallback: stripos() is built in only from PHP 5.
    if (!function_exists('stripos')) {
        function stripos($haystack, $needle, $offset = 0) {
            return strpos(strtolower($haystack), strtolower($needle), $offset);
        }
    }

This fix will be applied in the normal release of 1.5.8.
However, an even better solution if you care about security is to upgrade to PHP 5. I have sites on a number of hosts and some were extremely slow or made it difficult to get PHP 5, but since the end of life on August 8, they have all come around. Usually you can just submit a help ticket and the host will take care of it or tell you what to do. Since PHP 4 is no longer going to have security releases, if you want to protect your site you must switch to PHP 5; don't wait for a vulnerability in PHP 4 to be discovered. As we saw with the Joomla vulnerability fixed in 1.5.6, even if a threat is fixed in just a few hours, that is plenty of time for script kiddies to hack hundreds of sites. In PHP 4's case a responsible host would not apply an unofficial patch. Who knows, maybe it would get them finally to upgrade? But in the meantime, your site would be vulnerable. So submit that support ticket today.