Yesterday, we released a new version of the Yth library (short for Yireo Template Helper), a PHP library that lets developers add their own PHP logic to their Joomla! templates without using a complex templating framework. Upgrading is advised, because this version also fixes a potential security issue.
Security issue in css.php version 0.2
With the help of a well-known template club, we discovered a security issue in css.php, a PHP script that is part of Yth and is used to include CSS stylesheets. On outdated PHP environments whose filesystem functions are still vulnerable to null-byte attacks, this mechanism also allows non-CSS files to be included: a %00 (null byte) in the request parameter ends the path as the underlying C library sees it, so anything the script appends after it (such as a .css extension) is silently discarded. PHP 5.3.4 and newer reject paths containing null bytes, and open_basedir limits which directories such a request can reach, so on those setups the impact is limited or absent. Upgrading Yth is still recommended.
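To illustrate the class of bug involved, here is an added example that is not Yth's css.php (whose code is not reproduced in this post): a hypothetical stylesheet-serving script written in the vulnerable shape, followed by a hardened version for PHP 7.1 or newer. The parameter name file, the directory layout and the function names are assumptions made for the illustration.

```php
<?php
// Added illustration, not Yth's css.php. A hypothetical "stylesheet proxy": a
// request parameter names a stylesheet, the script appends ".css" and serves it.

// VULNERABLE PATTERN (PHP before 5.3.4): the appended suffix protects nothing,
// because a %00 in the parameter ends the path as the C library sees it:
// "../configuration.php\0.css" is opened as "../configuration.php".
function serve_css_vulnerable(string $requested, string $cssDir): void
{
    $path = $cssDir . '/' . $requested . '.css';
    header('Content-Type: text/css');
    readfile($path); // on old PHP the ".css" suffix is silently dropped
}

// HARDENED PATTERN: reject control bytes and traversal up front, resolve the
// canonical path, and insist it stays inside the stylesheet directory and keeps
// its extension. Returns the safe path, or null when the request is refused.
function resolve_css_path(string $requested, string $cssDir): ?string
{
    // 1. Null bytes and other control characters have no place in a file name
    //    (on PHP 8 realpath() would throw a ValueError on them anyway).
    if (preg_match('/[\x00-\x1f]/', $requested)) {
        return null;
    }
    // 2. Allow only a plain file name: letters, digits, dash, underscore, dot,
    //    and never a ".." component.
    if (!preg_match('/\A[A-Za-z0-9_.-]+\z/', $requested) || strpos($requested, '..') !== false) {
        return null;
    }
    $base = realpath($cssDir);
    $candidate = realpath($cssDir . '/' . $requested . '.css');
    if ($base === false || $candidate === false) {
        return null;
    }
    // 3. The canonical path must sit below the CSS directory (this also covers
    //    symlinks pointing elsewhere) and must still end in ".css".
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    if (substr($candidate, -4) !== '.css') {
        return null;
    }
    return $candidate;
}

function serve_css_hardened(string $requested, string $cssDir): void
{
    $path = resolve_css_path($requested, $cssDir);
    if ($path === null) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: text/css');
    readfile($path);
}

// Usage (assumed parameter name and directory):
// serve_css_hardened($_GET['file'] ?? '', __DIR__ . '/css');
```

The hardened version does not rely on the PHP version or on open_basedir: the allow-list regex and the realpath() prefix check reject traversal and null bytes regardless of how the runtime treats them, which is the check a template author wants in place even after upgrading.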
Yth now includes some new features as well. The splitmenu mechanism was not working correctly under Joomla! 2.5, and this is now fixed. Two new methods, image() and datauri(), allow you to include images in the template quickly; datauri() converts URL-based images into data URIs embedded directly in the generated HTML.
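As an added example of how such a conversion works (this is not Yth's own datauri() method, and the function name, directory argument and size limit are assumptions), the helper below turns an image file inside the template directory into a data URI. It deliberately reads only local files, so it cannot be used to make the server fetch arbitrary URLs.

```php
<?php
// Added example, not Yth's datauri(): build a data: URI from an image file that
// lives inside the template directory. Requires the fileinfo extension.
function image_to_data_uri(string $file, string $templateDir, int $maxBytes = 32768): ?string
{
    // Null bytes are never part of a legitimate file name (and PHP 8 throws on them).
    if (strpos($file, "\0") !== false) {
        return null;
    }
    $base = realpath($templateDir);
    $path = realpath($templateDir . '/' . $file);
    // Refuse anything that resolves outside the template directory ("../", symlinks).
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    // Base64 adds about a third in size and inlined images cannot be cached on
    // their own, so only small images are worth embedding.
    $size = filesize($path);
    if ($size === false || $size > $maxBytes) {
        return null;
    }
    // Derive the MIME type from the file contents, not from the extension, and
    // accept raster formats only (inline SVG can carry script).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($path);
    $allowed = ['image/png', 'image/gif', 'image/jpeg', 'image/webp'];
    if ($mime === false || !in_array($mime, $allowed, true)) {
        return null;
    }
    $data = file_get_contents($path);
    if ($data === false) {
        return null;
    }
    return 'data:' . $mime . ';base64,' . base64_encode($data);
}

// Usage in a template (assumed file location): fall back to the plain URL when
// the image is refused or too large.
// $src = image_to_data_uri('images/logo.png', __DIR__) ?? 'images/logo.png';
// echo '<img src="' . htmlspecialchars($src, ENT_QUOTES) . '" alt="Logo">';
```

The size cap and the raster-only allow-list are the two design choices worth keeping in any variant: the first because large data URIs make pages slower rather than faster, the second because embedding an SVG that contains script is a cross-site scripting vector.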
For CSS merging and crunching (and/or applying data URIs within the CSS code as well), we recommend using our ScriptMerge plugin instead. No new features will be added to the css.php file; only yth.php will be expanded with new features.