Joomla Security Release 3.6.5 and Patch for joomla 2.5.28

Written by Max Milbers on .

There is a security problem in the JUser model. Please update as soon as possible.

Joomla 2.5.x is not anylonger supported by the Joomla project, but we know that a lot people still use joomla 2.5. with VirtueMart. As promised, we provide a fix (Direct link).

This patch is just the one for j2.5.28 of last year extended by the new files. Update your joomal 2.5.x at least to the last version j2.5.28.

It is normal that an unpatched j2.5.28 logs you out. The patch should be still applied. 


#2 Evan025 2016-12-20 16:13
Thank you.

Could you please provide a link to the discussion regarding this unofficial patch?

I would like to track down (and maybe report) any problems or future revisions.
Report to administrator
#1 Simon C 2016-12-20 10:56
//Info by mod: this comments topic relates to Joomla 3.6.x, follow comments in git below

It's worth noting that there is a nasty regression bug in this patch that affects any site using plugins that modify the fields on the registration form (including the User Profile plugin that comes with Joomla).

If you're using any of these plugins, installing this patch will break your user registration form.

There is a simple fix, but you'll need to edit the Joomla core to do it. This fix will be merged in with the next release, but if you want to use this security patch in the meanwhile you'll have to do it yourself for now.

More info, including details of the code change required can be found here:


If you're not using any user profile plugins, then you won't have any problems, but I know a lot of sites are using them.

Also note that for all of the above, I am only aware of the problem in Joomla 3.x. If you're still on 2.5, you should test it for yourself. If it is a problem, I assume the fix will be similar, but please test it for yourself.
Report to administrator

Add comment

Security code