auch Editoren die das "Missbrauchen" könnten...
Und wer Dateiendungen mit .php zu lässt, verdient es nicht anders...

You cannot upload a file that isn't an image. Test your assertion. Create a text file and name it test.jpg then, try to upload it. Joomla! will not allow that.

Thanks!
Amy

@amy :

but it is now times fact, which registered user can simply upload pictures, although the Webmaster this would not like at all. And of from there it and remains it is an bug.

OK, good! I am glad you agree that Joomla! does have image checking. That portion of your report would be concerning and it simply isn't true.

Now, it would certainly be nice to add a feature to allow Webmasters to configure who is allowed to upload images. Hannes started that process this morning. His patch could probably be enhanced, IMO, to allow more flexibility in that minimum level. But, it does seem to be a good feature to consider. That patch is on the tracker and people are considering it.

http://joomlacode.org/gf/project/joomla/tracker/?action=TrackerItemEdit&tracker_item_id=15691

The truth is - anytime you have someone you do not know or someone who intends you harm, contributing content on your Web site, you are more vulnerable. Today, we live in a community-driven, collaborative social networking world - and we need to be ready for attacks. First line of defense is regular backups, but there are lots of things one can do to better protect their Web site.

As you guys - who are likely as geeky as me :-P - know, learning is important. I offer Sam Moffatt's Community Magazine Article where he explains on the first bullet how to turn off Frontend logins - or access of any kind. That is a good idea if you don't have a community Web site.

http://community.joomla.org/magazine/article/524-site-integrator-improve-the-security-of-your-joomla-administrator-sam-moffatt.html

OK - now. We can do a better job in the project and one way of doing a better job is by getting you to join us. Consider joining the Bug Squad - consider getting involved in the Development effort. Most of the time, these issues are community problems and closer involvement will help.

You have my email address. You are connected to me on Twitter. I will help you if you like you are not being heard - feel free to contact me. I will stick with you like GLUE until you get a satisfactory answer. Let's try to trust one another a bit more and work together.

Thanks,
Amy :)

PS - thanks for knowing English since my ability to speak German left many generations ago with my German ancestors.

OK - now. We can do a better job in the project and one way of doing a better job is by getting you to join us. Consider joining the Bug Squad - consider getting involved in the Development effort. Most of the time, these issues are community problems and closer involvement will help.

You have my email address. You are connected to me on Twitter. I will help you if you like you are not being heard - feel free to contact me. I will stick with you like GLUE until you get a satisfactory answer. Let's try to trust one another a bit more and work together.

If I understand the news correctly, it seems that this bug (I don't think, that this is a feature) was reported 23 days ago, so why did nobody react? Why was it necessary that someone have to write a forum post (btw. it seems the post is deleted) and a news, before the core team take action?

Very disappointing