Joomla! Forum - community, help and support

TITLE:
Mambo MGM Component File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA21268

VERIFY ADVISORY:
http://secunia.com/advisories/21268/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
MGM 0.x (component for Mambo)
http://secunia.com/product/11201/

DESCRIPTION:
A-S-T TEAM has discovered a vulnerability in the MGM component for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in
administrator/components/com_mgm/help.mgm.php is not properly
verified before being used to include files. This can be exploited to
execute arbitrary PHP code by including files from local or external
resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 0.95r2 and reported
in version 0.95r3. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY:
A-S-T TEAM

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/2084

com_mgm is Mambo Gallery Manager. It appears to have been abandoned over a year ago so if anyone is using it I recommend you delete it completely and find something else that is under active development.

Thanks for the information, adding to the official list.

Elpie wrote: com_mgm is Mambo Gallery Manager. It appears to have been abandoned over a year ago so if anyone is using it I recommend you delete it completely and find something else that is under active development.

I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?

aserdaten wrote: I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?

The one that has had exploits so far has been Mambo Gallery Manager, specifically in version 0.95r2.
Mambo Gallery Manager is an abandoned project. 

If you really do doubt the accuracy of my report all you have to do is go to security sites yourself to confirm it. mamboturk has given you links to two of them

Elpie wrote:

aserdaten wrote: I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?

The one that has had exploits so far has been Mambo Gallery Manager, specifically in version 0.95r2.
Mambo Gallery Manager is an abandoned project. 

If you really do doubt the accuracy of my report all you have to do is go to security sites yourself to confirm it. mamboturk has given you links to two of them

In the interests of being polite perhaps I was insufficiently direct.  The inaccuracy, or at least incomplete accuracy, of your report is not in question.  There is a release numbered 0.96 RC1, called "Joomla Gallery Manager", and that release came out less than a year ago, in October.  A user named Macinhouse picked up development where Marco Antonio Regueira left off.  There is still an active message board thread about it here.

The question I have is whether or not the 0.96 RC1 release suffers from the same vulnerability as the earlier versions.  My guess is that it does suffer from that vulnerability, but I was hoping for an answer from someone actually familiar with 0.96 RC1.  With all due respect, you are obviously not that person.

So if anyone has a serious and knowledgeable response to my question, I would be very grateful to hear it.

Why are you asking about a different product in this thread? If you have concerns about another 3PD script, the best place to ask is in the thread for that script or directly to the developer concerned.

Whether I am familiar with the Joomla component or not is not the topic of this thread which is about the MAMBO GALLERY MANAGER.

I have already sent an email to the developer of the Joomla port about the security issue in question, since it is hosted on Forge. I don't know if he is actively developing the port at the moment.

Thank you, Tonie.

So did anyone identify if 0.96 is affected>  Elpie, why the rather short response to the original poster.  Renaming a piece of code doesn't make it a new piece of code.

iainshaw wrote: So did anyone identify if 0.96 is affected>  Elpie, why the rather short response to the original poster.  Renaming a piece of code doesn't make it a new piece of code.

Ian, the topic of this thread is the Mambo MGM Component. It is clearly about vulnerabilities in the now-abandoned Mambo script and relates to  versions 0.95r2 and 0.95r3. At time of writing, I stated that the Mambo script had not been updated in over a year. The poster who raised the issue of whether Joomla Gallery Manager was also affected clearly did not read the original post in this thread but chose instead to say that he doubted the accuracy of my report. I merely emphasised that the thread topic is about the Mambo component. 

A followup on the Joomla version. There has been one release of the Joomla version, looking at the description it is a port only. As stated before, I sent an email to the developer. I haven't received anything back in ten days now. The Joomla version of MGM has therefore been set to "project member access only".

Elpie, I think you're doing great work here.  And my reply was rather lazy.  I've had a look at MGM 0.96 RC1 and I'd say it has the same vulnerability.  Damn!

Too bad... MGM is great, it does things that no other component does... It looks like the solution to the problem is quite easy

The security issues in question have been fixed, the project is also visible again here: http://forge.joomla.org/sf/frs/do/viewS ... anager/frs

Thanks a lot for the information Tonie, I really appreciate to be able to continue using MGM

Will change the title of the topic to reflect this.

Tonie wrote: The security issues in question have been fixed, the project is also visible again here: http://forge.joomla.org/sf/frs/do/viewS ... anager/frs

Umm, System message says:

http://forge.joomla.org/sf/frs/do/selec ... rity_patch
The page you requested cannot be found.

I really liked the way this Gallery worked so if it is now safe to use that would be great. I really don't want to have to learn another Gallery unless it is just a simple to set up and get working as this one was.

MGM is back in action - they released a patch in December 2007, MGM v0.96 patch level 2:

http://www.macinhouse.com/mgm/component ... /Itemid,1/

-Eddie