On the Mambo CMS site there are vulnerabilities found. Whilst this is not a CentOS problem, people rent/deploy servers (CentOS) on the net with Mambo. A guy in one of the user forums on the net had his Mambo 4.5.2 server hacked and they installed some interesting stuff in /tmp. When a server is hacked it gives bad PR for the underlying OS.

<----announcement on http://www.mamboserver.com/----->

Investigations by GulfTech Research And Development have revealed a long-standing weakness in Mambo that could allow a hacker to compromise sites built on Mambo. The firm's findings will be published in about a week's time.

The Mambo development team has created fixes for versions 4.5.3 and 4.5.3h. The new patch files can be found at MamboXchange. The patch packages are delivered in both ZIP and TAR.GZ formats - select whichever is right for you.

Each package contains two files - content.php and mambo.php. These should replace the corresponding files in your existing installation, as follows:

(1) The first file (content.php) should be used to overwrite this file: /components/com_content/content.php.
(2) The second file (mambo.php) should be used to overwrite this file: /includes/mambo.php.

If you are running an earlier version of Mambo than 4.5.3 we recommend that you consider upgrading.
On Tue, 2006-02-28 at 05:06 -0800, Jim Smith wrote:
> On the Mambo CMS site there are vulnerabilities found. Whilst this is
> not a CentOS problem, people rent/deploy servers (CentOS) on the net
> with Mambo. A guy in one of the user forums on the net, had his Mambo
> 4.5.2 server hacked and they installed some interesting stuff in /tmp
> . When a server is hacked it gives bad PR for the underlying OS.

----

It seems that CMS systems, by their very nature, and certainly by historical evidence, are high maintenance items.

Craig
Ignacio Vazquez-Abrams
2006-Feb-28 13:36 UTC
[CentOS] Off-Topic Mambo Vulnerabilities & Patches
On Tue, 2006-02-28 at 05:06 -0800, Jim Smith wrote:
> On the Mambo CMS site there are vulnerabilities found. Whilst this is
> not a CentOS problem, people rent/deploy servers (CentOS) on the net
> with Mambo. A guy in one of the user forums on the net, had his Mambo
> 4.5.2 server hacked and they installed some interesting stuff in /tmp
> . When a server is hacked it gives bad PR for the underlying OS.

If you value security and you don't know how to program in PHP then you'll avoid Mambo entirely. I was astounded by some of the poor decisions made by the Mambo team in writing it.

> <----announcement on http://www.mamboserver.com/----->
> If you are running an earlier version of Mambo than 4.5.3 we
> recommend that you consider upgrading.

From the 4.5.3h changelog:

"19-Dec-2005 Xxxxxxxxxx Xxxxxxx (xxxxx) # Changed register globals emulation to default to 'On'"

So even if you set register_globals to off for security, Mambo goes ahead and acts as if it's on anyways. Absolutely brilliant. I've blocked out the name here, but feel free to look in the changelog for yourself and see exactly who made that stupid-beyond-all-reason change.

-- 
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/
gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
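Added illustration of the "register globals emulation" point made above; this is not Mambo's code and not from the list. It uses a toy emulation (an `extract()` of every request key, standing in for whatever routine the CMS ships) with a constructed request, shows the explicit input handling that a hardened php.ini expects, and checks the two PHP settings this thread names.

```php
<?php
// What register_globals emulation does, and why a CMS defaulting it to On
// undoes a php.ini that has register_globals=Off. Illustration only.

// Application state that the client must never control.
$is_admin = false;
$page     = 'home';

// Constructed request, equivalent to ?page=contact&is_admin=1
$request = ['page' => 'contact', 'is_admin' => '1'];

// 1) Emulation On: every request key is imported as a variable, exactly as
//    register_globals=On used to do (toy stand-in for the real routine).
extract($request, EXTR_OVERWRITE);
var_dump($is_admin);   // string(1) "1" - truthy: the request now sets a trust flag

// Reset the state for the hardened variant.
$is_admin = false;
$page     = 'home';

// 2) Hardened: no emulation. Each input is read by name and validated; nothing
//    in the request can reach a variable the code did not ask for.
$allowed_pages = ['home', 'contact', 'about'];
if (isset($request['page']) && in_array($request['page'], $allowed_pages, true)) {
    $page = $request['page'];
}
var_dump($is_admin);   // bool(false) - untouched by the request

// 3) Host check: confirm the effective values, not just what php.ini says.
//    ini_get() returns "" or false when a directive is off or absent.
printf("register_globals=%s magic_quotes_gpc=%s\n",
    ini_get('register_globals') ? 'On' : 'Off',
    ini_get('magic_quotes_gpc') ? 'On' : 'Off');
```

Run it with `php` on the command line; the point of step 3 is that an application-level emulation layer is invisible to ini_get(), so the host check alone does not prove the CMS is not re-creating the behaviour.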
This has been assigned CVE-2006-0871 on http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2006-0871

http://secunia.com/advisories/18935/ has some interesting details and the requirement that "magic_quotes_gpc" is disabled for the Mambo SQL Injection and File Inclusion Vulnerabilities.

While Mambo and VBulletin do suffer from vulnerabilities (probably once per year), they have a better security record than phpbb/phpnuke which have vulnerabilities/incidents up to 4 times per year. Some hosts ban phpbb from their servers.
Kanwar Ranbir Sandhu
2006-Feb-28 18:05 UTC
[CentOS] Off-Topic Mambo Vulnerabilities & Patches
On Tue, 2006-28-02 at 08:36 -0500, Ignacio Vazquez-Abrams wrote:
> If you value security and you don't know how to program in PHP then
> you'll avoid Mambo entirely. I was astounded by some of the poor
> decisions made by the Mambo team in writing it.

I've migrated my stuff from Mambo to Joomla (basically a fork of Mambo). I'm not sure if it's more secure than Mambo, but I do know the devs have made improvements.

Regards,

Ranbir

-- 
Kanwar Ranbir Sandhu
Linux 2.6.15-1.1831_FC4 i686 GNU/Linux
13:03:51 up 18:32, 2 users, load average: 0.16, 0.72, 0.79