Mambo security flaw!

Panther

Guest
A security flaw was discovered in Mambo 4.5.2 and was publicized on February 20th. This is the current version that is part of the Plesk Application Pack. This vulnerability is actively being exploited! I've contacted SWsoft, but they are apparently unwilling to release an update. I highly suggest either upgrading Mambo manually or disabling it from your site.
 
Yes,

I have found this to be a MAJOR disaster!

SW-SOFT - PLEASE release a patch!

This is real:

Using Mambo 4.5.2 a remote attacker was able to cause APACHE to completely shut down and then start their own TCP connection on port 80.

I have had to disable Mambo and disallow its use through Plesk.

This has caused embarrassment with my clients.

V. Unhappy!
 
I just heard back from SW-SOFT support. They now have a patch available.
 
Originally posted by mlovick
I just heard back from SW-SOFT support. They now have a patch available.
Yet the last email they sent me was a link to a page describing how to build my own package so I can create an updated package myself. Thanks for the post though.

That's after they wanted to charge me an hourly fee to fix the problem to begin with.
 
What was that link, please (for creating the new package)?
 
No link - it was sent by email in a zip file. I am not sure why they don't publish the patch, but am grateful for it anyway. If you email support again, I am sure they will send it to you.
 
Originally posted by mlovick
No link - it was sent by email in a zip file. I am not sure why they don't publish the patch, but am grateful for it anyway. If you email support again, I am sure they will send it to you.
<mutters under breath>
Them, not you. Thanks for the info. :)
 
Before everyone thinks they're 'safe' if they've installed a patched version of Mambo in the Application Vault: this patch doesn't affect already installed Mambo distributions, they still have to be patched manually by the end users.

Regards.
 
Indeed - my instructions were to patch each installation of Mambo manually.

Apparently they are not going to release a fix! The problem will be sorted out in Plesk v8.

hmmm...

Does anyone use the 4PSA version of Mambo? Is that kept up to date more regularly?
 