[SGVLUG] Mambo

serross serross at ix.netcom.com
Fri Jul 8 20:28:33 PDT 2005


This sounds like we would need some program/person to sanitize the list.
SER

Manuel Fernandes wrote:

> FYI: is the http://sgvlug.laurences.net/mambo/ site on 4.5.2.2?
>
>
> 48. Mambo Open Source Multiple Unspecified Injection Vulnerabilities
> BugTraq ID: 14117
> Remote: Yes
> Date Published: 2005-06-30
> Relevant URL: http://www.securityfocus.com/bid/14117
> Summary:
> Mambo is prone to multiple unspecified injection vulnerabilities.  
> These issues are most likely due to a failure in the application to 
> properly sanitize user-supplied input.
>
> Successful exploitation of these vulnerabilities could lead to 
> unauthorized access; other attacks may also be possible.
>
> The vendor has addressed these issues in Mambo version 4.5.2.2 and 
> later; earlier versions are reported vulnerable.
>
> 49. Mambo Open Source Session ID Spoofing Vulnerability
> BugTraq ID: 14119
> Remote: Yes
> Date Published: 2005-06-30
> Relevant URL: http://www.securityfocus.com/bid/14119
> Summary:
> Mambo is prone to a session ID spoofing vulnerability.  This issue is 
> due to a failure in the application to properly sanitize user-supplied 
> input.
>
> The vendor has addressed this issue in Mambo 4.5.2.2 and later; 
> earlier versions are reported vulnerable.
>
>
>
> 50. Mambo Open Source MosDBTable Class Unspecified Vulnerability
> BugTraq ID: 14120
> Remote: Yes
> Date Published: 2005-06-30
> Relevant URL: http://www.securityfocus.com/bid/14120
> Summary:
> Mambo is prone to an unspecified vulnerability. Vendor reports 
> indicate that the issue exists due to a problem with the bind method 
> in the Mambo mosDBTable class.
>
> The potential impact of this issue is currently unknown. This BID will 
> be updated when further information is made available.
>
>


-- 

******************************************
The information contained in, or attached to, this e-mail,
may contain confidential information and is intended 
solely for the use of the individual or entity to whom 
they are addressed. If you have received this e-mail in
error you should notify the sender immediately by reply
e-mail, delete the message from your system and notify 
your system manager. Please do not copy it for any purpose,
or disclose its contents to any other person. The views
or opinions presented in this e-mail are solely those of
the author. 
******************************************
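As an added example (not part of this post, and not Mambo's own code), a small Python check that answers the question raised above, whether an installation is on 4.5.2.2 or later, by comparing version components numerically against the fixed-in version the quoted BugTraq entries give; the site inventory and the version strings other than 4.5.2.2 are constructed sample input.

```python
# Added example, not from the mailing-list post or from the Mambo project.
# Checks whether an installed Mambo version predates the fixed release named
# in the quoted BugTraq entries. Assumes purely numeric dotted versions.

from typing import Dict, Tuple

# Fixed-in version stated for BID 14117 and BID 14119 in the quoted digest.
FIXED_VERSION = "4.5.2.2"

# Advisories the digest attributes to releases earlier than 4.5.2.2.
# BID 14120 names no fixed version, so it is deliberately not listed here.
ADVISORIES = {
    14117: "Multiple Unspecified Injection Vulnerabilities",
    14119: "Session ID Spoofing Vulnerability",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '4.5.2.2' into (4, 5, 2, 2) so versions compare numerically.

    A plain string comparison would wrongly rank '4.5.10' below '4.5.2';
    integer tuples avoid that. Trailing zero components are dropped so
    '4.5.2' and '4.5.2.0' compare equal.
    """
    parts = [int(p) for p in version.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed release is older than the fixed release."""
    return parse_version(installed) < parse_version(fixed)


def pending_advisories(installed: str) -> Dict[int, str]:
    """Return the quoted advisories that still apply to this version."""
    if not is_vulnerable(installed):
        return {}
    return dict(ADVISORIES)


if __name__ == "__main__":
    # Constructed sample inventory: site name -> reported Mambo version.
    inventory = {"sgvlug-mambo": "4.5.2.1", "staging": "4.5.2.2", "dev": "4.5.3"}
    for site, ver in inventory.items():
        status = "VULNERABLE" if is_vulnerable(ver) else "ok"
        print(f"{site} {ver} {status} {sorted(pending_advisories(ver))}")
```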
