[ABANDONED] Mambo MGM Vulnerability --> Joomla fork with fixes available

For all Non-Joomla! security issues. ie 3pd Components etc.
joomlaturk
Joomla! Explorer
Joomla! Explorer
Posts: 469
Joined: Thu Aug 18, 2005 10:40 pm
Location: las vegas USA
Contact:

[ABANDONED] Mambo MGM Vulnerability --> Joomla fork with fixes available

Postby joomlaturk » Mon Jul 31, 2006 2:46 pm

TITLE:
Mambo MGM Component File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA21268

VERIFY ADVISORY:
http://secunia.com/advisories/21268/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
MGM 0.x (component for Mambo)
http://secunia.com/product/11201/

DESCRIPTION:
A-S-T TEAM has discovered a vulnerability in the MGM component for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in
administrator/components/com_mgm/help.mgm.php is not properly
verified before being used to include files. This can be exploited to
execute arbitrary PHP code by including files from local or external
resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 0.95r2 and reported
in version 0.95r3. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY:
A-S-T TEAM

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/2084
Last edited by Tonie on Wed Sep 20, 2006 2:13 pm, edited 1 time in total.
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Mambo Gallery Manager

Postby Elpie » Tue Aug 01, 2006 12:13 am

com_mgm is Mambo Gallery Manager. It appears to have been abandoned over a year ago so if anyone is using it I recommend you delete it completely and find something else that is under active development.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
RobS
Joomla! Ace
Joomla! Ace
Posts: 1367
Joined: Mon Dec 05, 2005 10:17 am
Location: New Orleans, LA, USA
Contact:

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby RobS » Tue Aug 01, 2006 5:16 am

Thanks for the information, adding to the official list.
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions

aserdaten
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Wed Aug 02, 2006 10:01 pm

Re: Mambo Gallery Manager

Postby aserdaten » Wed Aug 02, 2006 10:05 pm

Elpie wrote:com_mgm is Mambo Gallery Manager. It appears to have been abandoned over a year ago so if anyone is using it I recommend you delete it completely and find something else that is under active development.


I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: Mambo Gallery Manager

Postby Elpie » Thu Aug 03, 2006 12:59 am

aserdaten wrote:I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?


The one that has had exploits so far has been Mambo Gallery Manager, specifically in version 0.95r2.
Mambo Gallery Manager is an abandoned project. 

If you really do doubt the accuracy of my report all you have to do is go to security sites yourself to confirm it. mamboturk has given you links to two of them ;)
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

aserdaten
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Wed Aug 02, 2006 10:01 pm

Re: Mambo Gallery Manager

Postby aserdaten » Thu Aug 03, 2006 2:58 am

Elpie wrote:
aserdaten wrote:I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?


The one that has had exploits so far has been Mambo Gallery Manager, specifically in version 0.95r2.
Mambo Gallery Manager is an abandoned project. 

If you really do doubt the accuracy of my report all you have to do is go to security sites yourself to confirm it. mamboturk has given you links to two of them ;)



In the interests of being polite perhaps I was insufficiently direct.  The inaccuracy, or at least incomplete accuracy, of your report is not in question.  There is a release numbered 0.96 RC1, called "Joomla Gallery Manager", and that release came out less than a year ago, in October.  A user named Macinhouse picked up development where Marco Antonio Regueira left off.  There is still an active message board thread about it here.

The question I have is whether or not the 0.96 RC1 release suffers from the same vulnerability as the earlier versions.  My guess is that it does suffer from that vulnerability, but I was hoping for an answer from someone actually familiar with 0.96 RC1.  With all due respect, you are obviously not that person.

So if anyone has a serious and knowledgeable response to my question, I would be very grateful to hear it.

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby Elpie » Thu Aug 03, 2006 6:59 am

Why are you asking about a different product in this thread? If you have concerns about another 3PD script, the best place to ask is in the thread for that script or directly to the developer concerned.

Whether I am familiar with the Joomla component or not is not the topic of this thread which is about the MAMBO GALLERY MANAGER.
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby Tonie » Thu Aug 03, 2006 7:11 am

I have already sent an email to the developer of the Joomla port about the security issue in question, since it is hosted on Forge. I don't know if he is actively developing the port at the moment.

aserdaten
Joomla! Apprentice
Joomla! Apprentice
Posts: 6
Joined: Wed Aug 02, 2006 10:01 pm

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby aserdaten » Thu Aug 03, 2006 12:03 pm

Thank you, Tonie.

User avatar
iainshaw
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 6:32 am
Location: Yorkshire, UK
Contact:

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby iainshaw » Sat Aug 12, 2006 7:43 pm

So did anyone identify if 0.96 is affected>  Elpie, why the rather short response to the original poster.  Renaming a piece of code doesn't make it a new piece of code.
http://www.brilliantliving.co.uk - Smart Home technology and lighting design powered by Joomla!

User avatar
Elpie
Joomla! Guru
Joomla! Guru
Posts: 903
Joined: Wed Aug 17, 2005 11:26 pm
Contact:

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby Elpie » Sun Aug 13, 2006 2:36 am

iainshaw wrote:So did anyone identify if 0.96 is affected>  Elpie, why the rather short response to the original poster.  Renaming a piece of code doesn't make it a new piece of code.


Ian, the topic of this thread is the Mambo MGM Component. It is clearly about vulnerabilities in the now-abandoned Mambo script and relates to  versions 0.95r2 and 0.95r3. At time of writing, I stated that the Mambo script had not been updated in over a year. The poster who raised the issue of whether Joomla Gallery Manager was also affected clearly did not read the original post in this thread but chose instead to say that he doubted the accuracy of my report. I merely emphasised that the thread topic is about the Mambo component. 
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby Tonie » Sun Aug 13, 2006 7:18 am

A followup on the Joomla version. There has been one release of the Joomla version, looking at the description it is a port only. As stated before, I sent an email to the developer. I haven't received anything back in ten days now. The Joomla version of MGM has therefore been set to "project member access only".

User avatar
iainshaw
Joomla! Explorer
Joomla! Explorer
Posts: 374
Joined: Thu Aug 18, 2005 6:32 am
Location: Yorkshire, UK
Contact:

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby iainshaw » Sun Aug 13, 2006 7:48 am

Elpie, I think you're doing great work here.  And my reply was rather lazy.  I've had a look at MGM 0.96 RC1 and I'd say it has the same vulnerability.  Damn!
http://www.brilliantliving.co.uk - Smart Home technology and lighting design powered by Joomla!

User avatar
ganar
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 103
Joined: Mon Aug 22, 2005 10:19 pm
Contact:

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby ganar » Tue Sep 19, 2006 9:48 pm

Too bad... MGM is great, it does things that no other component does... It looks like the solution to the problem is quite easy

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby Tonie » Wed Sep 20, 2006 5:40 am

The security issues in question have been fixed, the project is also visible again here: http://forge.joomla.org/sf/frs/do/viewS ... anager/frs

User avatar
ganar
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 103
Joined: Mon Aug 22, 2005 10:19 pm
Contact:

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby ganar » Wed Sep 20, 2006 1:27 pm

Thanks a lot for the information Tonie, I really appreciate to be able to continue using MGM

User avatar
Tonie
Joomla! Master
Joomla! Master
Posts: 16584
Joined: Thu Aug 18, 2005 7:13 am

Re: [ABANDONED] Mambo MGM Component File Inclusion Vulnerability

Postby Tonie » Wed Sep 20, 2006 2:12 pm

Will change the title of the topic to reflect this.

User avatar
ilox
Joomla! Explorer
Joomla! Explorer
Posts: 441
Joined: Thu Aug 25, 2005 3:29 pm
Location: Adelaide, South Australia
Contact:

Re: [ABANDONED] Mambo MGM Vulnerability --> Joomla fork with fixes available

Postby ilox » Sat Sep 23, 2006 6:40 am

Tonie wrote:The security issues in question have been fixed, the project is also visible again here: http://forge.joomla.org/sf/frs/do/viewS ... anager/frs

Umm, System message says:
http://forge.joomla.org/sf/frs/do/selectReleases/projects.mgm_joomla_gallery_manager/frs.mgm_security_patch
The page you requested cannot be found.


I really liked the way this Gallery worked so if it is now safe to use that would be great. I really don't want to have to learn another Gallery unless it is just a simple to set up and get working as this one was.
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life

User avatar
konczal
Joomla! Enthusiast
Joomla! Enthusiast
Posts: 221
Joined: Mon Mar 13, 2006 9:35 pm
Location: New Jersey, US

Re: [ABANDONED] Mambo MGM Vulnerability --> Joomla fork with fix

Postby konczal » Thu Mar 27, 2008 2:06 pm

MGM is back in action - they released a patch in December 2007, MGM v0.96 patch level 2:

http://www.macinhouse.com/mgm/component ... /Itemid,1/

-Eddie


Return to “3rd Party/Non Joomla! Security Issues”

Who is online

Users browsing this forum: No registered users and 2 guests