Re: Mambo Open Source, Path disclosure

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Mambo Open Source, Path disclosure
From: Vasiliy <security@xxxxxxxx>
Date: Sat, 05 Nov 2005 15:52:27 +0300
In-reply-to: <20051102172806.26683.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <20051102172806.26683.qmail@xxxxxxxxxxxxxxxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.7 (Windows/20050923)

alireza hassani wrote:
> Demonstration URL :

--------------------
http://www.example.com/mambo/index.php?option=com_content&task=section&id=1&Itemid=PATH

I've just tried this on one of my "vulnerable" Mambo installationsand got nothing, but the blank screen. I wonder why this happened?..Could it be because of displaying php errors turned off as it should bedone in any production environment?

Solution:
--------------------
There is no vendor-supplied patch for this issue at
this time but we are not advising you to upgrade to
Joomla because Mambo, version 4.5.3, will be released
soon ( by the end of November this year).
4.5.3 represents the new Teamâ€™s first consolidation
of bug fixes and includes a number of security

enhancements.

Isn't this "solution" somewhat overcomplicated? If someone wants toworkaround this bug, it's not necessary to upgrade. It would be enoughjust to follow basic security principles.


--
wbr,
Vasiliy

References:
- Mambo Open Source, Path disclosure
  - From: alireza hassani

Prev by Date: Sql injection in ibProArcade
Next by Date: Zoomblog <IMG> BBCode Tag JavaScript Injection Vulnerability
Previous by thread: Mambo Open Source, Path disclosure
Next by thread: Re: Re: Mambo Open Source, Path disclosure
Index(es):
- Date
- Thread