<<< Date Index >>>     <<< Thread Index >>>

Re: Mambo Open Source, Path disclosure



alireza hassani wrote:
> Demonstration URL :

--------------------
http://www.example.com/mambo/index.php?option=com_content&task=section&id=1&Itemid=PATH

I've just tried this on one of my "vulnerable" Mambo installations and got nothing, but the blank screen. I wonder why this happened?.. Could it be because of displaying php errors turned off as it should be done in any production environment?


Solution:
--------------------
There is no vendor-supplied patch for this issue at
this time but we are not advising you to upgrade to
Joomla because Mambo, version 4.5.3, will be released
soon ( by the end of November this year).
4.5.3 represents the new Team’s first consolidation
of bug fixes and includes a number of security
enhancements.

Isn't this "solution" somewhat overcomplicated? If someone wants to workaround this bug, it's not necessary to upgrade. It would be enough just to follow basic security principles.

--
wbr,
Vasiliy