
Mambo security flaw!

Discussion in 'Plesk for Linux - 8.x and Older' started by Panther, Feb 26, 2006.

  1. Panther

    Panther Guest

    0
     
    A security flaw was discovered in Mambo 4.5.2 and was publicized on February 20th. This is the current version that is part of the Plesk Application Pack. This vulnerability is actively being exploited! I've contacted SWsoft, but they are apparently unwilling to release an update. I highly suggest either upgrading Mambo manually or disabling it from your site.
     
  2. mlovick

    mlovick Guest

    0
     
    Yes,

    I have found this to be a MAJOR disaster!

    SW-SOFT - PLEASE release a patch!

    This is real:

    Using mambo 4.5.2 a remote attacker was able to cause APACHE to completely shutdown and then start their own TCP connection on port 80.

    I have had to disable Mambo and disallow its use through Plesk.

    This has caused embarrassment with my clients.

    V. Unhappy!
     
  3. mlovick

    mlovick Guest

    0
     
    I just heard back from SW-SOFT support. They now have a patch available.
     
  4. Panther

    Panther Guest

    0
     
    Yet the last email they sent me was a link to a page describing how to build my own package so I can create an updated package myself. Thanks for the post though.

    That's after they wanted to charge me an hourly fee to fix the problem to begin with.
     
  5. mlovick

    mlovick Guest

    0
     
    What was that link, please (for creating the new package)?
     
  6. Panther

    Panther Guest

    0
     
  7. mlovick

    mlovick Guest

    0
     
    No link - it was sent by email in a zip file. I am not sure why they don't publish the patch, but am grateful for it anyway. If you email support again, I am sure they will send it to you.
     
  8. Panther

    Panther Guest

    0
     
    <mutters under breath>
    Them, not you. Thanks for the info. :)
     
  9. rembrandt

    rembrandt Guest

    0
     
    Before everyone thinks they're 'safe' if they've installed a patched version of Mambo in the Application Vault: this patch doesn't affect already installed Mambo distributions; they still have to be patched manually by the end users.

    Regards.
     
  10. mlovick

    mlovick Guest

    0
     
    Indeed - my instructions were to patch each installation of Mambo manually.

    Apparently they are not going to release a fix! The problem will be sorted out in Plesk v8.

    hmmm...

    Does anyone use the 4PSA version of Mambo? Is that kept up to date more regularly?
     