[CentOS] Off-Topic Mambo Vulnerabilities & Patches

Tue Feb 28 13:36:58 UTC 2006
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>

On Tue, 2006-02-28 at 05:06 -0800, Jim Smith wrote:
> On the Mambo CMS site there are vulnerabilities found. Whilst this is
> not a CentOS problem, people rent/deploy servers (CentOS) on the net
> with Mambo. A guy in one of the user forums on the net, had his Mambo
> 4.5.2 server hacked and they installed some interesting stuff in /tmp
> . When a server is hacked it gives bad PR for the underlying OS.

If you value security and you don't know how to program in PHP then
you'll avoid Mambo entirely. I was astounded by some of the poor
decisions made by the Mambo team in writing it.

> <----announcement on http://www.mamboserver.com/----->

> If you are running an earlier version of Mambo than 4.5.3 we
> recommend that you consider upgrading.

From the 4.5.3h changelog:

"19-Dec-2005 Xxxxxxxxxx Xxxxxxx (xxxxx)
# Changed register globals emulation to default to 'On'"

So even if you set register_globals to off for security, Mambo goes
ahead and acts as if it's on anyways. Absolutely brilliant.

I've blocked out the name here, but feel free to look in the changelog
for yourself and see exactly who made that stupid-beyond-all-reason
change.

-- 
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/

gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.centos.org/pipermail/centos/attachments/20060228/d2c61834/attachment-0005.sig>