In association with heise online

25 July 2006, 12:13

Numerous add-on modules threaten security of Mambo and Joomla!

Users of the Mambo content management system are finding it hard to rest easily, at least if they have add-on modules from third-party publishers running on their servers. Twelve modules have turned up during July alone with security vulnerabilities that could allow attackers to gain control of the CMS over the Net. The root of the problem is in most cases a lack of filtering of the mosConfig_absolute_path parameter. If an attacker can set it to a path of their choosing, the CMS will include and execute arbitrary PHP scripts from local files or from external servers.

Holes have recently been described in the Mam-Moodle, MultiBanners, and MoSpray modules, joining the earlier July warnings about Mambo-SMF, VideoDB, LoudMouth, PollXT, SiteMap, SimpleBoard, phpBB (module for Mambo), ExtCalendar and Galleria. The modules are not all equally widespread: some are used very frequently, others only rarely.

Dedicated patches are few and far between. However, it is generally sufficient to set the PHP option register_globals = off in the php.ini file (on Debian, located under /etc/php4/apache/). Where needed, Mambo can also emulate the register_globals function itself. Mambo's developers recommend adding the following line to the beginning of each add-on module, so that the module refuses to run unless it has been loaded through the CMS:

defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );

Joomla!, a spin-off from Mambo, is also affected by the add-on module problem. So far six vulnerable modules have been outed during July: PollXT, HashCash, JoomlaBoard, SimpleBoard, PcCookbook and perForms. The hole in perForms has already been used to infect various servers with IRC bots. The same steps used for Mambo can also help here (see above).
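The two checks described above (register_globals turned off, and the _VALID_MOS guard placed before any include that uses $mosConfig_absolute_path) can be audited mechanically across a module directory. The following Python script is an added example written for this article; it is not code from Mambo, Joomla! or heise. The module sources and php.ini text it inspects are constructed inline for illustration, and the file names are invented. It flags a module as at risk only when it includes files via $mosConfig_absolute_path without a preceding guard, and it treats a php.ini with register_globals off as closing the request-to-global path for all modules.

```python
import re
from typing import Dict, Optional

# Constructed sample module sources (not real Mambo/Joomla! modules).
SAMPLE_MODULES: Dict[str, str] = {
    "mod_unguarded.php": (
        "<?php\n"
        "// no access guard: with register_globals on, the variable below\n"
        "// can be populated straight from the HTTP request\n"
        "require_once($mosConfig_absolute_path . '/includes/helper.php');\n"
    ),
    "mod_guarded.php": (
        "<?php\n"
        "defined( '_VALID_MOS' ) or die( 'Direct Access not allowed.' );\n"
        "require_once($mosConfig_absolute_path . '/includes/helper.php');\n"
    ),
    "mod_noinclude.php": (
        "<?php\n"
        "echo 'static module output';\n"
    ),
}

# Constructed php.ini fragment: the commented line is ignored, the live one counts.
SAMPLE_PHP_INI = "; register_globals = On\nregister_globals = Off\n"

# The guard line recommended by Mambo's developers, allowing for spacing variants.
GUARD_RE = re.compile(
    r"defined\s*\(\s*['\"]_VALID_MOS['\"]\s*\)\s*or\s*die", re.IGNORECASE)
# Any include/require statement whose path is built from $mosConfig_absolute_path.
INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\b[^;]*\$mosConfig_absolute_path",
    re.IGNORECASE)


def audit_module(source: str) -> Dict[str, bool]:
    """Inspect one PHP module source for the include pattern and the guard.

    The guard only helps if it executes before the include, so its position
    in the file is compared with that of the first risky include.
    """
    guard = GUARD_RE.search(source)
    include = INCLUDE_RE.search(source)
    has_guard = guard is not None
    uses_path_include = include is not None
    guard_before_include = (
        has_guard and uses_path_include and guard.start() < include.start())
    return {
        "has_guard": has_guard,
        "includes_via_absolute_path": uses_path_include,
        "at_risk": uses_path_include and not guard_before_include,
    }


def parse_register_globals(php_ini: str) -> Optional[bool]:
    """Return the register_globals setting from php.ini text (None if unset).

    Lines starting with ';' are php.ini comments and are skipped.
    """
    for raw in php_ini.splitlines():
        line = raw.split(";", 1)[0].strip()
        m = re.match(r"register_globals\s*=\s*(\S+)", line, re.IGNORECASE)
        if m:
            value = m.group(1).strip("\"'").lower()
            return value in ("on", "1", "true", "yes")
    return None


def risk_report(modules: Dict[str, str], php_ini: str) -> Dict[str, bool]:
    """Map each module name to whether it is exploitable via this vector.

    With register_globals off, request parameters never become PHP globals,
    so the unfiltered path can no longer be supplied by a client and no
    module is reported as at risk regardless of its own code.
    """
    globals_on = parse_register_globals(php_ini)
    # An unset directive is treated as on, the default for PHP 4 of that era.
    effective_on = True if globals_on is None else globals_on
    return {
        name: effective_on and audit_module(src)["at_risk"]
        for name, src in modules.items()
    }


if __name__ == "__main__":
    for name, at_risk in risk_report(SAMPLE_MODULES, "").items():
        print(f"{name}: {'AT RISK' if at_risk else 'ok'} (register_globals assumed on)")
    for name, at_risk in risk_report(SAMPLE_MODULES, SAMPLE_PHP_INI).items():
        print(f"{name}: {'AT RISK' if at_risk else 'ok'} (register_globals off)")
```

Pointing `audit_module` at every file under a real modules directory gives the same per-file verdicts; the regular expressions are deliberately simple and will not see includes assembled across several statements, so a clean report is a reason to look further, not a proof of safety.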

(ehe)

Permalink: http://h-online.com/-731270