Back to Top

Time to upgrade those Joomla! 1.5 sites again, following security update 1.5.9, released today (10th January, 2009). Need some help updating? We offer a comprehensive backup, test and deploy service to give complete piece of mind to those wishing to update. Drop us a line to find out more.

"This is a security release and users are strongly encouraged to upgrade immediately"

The Joomla Project announces the immediate availability of Joomla 1.5.9 [Vatani]. This is a security release and users are strongly encouraged to upgrade immediately.

Check the Joomla 1.5.9 Post-Release Notes to see if there are important items and helpful hints discovered after the release.


One low-level and one high-level security issue were fixed in this release:

  • High Priority: Directory Traversal. A crafted request can allow an attacker to view directory trees on the server. Note: contents of files cannot be edited or deleted, just viewed. More information »
  • Low Priority: SSL Session Token Disclosure. When running a site as SSL ONLY, if a non-SSL request is made, an attacker can obtain the session token. There is NO risk for Web sites that use both HTTP and HTTPS. More information »

For additional information, visit the Joomla Security Center.


  • Fixed Contact Page so that a blank page is not displayed when vCard is not enabled, but is selected in the Contact Parameters (10680)
  • Resolved problem with Category View Table where filter did not work when cache was enabled (10840)
  • vCard no longer displays excess spaces (11871)
  • Small change in components/com_banners/models/banner.php (12577)
  • Resolved invalid XHTML 1.0 Transitional issues introduced in 1.5.7 for the Contact form (12868)
  • Fixed problem that resulted in erroneous '404 - Contact not found' page for dropdown in Contact View (12989)
  • Fixed Contact Category URL problems (13045)
  • Fulltext Search for Uncategorized and Archived Articles is now working (13490)
  • onPrepareContent issue for non-com_content Components resulting in a warning message has been resolved (13505)
  • 'Change Contact Details' link now loads correct page (13542)
  • Contact image not displaying in front end (13643)
  • Front-end article submission no longer auto-populates, finish publishing date with same date as start publishing (13673)
  • Media Manager Javascript error: "Object doesn't support this property or method" that presented for IE has been fixed (13761)
  • Space between meta keywords no longer removed when saving Articles (13794)
  • com_installer Module View now correctly displays Author e-mail and URL (13942)
  • Robots and Author meta retained when copying Articles (13949)
  • Article Archive pagination fixed (14070)
  • Correction so that unregistered site visitors can no longer access PDF for registered Articles (14196)
  • Hits filter in Category List fixed (14390)
  • Resolved problem where "Register to read more" incorrectly redirected to Front Page, rather than Article (14392)
  • Poll error message resolved (14394)
  • Resolved problem where Category List failed to retain Column Sort preference when navigating to a different page (14398)
  • Resolved problem in Category List where changing Display # to All in page 2 of list would display no results (12932)
  • Category List now correctly shows filtering option in use (14402)
  • Corrected 404 error that resulted when menu access was set to Public and Contact Item is Registered (14412)


  • New modules can now be added, even when there are no modules entries already defined (11874)
  • Inconsistency removed for Login/Logout Redirection page of mod_login (13611)
  • JMenu getMenu() doc error corrected (13617)
  • Archive Module Count Parameter and Tool Tip corrections (13694)
  • STRPOS error corrected when editing Alias Menu Item (13909)
  • Toolbar Image now points to an existing image (14171)


  • OpenID upgraded to 2.0 protocol, now works with Yahoo (12217)
  • plgSystemCache plugin now respect site and page language (12115)
  • Page string in plugins/content/pagebreak.php is now properly externalized (12730)
  • Legacy Plugin - Login Timeout resolved (13662)
  • Access level for Plugins fixed (14106)
  • Fixed OpenID Transition issues (14433)


  • No issues fixed for this release


  • RTL feeds PARAM is now saved in database which corrects RTL feeds in Milkyway and Beez (11235)
  • CSS and XHTML valid error in JA_Purity resolved, as was invalid CSS validator link (12887)
  • JA_Purity default status for Modules defined for right position now collapse correctly, when unused (12925)
  • Fixed CSS errors in rhuk_milkyway/css/template_rtl.css (13517)
  • Missing H1 text-align in rhuk_milkyway/css/template_rtl.css fixed (13570)
  • Beez template override for com_search now displays error messages correctly (13584)
  • Corrected Last Updated date for Beez Template (13632)
  • Resolved inconsistencies for Beez Template Override Page Titles (13634)
  • Contact image changes for Beez override (13700)
  • Incorrect File Reference corrected for Beez Template (13859)
  • Short PHP Notation in Beez Windows hosting bug introduced in 12798 has been fixed (14313)
  • en-GB.com_statistics.ini are now correctly deleted (14391)
  • Removed unnecessary string in JA_Purity template (14414)
  • Removed unnecessary strings in rhuk_Milkyway template (14415)


  • Language INI files that were incorrectly encoded using UTF-8 with BOM have been fixed (13499)
  • Untranslated strings in en-GB.ini after SVN 11236 are fixed (13514)
  • Fixed untranslated strings in com_weblinks (13608)
  • Fixed untranslated strings in com_contact (13626)
  • Fixed untranslated Strings in admin/mod_feed (13666)
  • Spacer values are now translatable (14308)
  • Fixed issue with JA_Purity spacer so that it is now translatable (14360)
  • Resolved remaining English string hard-coded in mod_search (14374)
  • String missing in en-GB.com_installer.ini (14389)
  • Resolved untranslated language string for "Email a Friend" feature (14395)
  • Tooltip language string in com_config corrected (13633)


  • Added better tooltip text for the Help Server Reset button in Global Configuration System Settings (12023)
  • Toolbar & value fixed for Media Manager button (12841)
  • JInstallerHelper Class Function description has been corrected (13574)
  • Help screens made (13616)
  • Remove default filter for Super Admininistrator and fix filter whitelist problem (13770)
  • Corrected error where Editor deleted content for default filter; UTF-8 compatibility is now enforced with JInputFilter (13901)
  • Removed old links (14227)


  • query_batch corrected for SQL error (12247)
  • uri.php changes made in 1.5.7 no longer break back-end URLs if $live_site=Http has an uppercase H (12812)
  • JFolder::delete bug fixed when folder contain symbolic links on folders (12939)
  • Typo in sample_data.sql resolved (13549)
  • License correction for PHPMailer in CREDITS.php (13811)
  • Fixed error that resulted from invoking JDatabase::Query() more than once (13860)
  • Cache space is now correctly released (14317)
  • String bug for strspn() resolved (14339)
  • Weird characters removed from LICENSES.php file (14408)
  • Removed outdated link in the installer language file (14410)
  • Fixed typo in Cache Manager (14434)
  • Updated Archive_Tar to relicensed BSD version (12746)