Many people will have noticed (including a lot of bad guys) that there is a security release of the Joomla! content management system.
Previous versions contain a vulnerability which allows a malicious person to register a user account on a Joomla site by carefully crafting their own HTML form, even when user registration has been turned off, and also to manipulate the user group. This is done by accessing a vulnerable controller in components/com_users/controllers/user.php, which includes a register task that does not check the site configuration or properly validate the data.
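The two checks that the paragraph above says the register task lacked, shown as an added example in plain PHP (this is not Joomla's code or its actual fix). The function name, the field whitelist and the setting names are assumptions made for illustration.

```php
<?php
// Added illustration in plain PHP; no Joomla classes are used and every name
// here is hypothetical.

// Fields a self-registration request may supply. "groups" is deliberately
// absent: group membership is set by the server, never by the request.
const ALLOWED_FIELDS = ['name', 'username', 'email1', 'password1'];

/**
 * @param array $config site settings (assumed keys, modelled on com_users options)
 * @param array $posted untrusted request data
 * @return array the record that would be stored
 */
function handleRegister(array $config, array $posted): array
{
    // Check 1: honour the site configuration before looking at the data.
    if (empty($config['allowUserRegistration'])) {
        throw new RuntimeException('Registration is disabled', 403);
    }
    // Check 2: keep only whitelisted keys; everything else is dropped.
    $clean = array_intersect_key($posted, array_flip(ALLOWED_FIELDS));
    // Check 3: each whitelisted field must be a non-empty string.
    foreach (ALLOWED_FIELDS as $field) {
        $value = $clean[$field] ?? null;
        if (!is_string($value) || trim($value) === '') {
            throw new RuntimeException("Missing or invalid field: $field", 400);
        }
    }
    if (filter_var($clean['email1'], FILTER_VALIDATE_EMAIL) === false) {
        throw new RuntimeException('Invalid e-mail address', 400);
    }
    // The group comes from configuration only.
    $clean['groups'] = [(int) $config['new_usertype']];
    return $clean;
}

// Constructed sample request that tries to choose its own group.
$posted = ['name' => 'Test', 'username' => 'test', 'email1' => 'test@example.org',
           'password1' => 'constructed-sample', 'groups' => [99]];

// With registration switched off the request is refused outright.
try {
    handleRegister(['allowUserRegistration' => 0, 'new_usertype' => 2], $posted);
} catch (RuntimeException $e) {
    echo $e->getCode(), ' ', $e->getMessage(), PHP_EOL;
}
// With registration on, the posted "groups" value is replaced by the configured one.
print_r(handleRegister(['allowUserRegistration' => 1, 'new_usertype' => 2], $posted));
```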
The controller has been around since Joomla 1.6, so it has left a lot of people wondering if older versions of Joomla are vulnerable, such as 2.5, which is still widely used. In fact, the good news is that older versions are not.
If you try to submit a crafted HTML form to a Joomla 2.5 site, you get the following fatal error:
Warning: Missing argument 2 for JModelForm::validate(), called in components/com_users/controllers/user.php on line 114 and defined in /libraries/joomla/application/component/modelform.php on line 258
Fatal error: Call to a member function filter() on a non-object in /libraries/joomla/application/component/modelform.php on line 261
Or something similar, depending on your exact version. The reason for this is that the user controller includes a coding error: it uses
$return = $model->validate($data);