
Bug 203084

Summary: www-apps/mambo security status
Product: Gentoo Security
Reporter: Robert Buchholz (RETIRED) <rbu>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: enhancement
CC: fauli, lpope, web-apps
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.securityfocus.com/archive/1/archive/1/485257/100/0/threaded
Whiteboard: ~4 [masked]
Package list:
Runtime testing required: ---
Bug Depends on:    
Bug Blocks: 211166    

Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:31:40 UTC
CVE-2007-6455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6455):
  Multiple cross-site scripting (XSS) vulnerabilities in index.php in Mambo
  4.6.2 allow remote attackers to inject arbitrary web script or HTML via the
  (1) Itemid parameter in a com_frontpage option and the (2) option parameter.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:32:48 UTC
Web-apps, please advise.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 00:29:56 UTC
4.6.3 does not fix this.
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-08 07:17:50 UTC
Are you certain that 4.6.3 is still vulnerable to this?

I tried to reproduce the problem but was unable to confirm the XSS with 4.6.3. Looking at the code gave me the impression that both "option" and "Itemid" are properly sanitized in 4.6.3.

This was just a quick glimpse so I'm not 100% certain, but I thought I'd ask for a reference that identifies this problem as being unsolved before going deeper.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 23:29:27 UTC
I did not independently research this, but Secunia updated their advisory available here:
  http://secunia.com/advisories/28133

ChangeLog states:
2007-12-27: Updated "Description" section to include version 4.6.3 as vulnerable.

I'll contact them.
Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-09 05:35:19 UTC
Okay, then I'm probably wrong and it still exists. I only checked the URLs given in http://www.securityfocus.com/archive/1/archive/1/485257/100/0/threaded but I used Firefox for that. I did not see the Secunia information.

Can somebody else check this with Internet Explorer 6?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 15:13:04 UTC
Secunia confirmed the vulnerabilities still exist when using Konqueror for example. I don't have a Mambo installation ready to test.
Comment 7 Benedikt Böhm (RETIRED) gentoo-dev 2008-02-23 14:46:26 UTC
this may be subject to security mask too, CVE history is just too long to not mask this ... bug 211166
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-24 13:23:30 UTC
It's up to the web-apps whether to mask this one.
Comment 9 Benedikt Böhm (RETIRED) gentoo-dev 2008-02-24 20:24:50 UTC
this is basically the same codebase as joomla, so the same procedure applies .. masked
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-20 16:31:21 UTC
"more issues with mambo" : http://secunia.com/advisories/30685/
this is CVE-2008-2905, no fix available atm.
Comment 11 Lynne Pope 2008-08-24 16:27:22 UTC
(In reply to comment #9)
> this is basically the same codebase as joomla, so the same procedure applies ..
> masked
> 
Mambo 4.6.x is quite different to Joomla 1.0.x and has had very few vulnerabilities. 

CVE-2007-6455 was not able to be reproduced in Mambo 4.6.3; however, further hardening was done with Mambo 4.6.4.

CVE-2008-2905 was reported by Mambo when it was discovered and Mambo 4.6.5 released almost immediately. 

Currently, there are multiple new reports of vulnerabilities in Mambo 4.6.2 possibly due to people not reading the news announcements on sourceforge. New releases of Mambo are made on the Mambo forge at http://mambo-code.org


Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-11 08:27:42 UTC
There have been no updates to Mambo in more than two years.  Maybe we should treeclean it.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:24:58 UTC
PLEASE!
Comment 14 Benedikt Böhm (RETIRED) gentoo-dev 2010-03-07 12:59:45 UTC
removed