Joomla CSRF vulnerability


Postby GreyHead on Mon Jan 07, 2008 10:27 pm

Hi all,

There have been recent security updates to Joomla 1.5 and to Joomla 1.0.13SVN to protect against Cross-Site Request Forgery. As I understand the problem, this vulnerability means that if you have a site admin session open it is possible for someone to grab your session and act as an admin on your site. This isn't simple and the exploit isn't common - but may become so. Because using ChronoForms may encourage you to keep your admin session open for longer, you need to take care.

The best protection is to update to the latest release of Joomla 1.5 or the latest SVN version of Joomla 1.0.13 (a new release is expected in the next few weeks). These have spoof-check functions built into the core code.

If you can't upgrade and your site remains vulnerable then Phil Taylor has made the following recommendations:
  • ALWAYS click LOGOUT in Joomla Admin when you finish
  • NEVER browse other websites while logged in to Joomla Admin
  • If you allow users to upload/modify your site through any third party component then don’t browse, or limit your surfing of, your own site while logged in to Joomla Admin
  • NEVER click on links to “Upgrade this component” in 3rd Party Components
  • NEVER browse forums while logged into Joomla Admin
Phil has also suggested that a secure workaround is to access your site admin using the Mozilla Prism desktop application. This means that your admin session is never available on the web through your browser.

Bob

PS: ChronoForms' current releases (like most other extensions) do not include the admin spoof-check functions that are in the current core code. I'm hoping that Max will add them for the next releases.
Bob Janes
info at greyhead.net
ChronoForms Support If you like ChronoForms please vote or post a review at Joomla.org
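
The "spoof check" the post refers to is a per-session anti-CSRF token: the form carries a secret value that only a page served to the logged-in admin can know, and the request handler refuses to act unless that value comes back. The following is an added example, not code from this post and not Joomla's or ChronoForms' own implementation (as far as I recall the core calls are `JHTML::_('form.token')` / `JRequest::checkToken()` in Joomla 1.5 and `josSpoofValue()` / `josSpoofCheck()` in 1.0.13+; check the source of the release you run). It assumes PHP 7 or later (`random_bytes`, `hash_equals`), that `session_start()` has already been called, and uses a hypothetical hidden-field name `_csrf`.

```php
<?php
// Added example (not code from the forum post, Joomla or ChronoForms):
// a minimal per-session anti-CSRF token of the kind the core
// "spoof check" functions provide. Assumes PHP 7+ and an active session.

// Return this session's CSRF token, generating it on first use.
// The token lives only in the server-side session and in pages served
// to this user, so a third-party site cannot learn it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden input to embed in every admin form (or link) that changes state.
// Field name "_csrf" is an assumption of this example.
function csrf_field(): string
{
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="_csrf" value="' . $token . '" />';
}

// Validate the token on a state-changing request. A forged request from
// another site is sent with the victim's cookies (so the session is
// valid) but cannot include the token, so it fails here.
// hash_equals() compares in constant time.
function csrf_check(array $request): bool
{
    $sent = $request['_csrf'] ?? '';
    if (!is_string($sent) || $sent === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $sent);
}

// Usage in an admin task handler. State-changing actions should also
// be restricted to POST so a plain <img src=...> or link cannot trigger them.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_check($_POST)) {
        header('HTTP/1.1 403 Forbidden');
        exit('Invalid token');
    }
    // ... perform the admin action here ...
}

// Rendering the form: echo csrf_field() inside the <form> element.
```

Two points worth noting for extension authors: the check has to run on every handler that modifies data, including "Upgrade this component" style links the post warns about (those need the token appended as a query parameter and checked the same way), and the token must be bound to the session, not to a fixed secret, or one captured value works against every admin.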

Re: Joomla CSRF vulnerability

Postby GreyHead on Tue Jan 15, 2008 9:19 pm

Joomla 1.0.14 has now been released - you can download here

Bob

