The Joomla! Forum ™





Post new topic Reply to topic  [ 19 posts ] 
Author Message
PostPosted: Mon Jul 31, 2006 2:46 pm 
Joomla! Explorer
Joomla! Explorer

Joined: Thu Aug 18, 2005 10:40 pm
Posts: 466
Location: las vegas USA
TITLE:
Mambo MGM Component File Inclusion Vulnerability

SECUNIA ADVISORY ID:
SA21268

VERIFY ADVISORY:
http://secunia.com/advisories/21268/

CRITICAL:
Highly critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
MGM 0.x (component for Mambo)
http://secunia.com/product/11201/

DESCRIPTION:
A-S-T TEAM has discovered a vulnerability in the MGM component for
Mambo, which can be exploited by malicious people to compromise a
vulnerable system.

Input passed to the "mosConfig_absolute_path" parameter in
administrator/components/com_mgm/help.mgm.php is not properly
verified before being used to include files. This can be exploited to
execute arbitrary PHP code by including files from local or external
resources.

Successful exploitation requires that "register_globals" is enabled.

The vulnerability has been confirmed in version 0.95r2 and reported
in version 0.95r3. Other versions may also be affected.

SOLUTION:
Edit the source code to ensure that input is properly verified.

Set "register_globals" to "Off".

PROVIDED AND/OR DISCOVERED BY:
A-S-T TEAM

ORIGINAL ADVISORY:
http://milw0rm.com/exploits/2084

_________________
joomla 1.6 Türk destek sitesi http://www.joomlaturk.net/


Last edited by Tonie on Wed Sep 20, 2006 2:13 pm, edited 1 time in total.

Top
 Profile  
 
 Post subject: Mambo Gallery Manager
PostPosted: Tue Aug 01, 2006 12:13 am 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
com_mgm is Mambo Gallery Manager. It appears to have been abandoned over a year ago so if anyone is using it I recommend you delete it completely and find something else that is under active development.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Top
 Profile  
 
PostPosted: Tue Aug 01, 2006 5:16 am 
User avatar
Joomla! Ace
Joomla! Ace

Joined: Mon Dec 05, 2005 10:17 am
Posts: 1367
Location: New Orleans, LA, USA
Thanks for the information, adding to the official list.

_________________
Rob Schley - Open Source Matters
Webimagery - http://www.webimagery.net/ - Professional Consulting Services
JXtended - http://www.jxtended.com/ - Free and Commercial Joomla! Extensions


Top
 Profile  
 
PostPosted: Wed Aug 02, 2006 10:05 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Aug 02, 2006 10:01 pm
Posts: 6
Elpie wrote:
com_mgm is Mambo Gallery Manager. It appears to have been abandoned over a year ago so if anyone is using it I recommend you delete it completely and find something else that is under active development.


I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?


Top
 Profile  
 
PostPosted: Thu Aug 03, 2006 12:59 am 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
aserdaten wrote:
I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?


The one that has had exploits so far has been Mambo Gallery Manager, specifically in version 0.95r2.
Mambo Gallery Manager is an abandoned project. 

If you really do doubt the accuracy of my report all you have to do is go to security sites yourself to confirm it. mamboturk has given you links to two of them ;)

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Top
 Profile  
 
PostPosted: Thu Aug 03, 2006 2:58 am 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Aug 02, 2006 10:01 pm
Posts: 6
Elpie wrote:
aserdaten wrote:
I'm not sure this is accurate.  There's a version 0.96 out there renamed Joomla Gallery Manager.  I can't speak to the security status though - anyone know for sure?


The one that has had exploits so far has been Mambo Gallery Manager, specifically in version 0.95r2.
Mambo Gallery Manager is an abandoned project. 

If you really do doubt the accuracy of my report all you have to do is go to security sites yourself to confirm it. mamboturk has given you links to two of them ;)



In the interests of being polite perhaps I was insufficiently direct.  The inaccuracy, or at least incomplete accuracy, of your report is not in question.  There is a release numbered 0.96 RC1, called "Joomla Gallery Manager", and that release came out less than a year ago, in October.  A user named Macinhouse picked up development where Marco Antonio Regueira left off.  There is still an active message board thread about it here.

The question I have is whether or not the 0.96 RC1 release suffers from the same vulnerability as the earlier versions.  My guess is that it does suffer from that vulnerability, but I was hoping for an answer from someone actually familiar with 0.96 RC1.  With all due respect, you are obviously not that person.

So if anyone has a serious and knowledgeable response to my question, I would be very grateful to hear it.


Top
 Profile  
 
PostPosted: Thu Aug 03, 2006 6:59 am 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
Why are you asking about a different product in this thread? If you have concerns about another 3PD script, the best place to ask is in the thread for that script or directly to the developer concerned.

Whether I am familiar with the Joomla component or not is not the topic of this thread which is about the MAMBO GALLERY MANAGER.

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Top
 Profile  
 
PostPosted: Thu Aug 03, 2006 7:11 am 
User avatar
Joomla! Master
Joomla! Master
Online

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16548
I have already sent an email to the developer of the Joomla port about the security issue in question, since it is hosted on Forge. I don't know if he is actively developing the port at the moment.

_________________
Joomla forum global moderator.

Have fun


Top
 Profile  
 
PostPosted: Thu Aug 03, 2006 12:03 pm 
Joomla! Apprentice
Joomla! Apprentice

Joined: Wed Aug 02, 2006 10:01 pm
Posts: 6
Thank you, Tonie.


Top
 Profile  
 
PostPosted: Sat Aug 12, 2006 7:43 pm 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu Aug 18, 2005 6:32 am
Posts: 374
Location: Yorkshire, UK
So did anyone identify if 0.96 is affected>  Elpie, why the rather short response to the original poster.  Renaming a piece of code doesn't make it a new piece of code.

_________________
http://www.brilliantliving.co.uk - Smart Home technology and lighting design powered by Joomla!


Top
 Profile  
 
PostPosted: Sun Aug 13, 2006 2:36 am 
User avatar
Joomla! Guru
Joomla! Guru

Joined: Wed Aug 17, 2005 11:26 pm
Posts: 903
iainshaw wrote:
So did anyone identify if 0.96 is affected>  Elpie, why the rather short response to the original poster.  Renaming a piece of code doesn't make it a new piece of code.


Ian, the topic of this thread is the Mambo MGM Component. It is clearly about vulnerabilities in the now-abandoned Mambo script and relates to  versions 0.95r2 and 0.95r3. At time of writing, I stated that the Mambo script had not been updated in over a year. The poster who raised the issue of whether Joomla Gallery Manager was also affected clearly did not read the original post in this thread but chose instead to say that he doubted the accuracy of my report. I merely emphasised that the thread topic is about the Mambo component. 

_________________
For Mambo assistance: http://forum.mambo-foundation.org
Open Source Research & Best Practice: http://osprojects.info


Top
 Profile  
 
PostPosted: Sun Aug 13, 2006 7:18 am 
User avatar
Joomla! Master
Joomla! Master
Online

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16548
A followup on the Joomla version. There has been one release of the Joomla version, looking at the description it is a port only. As stated before, I sent an email to the developer. I haven't received anything back in ten days now. The Joomla version of MGM has therefore been set to "project member access only".

_________________
Joomla forum global moderator.

Have fun


Top
 Profile  
 
PostPosted: Sun Aug 13, 2006 7:48 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu Aug 18, 2005 6:32 am
Posts: 374
Location: Yorkshire, UK
Elpie, I think you're doing great work here.  And my reply was rather lazy.  I've had a look at MGM 0.96 RC1 and I'd say it has the same vulnerability.  Damn!

_________________
http://www.brilliantliving.co.uk - Smart Home technology and lighting design powered by Joomla!


Top
 Profile  
 
PostPosted: Tue Sep 19, 2006 9:48 pm 
User avatar
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Mon Aug 22, 2005 10:19 pm
Posts: 103
Too bad... MGM is great, it does things that no other component does... It looks like the solution to the problem is quite easy


Top
 Profile  
 
PostPosted: Wed Sep 20, 2006 5:40 am 
User avatar
Joomla! Master
Joomla! Master
Online

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16548
The security issues in question have been fixed, the project is also visible again here: http://forge.joomla.org/sf/frs/do/viewS ... anager/frs

_________________
Joomla forum global moderator.

Have fun


Top
 Profile  
 
PostPosted: Wed Sep 20, 2006 1:27 pm 
User avatar
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Mon Aug 22, 2005 10:19 pm
Posts: 103
Thanks a lot for the information Tonie, I really appreciate to be able to continue using MGM


Top
 Profile  
 
PostPosted: Wed Sep 20, 2006 2:12 pm 
User avatar
Joomla! Master
Joomla! Master
Online

Joined: Thu Aug 18, 2005 7:13 am
Posts: 16548
Will change the title of the topic to reflect this.

_________________
Joomla forum global moderator.

Have fun


Top
 Profile  
 
PostPosted: Sat Sep 23, 2006 6:40 am 
User avatar
Joomla! Explorer
Joomla! Explorer

Joined: Thu Aug 25, 2005 3:29 pm
Posts: 438
Location: Adelaide, South Australia
Tonie wrote:
The security issues in question have been fixed, the project is also visible again here: http://forge.joomla.org/sf/frs/do/viewS ... anager/frs

Umm, System message says:
Quote:
http://forge.joomla.org/sf/frs/do/selectReleases/projects.mgm_joomla_gallery_manager/frs.mgm_security_patch
The page you requested cannot be found.


I really liked the way this Gallery worked so if it is now safe to use that would be great. I really don't want to have to learn another Gallery unless it is just a simple to set up and get working as this one was.

_________________
Cheers, Ian
"Always remember. Love is the purest feeling, the wisest thought and the strongest reason. Always!"
by Sea-Life
Do Not PM me looking for Help! Un-requested Help PM's will be Deleted Unread, and your ID added to my Ignore List


Top
 Profile  
 
PostPosted: Thu Mar 27, 2008 2:06 pm 
User avatar
Joomla! Enthusiast
Joomla! Enthusiast

Joined: Mon Mar 13, 2006 9:35 pm
Posts: 192
Location: New Jersey, US
MGM is back in action - they released a patch in December 2007, MGM v0.96 patch level 2:

http://www.macinhouse.com/mgm/component ... /Itemid,1/

-Eddie


Top
 Profile  
 
Display posts from previous:  Sort by  
Post new topic Reply to topic  [ 19 posts ] 



Who is online

Users browsing this forum: No registered users and 4 guests


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Jump to:  
Powered by phpBB® Forum Software © phpBB Group