View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0000098 | website | website | public | 2003-12-11 22:54 | 2003-12-12 08:30 |
Reporter | herrold | | | | |
Priority | low | Severity | minor | Reproducibility | always |
Status | resolved | Resolution | fixed | | |
Platform | Other | OS | other | OS Version | |
Product Version | unspecified | | | | |
Target Version | | Fixed in Version | | | |
Summary | 0000098: PRIVATE: [SCSA-023] Multiple vulnerabilities in Mambo Server | | | | |

Description:

Security Corporation Security Advisory [SCSA-023]
Multiple vulnerabilities in Mambo Server
======================================================================

PROGRAM: Mambo Server
HOMEPAGE: http://www.mamboserver.com
VULNERABLE VERSIONS: 4.0.14 and 4.5 Beta 1.0.3
RISK: Low/MEDIUM
IMPACT: Redefining of configuration variables
        Change of members' and administrator's information
RELEASE DATE: 2003-12-10

You can find patches at the following link:
http://www.phpsecure.info

The creator (Robert Castley) was notified, published a patch 2 for version 4.0.1 (works only if patch 1 was installed), and a Beta 1.0.14 of version 4.5 was published for the vulnerabilities of 1.0.13.

DISCLOSURE TIMELINE
======================================================================
25/11/2003 Vulnerability discovered
25/11/2003 Vendor notified
25/11/2003 Vendor response
25/11/2003 Security Corporation clients notified
28/11/2003 Started e-mail discussions
09/12/2003 Last e-mail received
10/12/2003 Public disclosure

7. CREDITS
======================================================================
frog-m@n <frog-man@security-corporation.com> is credited with this discovery

Tags: No tags attached.
Does this include the later post:

Mambo Open Source 4.0.14 SQL injection
There hasn't been any input validation for the variable artid. An attacker can thus insert his own SQL query and get the administrator MD5 pass from the mod_users table and use it in a cookie to gain admin access to the Mambo CMS system.

Lance update with wrappers:

In response to the previous message I have changed the Apache config on www.caosity.org to only allow access to /administrator from specific listed IP addresses. They are:

128.3.10.49   gmkurtzer
62.245.38.17  lsd office
62.245.38.33  lsd home
65.64.190.32  mpirun adsl

In addition 63.207.100.120 has accessed it in the past days, but as I don't know who it is I haven't added it.

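The Apache restriction described in the note above, written out as an added example; it is not configuration from the original issue or from the Mambo project. It uses the Apache 1.3/2.0 access-control directives that were current in 2003. The path and the four addresses are the ones the note lists; where the block sits in the server config (main config or the site's VirtualHost) is an assumption.

```apache
# Added example, not from the original issue: allow-list Mambo's
# admin path on www.caosity.org. Apache 1.3/2.0 directive syntax.
# The four addresses are the ones listed in the note; placement in
# the main config or the site's <VirtualHost> is an assumption.
# Apache comments must start a line, so the owner labels sit on
# their own lines rather than after the directives.
<Location /administrator>
    # With "Order deny,allow" the Deny list is checked first and an
    # Allow match overrides it, so everything is denied except the
    # listed addresses.
    Order deny,allow
    Deny from all
    # gmkurtzer
    Allow from 128.3.10.49
    # lsd office
    Allow from 62.245.38.17
    # lsd home
    Allow from 62.245.38.33
    # mpirun adsl
    Allow from 65.64.190.32
</Location>
```

Each further address, such as the one added in a later note, is one more Allow line. Check it after reloading Apache: a request for /administrator/ from an address that is not listed should get a 403, and one from a listed address should get the login page. Two caveats. First, `<Location>` prefix-matches the request URL only; if the site sits on a case-insensitive filesystem, a `<Directory>` block on the filesystem path of the administrator directory is the safer choice. Second, this gates only the admin back end: on an unpatched 4.0.14 the artid injection in the public part of the site can still read mod_users, so the allow-list cuts off the "use the hash in a cookie to reach the admin interface" step rather than the injection itself, and the patches are still needed. On Apache 2.4 the same rule is `Require ip 128.3.10.49 62.245.38.17 62.245.38.33 65.64.190.32` inside the `<Location>` block, and the Order/Deny/Allow form needs mod_access_compat loaded.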
I'm not at all impressed with the fact that the 'patches' are not published or mentioned on the Mambo website, but on phpsecure, and they are not signed by Mambo developers ... So I downloaded them from www.sourceforge.net/mambo

It surprises me that they haven't issued a new point release including the patches. What's the point of letting people install the insecure version???

www.caosity.org now patched

aha :- 63.207.100.120 == gmk_laptop added |
Date Modified | Username | Field | Change |
---|---|---|---|
2003-12-11 23:32 | lance@uklinux.net | Status | NEW => ASSIGNED |
2003-12-12 03:30 | lance@uklinux.net | Status | ASSIGNED => RESOLVED |
2003-12-12 03:30 | lance@uklinux.net | Resolution | => FIXED |