Joomla! Discussion Forums



Posted: Tue Feb 21, 2006 10:13 pm 
2006-02-21 - Joomla! 1.0.x is not affected by recent Mambo Vulnerability

There is some concern in the community about the recent vulnerability that affects the Mambo codebase as announced on the Mambo homepage and here:
http://forum.mamboserver.com/showthread ... post335532

Our internal testing and direct contact with GulfTech Research And Development - the discoverer of the Mambo vulnerability - has confirmed that the vulnerability does NOT affect the Joomla! 1.0.x codebase. This security weakness was addressed in Joomla! 1.0.0.

However, you need to ensure that you are at least running Joomla! 1.0.4, as 1.0.3 and below are vulnerable to an unrelated Critical Level security threat as explained in the 1.0.4 release article:
http://www.joomla.org/content/view/498/74/
Critical is Joomla!'s highest security rating and represents a security vulnerability that can lead to a site loss.

1.0.8 will be out very shortly and all Joomla! users should upgrade to this version.


This is a direct copy of my blog post here:
http://dev.joomla.org/component/option, ... d,33/p,35/

_________________
God grant me the Serenity to Accept the things I cannot change, the Courage to change the things I can and the Wisdom to know the Difference.


Last edited by Hackwar on Thu Jul 13, 2006 10:27 am, edited 1 time in total.

Posted: Wed Feb 22, 2006 6:14 pm 
2006-02-20 - Joomla not affected by report about Linux worm targeting Mambo

There is some concern in the community about recent reports over the Electronic press about a Linux worm that utilizes a security flaw in Mambo reported by F-Secure, as can be seen by these 2 reports:
http://www.theregister.co.uk/2006/02/20/linux_worm/
http://www.infoworld.com/article/06/02/ ... 2006-02-27



This is an OLD vulnerability.
This vulnerability does NOT affect the latest versions of Mambo or Joomla!

It also has NOTHING to do with a recent vulnerability in Mambo found by Gulftech, which I blogged here:
http://dev.joomla.org/component/option, ... d,33/p,35/

This vulnerability only affects Mambo 4.5.2.0 and was fixed in Mambo 4.5.2.1 on 25th of February 2005:
http://secunia.com/advisories/14337



This means this is a bug now a year old. The only way this vulnerability can be exploited is if you are using Mambo 4.5.2.0 - if you are, you MUST upgrade to the latest version of Mambo, which is Mambo 4.5.3h + security patch 1. Otherwise I would suggest migrating to Joomla 1.0.7, the instructions for which can be found here:
http://help.joomla.org/content/view/818/132/



This is an exact copy of my blog here:
http://dev.joomla.org/component/option, ... d,33/p,36/

_________________
God grant me the Serenity to Accept the things I cannot change, the Courage to change the things I can and the Wisdom to know the Difference.


Last edited by Tonie on Sun Apr 16, 2006 9:59 am, edited 1 time in total.

Posted: Fri Mar 03, 2006 6:41 pm 
2006-03-03 - Latest Secunia Advisory is based on 1.0.8 Release information

http://dev.joomla.org/component/option, ... d,33/p,56/
Quote:
Secunia has released a new security advisory, however if you are running Joomla! 1.0.8 you have NOTHING to worry about:
http://secunia.com/advisories/19105/

In fact their advisory is based on our official Joomla! 1.0.8 Release information, as can be read via this line:
Quote:
  Provided and/or discovered by:
    Reported by the vendor.

Basically it means that they have taken our information here
http://www.joomla.org/content/view/940/74/1/3/
to create their report.

So if you are running Joomla! 1.0.8, NONE of these vulnerabilities affect you, as 1.0.8 was specifically released to correct these vulnerabilities.

_________________
God grant me the Serenity to Accept the things I cannot change, the Courage to change the things I can and the Wisdom to know the Difference.


Last edited by Tonie on Sun Apr 16, 2006 10:00 am, edited 1 time in total.

Posted: Mon Mar 13, 2006 5:52 pm 
2006-03-13 - Joomla! 1.0.3 and below is vulnerable to a CRITICAL Security flaw
If you are running Joomla! 1.0.3, 1.0.2, 1.0.1 or 1.0.0 then you MUST upgrade to at LEAST 1.0.4

Joomla! 1.0.3 and below are vulnerable to a CRITICAL LEVEL security threat.
Critical is the highest security rating we give to a vulnerability.

This vulnerability can lead to your site being hacked/attacked by malicious users and lead to a loss of control of your site.
There have been confirmed reports of sites running these versions of Joomla! being attacked by this vulnerability and there are automated scripts that parse the internet and automatically test sites for this vulnerability - even non-joomla sites.

We highly recommend you upgrade to the latest version of Joomla!:
http://www.joomla.org/content/blogcategory/32/66/

The succeeding versions of Joomla! have additional lower level security fixes.

_________________
God grant me the Serenity to Accept the things I cannot change, the Courage to change the things I can and the Wisdom to know the Difference.


Last edited by Tonie on Sun Apr 16, 2006 10:00 am, edited 1 time in total.

Posted: Thu Jul 13, 2006 10:26 am 
In all Joomla! versions up to 1.0.9 there have been two security vulnerabilities. One of these was a High Level Security threat, therefore we strongly advise you to upgrade to at least 1.0.10!!

Vulnerabilities:

SQL Injection into Weblinks component
This vulnerability is of a very critical nature and could allow people direct access to your site. This also affects your site when the component is not published! Read more about it here. This has been fixed in Joomla! 1.0.10!

XSS Cross-Site Scripting vulnerability
This is a Low Level security threat. Read more about it here

We highly recommend you upgrade to the latest version of Joomla!:
http://www.joomla.org/content/blogcategory/32/66/

The succeeding versions of Joomla! have additional lower level security fixes.

_________________
god doesn't play dice with the universe. not after that drunken night with the devil where he lost classical mechanics in a game of craps.

Since the creation of the Internet, the Earth's rotation has been fueled, primarily, by the collective spinning of English teachers in their graves.

