[41044] in bugtraq
Re: Mambo Open Source, Path disclosure
daemon@ATHENA.MIT.EDU (Vasiliy)
Sat Nov 5 15:07:51 2005
Message-ID: <436CAB0B.5030109@gugol.ru>
Date: Sat, 05 Nov 2005 15:52:27 +0300
From: Vasiliy <security@gugol.ru>
MIME-Version: 1.0
To: bugtraq@securityfocus.com
In-Reply-To: <20051102172806.26683.qmail@web51001.mail.yahoo.com>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit

alireza hassani wrote:
> Demonstration URL :
> --------------------
> http://www.example.com/mambo/index.php?option=com_content&task=section&id=1&Itemid=PATH

I've just tried this on one of my "vulnerable" Mambo installations
and got nothing but a blank screen. I wonder why this happened?
Could it be because displaying PHP errors is turned off, as it should
be in any production environment?

> Solution:
> --------------------
> There is no vendor-supplied patch for this issue at
> this time but we are not advising you to upgrade to
> Joomla because Mambo, version 4.5.3, will be released
> soon ( by the end of November this year).
> 4.5.3 represents the new Team’s first consolidation
> of bug fixes and includes a number of security
> enhancements.

Isn't this "solution" somewhat overcomplicated? If someone wants to
work around this bug, it's not necessary to upgrade. It would be enough
just to follow basic security principles.

--
wbr,
Vasiliy
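The two "basic security principles" the reply alludes to, shown as an added example rather than as Mambo's own code: keep PHP error display off in production (logging errors server-side instead), and validate the `Itemid` request parameter as an integer so a value like the one in the demonstration URL is rejected before it reaches any query or include. The function name, the log path and the sample request values are constructed for illustration.

```php
<?php
// Added example, not Mambo's own code. Demonstrates the production
// hardening that turns the reported path disclosure into a blank page
// plus a server-side log entry. Names and paths here are hypothetical.

// 1. Never show PHP errors to visitors; log them server-side instead.
//    php.ini equivalent:
//        display_errors = Off
//        log_errors     = On
//        error_log      = /var/log/php/mambo-errors.log
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', '/var/log/php/mambo-errors.log'); // constructed path

// 2. Treat request parameters as untrusted. An Itemid must be a positive
//    integer; anything else ("PATH", "0", "12abc") is rejected up front,
//    so no error text describing the installation is ever produced.
function validItemId(array $get): ?int
{
    if (!isset($get['Itemid'])) {
        return null;
    }
    $id = filter_var(
        $get['Itemid'],
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    return $id === false ? null : $id;
}

// Constructed sample requests: the demonstration URL's value and some others.
foreach (['PATH', '1', '0', '12abc'] as $raw) {
    $id = validItemId(['Itemid' => $raw]);
    if ($id === null) {
        // Generic response only: no file path, no SQL text, no stack trace.
        echo "Itemid=" . $raw . " -> rejected; respond 400 with a generic message\n";
    } else {
        echo "Itemid=" . $raw . " -> accepted as " . $id . "\n";
    }
}
```

Run with `php example.php`; only `Itemid=1` is accepted. The `ini_set` calls mirror what a hardened `php.ini` already does, so on a correctly configured host the original demonstration URL yields the blank screen the reply describes, with the error detail going to the log rather than to the visitor.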