
Mambo security flaw!

Panther

Guest
A security flaw was discovered in Mambo 4.5.2 and was publicized on February 20th. This is the current version that is part of the Plesk Application Pack. This vulnerability is actively being exploited! I've contacted SWsoft, but they are apparently unwilling to release an update. I highly suggest either upgrading Mambo manually or disabling it from your site.
 
Yes,

I have found this to be a MAJOR disaster!

SW-SOFT - PLEASE release a patch!

This is real:

Using mambo 4.5.2 a remote attacker was able to cause APACHE to completely shutdown and then start their own TCP connection on port 80.

I have had to disable Mambo and disallow its use through Plesk.

This has caused embarrassment with my clients.

V. Unhappy!
 
I just heard back from SW-SOFT support. They now have a patch available.
 
Originally posted by mlovick
I just heard back from SW-SOFT support. They now have a patch available.
Yet the last email they sent me was a link to a page describing how to build my own package so I can create an updated package myself. Thanks for the post though.

That's after they wanted to charge me an hourly fee to fix the problem to begin with.
 
What was that link please (for creating the new package).
 
No link - it was sent by email in a zip file. I am not sure why they don't publish the patch, but am grateful for it anyway. If you email support again, I am sure they will send it to you.
 
Originally posted by mlovick
No link - it was sent by email in a zip file. I am not sure why they don't publish the patch, but am grateful for it anyway. If you email support again, I am sure they will send it to you.
<mutters under breath>
Them, not you. Thanks for the info. :)
 
Before everyone thinks they're 'safe' if they've installed a patched version of Mambo in the Application Vault: this patch doesn't affect already installed Mambo distributions; they still have to be patched manually by the end users.

Regards.
 
Indeed - my instructions were to patch each installation of Mambo manually.

Apparently they are not going to release a fix! The problem will be sorted out in Plesk v8.

hmmm...

Does anyone use the 4PSA version of Mambo? Is that kept up to date more regularly?
 