Bug 203084 - www-apps/mambo security status
Summary: www-apps/mambo security status
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High enhancement
Assignee: Gentoo Security
URL: http://www.securityfocus.com/archive/...
Whiteboard: ~4 [masked]
Keywords:
Depends on:
Blocks: 211166
Reported: 2007-12-22 21:31 UTC by Robert Buchholz (RETIRED)
Modified: 2010-03-07 12:59 UTC

See Also:
Package list:
Runtime testing required: ---


Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:31:40 UTC
CVE-2007-6455 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-6455):
  Multiple cross-site scripting (XSS) vulnerabilities in index.php in Mambo
  4.6.2 allow remote attackers to inject arbitrary web script or HTML via the
  (1) Itemid parameter in a com_frontpage option and the (2) option parameter.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-22 21:32:48 UTC
Web-apps, please advise.
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2008-01-05 00:29:56 UTC
4.6.3 does not fix this.
Comment 3 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-08 07:17:50 UTC
Are you certain that 4.6.3 is still vulnerable to this?

I tried to reproduce the problem but was unable to confirm the XSS with 4.6.3. Looking at the code gave me the impression that both "option" and "Itemid" are properly sanitized in 4.6.3.

This was just a quick glimpse, so I'm not 100% certain, but I thought I'd ask for a reference that identifies this problem as being unsolved before going deeper.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2008-01-08 23:29:27 UTC
I did not independently research this, but Secunia updated their advisory available here:
  http://secunia.com/advisories/28133

ChangeLog states:
2007-12-27: Updated "Description" section to include version 4.6.3 as vulnerable.

I'll contact them.
Comment 5 Gunnar Wrobel (RETIRED) gentoo-dev 2008-01-09 05:35:19 UTC
Okay, then I'm probably wrong and it still exists. I only checked the URLs given in http://www.securityfocus.com/archive/1/archive/1/485257/100/0/threaded but I used Firefox for that. I did not see the Secunia information.

Can somebody else check this with Internet Explorer 6?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2008-01-15 15:13:04 UTC
Secunia confirmed the vulnerabilities still exist when using Konqueror for example. I don't have a Mambo installation ready to test.
Comment 7 Benedikt Böhm (RETIRED) gentoo-dev 2008-02-23 14:46:26 UTC
this may be subject to security mask too, CVE history is just too long to not mask this ... bug 211166
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2008-02-24 13:23:30 UTC
It's up to the web-apps whether to mask this one.
Comment 9 Benedikt Böhm (RETIRED) gentoo-dev 2008-02-24 20:24:50 UTC
this is basically the same codebase as joomla, so the same procedure applies .. masked
Comment 10 Pierre-Yves Rofes (RETIRED) gentoo-dev 2008-07-20 16:31:21 UTC
"more issues with mambo" : http://secunia.com/advisories/30685/
this is CVE-2008-2905, no fix available atm.
Comment 11 Lynne Pope 2008-08-24 16:27:22 UTC
(In reply to comment #9)
> this is basically the same codebase as joomla, so the same procedure applies ..
> masked
> 
Mambo 4.6.x is quite different to Joomla 1.0.x and has had very few vulnerabilities. 

CVE-2007-6455 was not able to be reproduced in Mambo 4.6.3; however, further hardening was done with Mambo 4.6.4.

CVE-2008-2905 was reported by Mambo when it was discovered and Mambo 4.6.5 released almost immediately. 

Currently, there are multiple new reports of vulnerabilities in Mambo 4.6.2 possibly due to people not reading the news announcements on sourceforge. New releases of Mambo are made on the Mambo forge at http://mambo-code.org


Comment 12 Christian Faulhammer (RETIRED) gentoo-dev 2010-01-11 08:27:42 UTC
There have been no updates to Mambo in more than two years.  Maybe we should treeclean it.
Comment 13 Stefan Behte (RETIRED) gentoo-dev Security 2010-03-06 16:24:58 UTC
PLEASE!
Comment 14 Benedikt Böhm (RETIRED) gentoo-dev 2010-03-07 12:59:45 UTC
removed