Security, PHP 4 and 1.5.7
 
 
The God Father
21-09-2008, 04:02 AM
 
Version 1.5.7 introduced a number of security improvements. Because of the nature of the issues, the patches were not introduced into SVN until shortly before release so they only had a few hours of JBS testing. Introducing them earlier would have given the bad guys information about the vulnerabilities and the time gap between introduction and release would have given them opportunity to attack many sites. (This is the reason we also ask people not to post vulnerabilities in the forums, but rather to visit the security center and send them to the JSST privately.)

One of the fixes addressed issues when there is a redirect. A new JURI method, isInternal($url), was created to address this issue. This fix made changes to the controllers for user, content, polls and mailto so that they use the new method when redirecting. This fix relies on a function that is only available in PHP 5, not PHP 4. As a result you may see problems with content submission, login, mailto, and polls if you have PHP 4.

If you have a PHP 4 site we urge you to update to PHP 5. If for some reason you can't, add this to the end of /libraries/joomla/utilities/compat/php50x.php:

    // PHP 4 fallback: case-insensitive strpos(), built in from PHP 5 onwards
    if (!function_exists('stripos')) {
        function stripos($haystack, $needle, $offset = 0) {
            return strpos(strtolower($haystack), strtolower($needle), $offset);
        }
    }

This fix will be applied in the normal release of 1.5.8.
However, an even better solution if you care about security is to upgrade to PHP 5. I have sites on a number of hosts and some were extremely slow or made it difficult to get PHP 5, but since the end of life on August 8, they have all come around. Usually you can just submit a help ticket and the host will take care of it or tell you what to do. Since PHP 4 is no longer going to have security releases, if you want to protect your site you must switch to PHP 5; don't wait for a vulnerability in PHP 4 to be discovered. As we saw with the Joomla vulnerability fixed in 1.5.6, even if a threat is fixed in just a few hours, that is plenty of time for script kiddies to hack hundreds of sites. In PHP 4's case a responsible host would not apply an unofficial patch. Who knows, maybe it would get them finally to upgrade? But in the meantime, your site would be vulnerable. So submit that support ticket today.
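The kind of check the post describes, a test that a redirect target stays on the site using a case-insensitive prefix comparison via stripos(), can be sketched as follows. This is an added example, not part of the original post and not Joomla's JURI::isInternal() source; the function name is_internal_url() and the example.org URLs are assumptions made for illustration.

```php
<?php
// Added illustration; not Joomla's JURI::isInternal() source.
// is_internal_url() and the example.org URLs are hypothetical/constructed.

// Fallback from the post, for PHP 4 where stripos() is missing.
if (!function_exists('stripos')) {
    function stripos($haystack, $needle, $offset = 0) {
        return strpos(strtolower($haystack), strtolower($needle), $offset);
    }
}

// True when $url is relative to the site or begins with the site's base URL.
function is_internal_url($url, $siteBase)
{
    $url = trim($url);
    // Empty input, control characters and backslashes are never accepted.
    if ($url === '' || preg_match('/[\x00-\x1f\\\\]/', $url)) {
        return false;
    }
    // Protocol-relative targets ("//host/path") point at another host.
    if (substr($url, 0, 2) === '//') {
        return false;
    }
    $parts = parse_url($url);
    if ($parts === false) {
        return false;
    }
    // No scheme and no host: a path on this site.
    if (!isset($parts['scheme']) && !isset($parts['host'])) {
        return true;
    }
    // Absolute URL: compare against the base with a trailing slash so that
    // a look-alike host such as example.org.evil.test does not match.
    $base = rtrim($siteBase, '/') . '/';
    return stripos($url, $base) === 0;
}

$base = 'http://example.org/joomla/';
$samples = array(
    'index.php?option=com_user&view=login',   // relative: internal
    'HTTP://EXAMPLE.ORG/joomla/index.php',    // case differs: internal
    'http://example.org.evil.test/joomla/',   // look-alike host: external
    '//evil.test/joomla/',                    // protocol-relative: external
);
foreach ($samples as $u) {
    echo (is_internal_url($u, $base) ? 'internal' : 'external'), "  $u\n";
}
```

On PHP 4 without the fallback, the stripos() call is a fatal "undefined function" error, which matches the broken login, content submission, mailto and polls behaviour the post reports.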