On Tue, 2006-02-28 at 05:06 -0800, Jim Smith wrote:
> On the Mambo CMS site there are vulnerabilities found. Whilst this is
> not a CentOS problem, people rent/deploy servers (CentOS) on the net
> with Mambo. A guy in one of the user forums on the net, had his Mambo
> 4.5.2 server hacked and they installed some interesting stuff in /tmp.
> When a server is hacked it gives bad PR for the underlying OS.

If you value security and you don't know how to program in PHP then
you'll avoid Mambo entirely. I was astounded by some of the poor
decisions made by the Mambo team in writing it.

> <----announcement on http://www.mamboserver.com/----->
> If you are running an earlier version of Mambo than 4.5.3 we
> recommend that you consider upgrading.

From the 4.5.3h changelog:

"19-Dec-2005 Xxxxxxxxxx Xxxxxxx (xxxxx)
# Changed register globals emulation to default to 'On'"

So even if you set register_globals to off for security, Mambo goes
ahead and acts as if it's on anyways. Absolutely brilliant.

I've blocked out the name here, but feel free to look in the changelog
for yourself and see exactly who made that stupid-beyond-all-reason
change.

-- 
Ignacio Vazquez-Abrams <ivazquez at ivazquez.net>
http://centos.ivazquez.net/

gpg --keyserver hkp://subkeys.pgp.net --recv-key 38028b72
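The following is an added illustration, not code from Mambo, from the list, or from the poster, of what "register_globals emulation" defaulting to On means in practice. The `emulate_register_globals()` function is an assumed, simplified stand-in for such an emulation layer (it copies every request parameter into a global, which is the effect register_globals=On had natively, whatever php.ini says); the page functions, credentials and request arrays are constructed for the demonstration. The vulnerable page relies on a flag that is only assigned on the success path; the hardened page initialises its state before use and reads input only from the request array, so the emulation layer has nothing to poison.

```php
<?php
// Added example, not Mambo's code. Simplified model of a register_globals
// emulation layer: every request key becomes a global variable, regardless
// of the register_globals setting the administrator chose in php.ini.
function emulate_register_globals(array $request): void
{
    foreach ($request as $name => $value) {
        $GLOBALS[$name] = $value;   // request-controlled names land in global scope
    }
}

// Vulnerable pattern: the flag is never initialised by the script itself, it
// is only set when the credentials match, and it is read from global scope.
function page_vulnerable(array $request): string
{
    emulate_register_globals($request);
    global $logged_in;
    if (($request['user'] ?? '') === 'admin' && ($request['pass'] ?? '') === 's3cret') {
        $logged_in = true;
    }
    return !empty($logged_in) ? 'welcome' : 'denied';
}

// Hardened pattern: state is initialised before use and input is taken only
// from the request array, so whatever the emulation layer wrote is ignored.
function page_hardened(array $request): string
{
    emulate_register_globals($request);     // still active, now without effect
    $logged_in = false;
    if (($request['user'] ?? '') === 'admin' && ($request['pass'] ?? '') === 's3cret') {
        $logged_in = true;
    }
    return $logged_in ? 'welcome' : 'denied';
}

// Constructed requests (no real site involved). The second one carries no
// credentials at all, only a parameter that happens to share the flag's name.
$empty_request = [];
$flag_in_request = ['logged_in' => '1'];

printf("vulnerable, empty request:   %s\n", page_vulnerable($empty_request));   // denied
printf("vulnerable, flag in request: %s\n", page_vulnerable($flag_in_request)); // welcome (the bug)
printf("hardened,   flag in request: %s\n", page_hardened($flag_in_request));   // denied
```

Run it with `php example.php` on any PHP 7 or 8 interpreter. The lesson for an operator is the one the post makes: turning register_globals off in php.ini is not enough if the application re-creates the behaviour itself, so audit the application's own bootstrap code (and the changelog) for emulation switches, and write code that initialises every variable before reading it.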