In association with heise online

27 May 2008, 14:13

Security update for Mambo


The developers of the content management system Mambo have released version 4.6.4, which fixes three security flaws. According to their security advisory, manipulated articleid and mcname parameters could be used to transmit arbitrary commands to the underlying database. For the attack to succeed, the magic_quotes_gpc PHP option has to be disabled.
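As an added illustration (not code from Mambo or from the advisory), the sketch below shows why handling of parameters such as articleid and mcname should not depend on the magic_quotes_gpc setting: a query built by concatenation is compared with one that validates and binds its inputs. The table, columns and function names are hypothetical, and the pdo_sqlite extension is assumed to be available.

```php
<?php
declare(strict_types=1);

// Hypothetical schema and helper names for illustration; this is not Mambo's code.
function demoDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, mcname TEXT, title TEXT)');
    $db->exec("INSERT INTO articles VALUES (1, 'news', 'Public'), (2, 'staff', 'Internal')");
    return $db;
}

// "Before": the query text is assembled from request data, so its safety hinges
// on whatever escaping the PHP configuration (magic_quotes_gpc) happened to apply.
function findConcatenated(PDO $db, string $mcname): array
{
    $sql = "SELECT title FROM articles WHERE mcname = '" . $mcname . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// "After": articleid must be a plain positive integer and both values are bound
// as parameters, so they are never parsed as SQL, whatever php.ini says.
function findBound(PDO $db, string $articleid, string $mcname): array
{
    $id = filter_var($articleid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return []; // reject the request instead of trying to repair the value
    }
    $stmt = $db->prepare('SELECT title FROM articles WHERE id = :id AND mcname = :mcname');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->bindValue(':mcname', $mcname, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$db = demoDb();
$crafted = "x' OR '1'='1";                      // constructed test value
var_dump(findConcatenated($db, $crafted));      // quote in mcname alters the query
var_dump(findBound($db, '1', $crafted));        // same value, treated as plain text
var_dump(findBound($db, '1 OR 1=1', 'news'));   // non-integer articleid is rejected
var_dump(findBound($db, '1', 'news'));          // well-formed request
```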

In addition, the developers have closed a CRLF injection hole (carriage return, line feed) that allows attackers to manipulate HTTP headers sent to users. Finally, a cross-site scripting hole has been closed in the software's MOStlyCE editor. The developers recommend that users install the new Mambo version as soon as possible.
