Security update for Mambo
The developers of the content management system Mambo have released version 4.6.4, which fixes three security flaws. According to their security advisory, manipulated articleid and mcname parameters could be used to transmit arbitrary commands to the underlying database. For the attack to succeed the magic_quotes_gpc PHP option has to be disabled.
In addition, the developers have closed a CRLF injection hole (carriage return, line feed) that allows attackers to manipulate HTTP headers sent to users. Finally, a cross-site scripting hole has been closed in the software's MOStlyCE editor. The developers recommend that users install the new Mambo version as soon as possible.
See also:
- Please upgrade your sites to Mambo 4.6.4, press release from the developers of Mambo
(mba)