Need help with Joomla? We are available for hire to help with Joomla customization, upgrades, maintenance, and custom development.
Explore our services [15-July-2026] Events Booking version 5.8.0 - Security Release
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
Less
More
10 hours 39 minutes ago - 4 hours 33 minutes ago #178977
by Tuan Pham Ngoc
[15-July-2026] Events Booking version 5.8.0 - Security Release was created by Tuan Pham Ngoc
Dear customers !
I’m happy to announce the release of Events Booking version 5.8.0! This release address two medium security issues found in the earlier versions:
1. Missing permission check result in leaking data
- This missing permission check allow un-authenticated users to get data from any Joomla user (Name, Email) base on the given User ID. The necessary check has been added to prevent this.
2. Missing CSRF token check on upload file
- The extension has an end point to allow registrants to upload file during registrations using ajax upload. The code in previous release does not have CSRF token check, this is now added to enhance security. Further more, I also added .htaccess to prevent direct access to files into this folder, just in case admin allows uploading php files by mistake. Also, addition check has been added so that if you do not use File custom field types, the upload end point will be disabled to prevent attackers from uploading files (to abuse server quota for some reasons).
- Additional checks below are implemented to prevent mass uploads attack (assume your site is on target of attack):
+ Reject unsafe files (files with unsafe file extensions, files contain code) for older Joomla version to make it works in the same way with security improvements implement in Joomla 6.1.2 File::upload method
+ Max Files Per Session: Limit maximum number of files which can be uploaded per session. By default, I set it to 100, you can change it in Events Booking -> Configuration if needed
+ Max Files Per Minutes: Limit maximum number of files which can be be uploaded per minutes. By default, I set it to 20. You can adjust it to a smaller value like 5 or 10 if needed.
+ Upload Folder Size Limit: If you worry that too many files can be uploaded which makes your hosting space becomes full, you can limit it to something like 1024MB (mean 1GB), or smaller size
+ Max Files In Upload Folder: If you worry that too many files can be uploaded, you can limit total number of files can be uploaded for your site via upload field types in Events Booking. For example, set it to 5000 files.
Please update your site to this latest version of Events Booking to have the two issues fixed and more secure. We sincerely apologize for any inconvenience this may cause and appreciate your prompt attention to this matter.
I also would like to take this chance to thanks Phil from mysites.guru/ for reporting the issues to us this afternoon, and discussing further about the second issue via email. Also, thanks David from JSST for joining the discussion, too.
Regards,
Tuan
I’m happy to announce the release of Events Booking version 5.8.0! This release address two medium security issues found in the earlier versions:
1. Missing permission check result in leaking data
- This missing permission check allow un-authenticated users to get data from any Joomla user (Name, Email) base on the given User ID. The necessary check has been added to prevent this.
2. Missing CSRF token check on upload file
- The extension has an end point to allow registrants to upload file during registrations using ajax upload. The code in previous release does not have CSRF token check, this is now added to enhance security. Further more, I also added .htaccess to prevent direct access to files into this folder, just in case admin allows uploading php files by mistake. Also, addition check has been added so that if you do not use File custom field types, the upload end point will be disabled to prevent attackers from uploading files (to abuse server quota for some reasons).
- Additional checks below are implemented to prevent mass uploads attack (assume your site is on target of attack):
+ Reject unsafe files (files with unsafe file extensions, files contain code) for older Joomla version to make it works in the same way with security improvements implement in Joomla 6.1.2 File::upload method
+ Max Files Per Session: Limit maximum number of files which can be uploaded per session. By default, I set it to 100, you can change it in Events Booking -> Configuration if needed
+ Max Files Per Minutes: Limit maximum number of files which can be be uploaded per minutes. By default, I set it to 20. You can adjust it to a smaller value like 5 or 10 if needed.
+ Upload Folder Size Limit: If you worry that too many files can be uploaded which makes your hosting space becomes full, you can limit it to something like 1024MB (mean 1GB), or smaller size
+ Max Files In Upload Folder: If you worry that too many files can be uploaded, you can limit total number of files can be uploaded for your site via upload field types in Events Booking. For example, set it to 5000 files.
Please update your site to this latest version of Events Booking to have the two issues fixed and more secure. We sincerely apologize for any inconvenience this may cause and appreciate your prompt attention to this matter.
I also would like to take this chance to thanks Phil from mysites.guru/ for reporting the issues to us this afternoon, and discussing further about the second issue via email. Also, thanks David from JSST for joining the discussion, too.
Regards,
Tuan
Last edit: 4 hours 33 minutes ago by Tuan Pham Ngoc.
Please Log in or Create an account to join the conversation.
- Eric vanBok
- Offline
- Premium Member
-
Less
More
- Posts: 84
- Thank you received: 8
7 hours 39 minutes ago #178978
by Eric vanBok
Replied by Eric vanBok on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Hello.
This update does not appear to fix the issues. Please look into this further so you can supply a proper fix. Thank you.
Eric
This update does not appear to fix the issues. Please look into this further so you can supply a proper fix. Thank you.
Eric
Please Log in or Create an account to join the conversation.
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
7 hours 28 minutes ago #178979
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Hi Eric
Could you please submit a support ticket provide me further information about this and we will discuss further about it.
Regards,
Tuan
Could you please submit a support ticket provide me further information about this and we will discuss further about it.
Regards,
Tuan
Please Log in or Create an account to join the conversation.
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
7 hours 26 minutes ago #178980
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
BTW, the current implementation is quite safe. But since the upload file is open for public users to upload files during their registration, if someone uses it to upload multiple files, there is no way for the system to prevent that. That is the same for any public forms which allow public users to upload files
Regards,
Tuan
Regards,
Tuan
Please Log in or Create an account to join the conversation.
- Tuan Pham Ngoc
- Topic Author
- Offline
- Administrator
-
4 hours 31 minutes ago #178987
by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic [15-July-2026] Events Booking version 5.8.0 - Security Release
Just want to update that some additional checks were added to make field upload more secure (just in case someone uses upload end point to attack your site by mass upload), so if you updated Events Booking before 16:10pm, 15 July 2026, you might want to download latest package and update it to your site again
Regards,
Tuan
Regards,
Tuan
Please Log in or Create an account to join the conversation.
Support
Documentation
Information
Copyright © 2026 Joomla Extensions by Joomdonation. All Rights Reserved.
joomdonation.com is not affiliated with or endorsed by the Joomla! Project or Open Source Matters.
The Joomla! name and logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.
The Joomla! name and logo is used under a limited license granted by Open Source Matters the trademark holder in the United States and other countries.