Date: 16 January 2008
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AA-2008.0010 AUSCERT Advisory
[Win][UNIX/Linux]
Denial of Service (Dos) vulnerability reported in Mambo
16 January 2008
- ---------------------------------------------------------------------------
AusCERT Advisory Summary
------------------------
Product: Mambo
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact: Denial of Service
Access: Remote/Unauthenticated
CVE Names: CVE-2008-0261
Member content until: Wednesday, February 13 2008
OVERVIEW:
A vulnerability has been reported in Mambo that if successfully
exploited can result in a remotely executed denial of service
(DoS).
IMPACT:
Mambo released the following information regarding this
vulnerability:
"Team Mambo was alerted to a security vulnerability in the search
component and module that generates a large number of queries if
certain strings are input. This creates a major impact on the
server's available resources and can lead to the site going down.
While we intend to have two new releases out within this next week,
the search vulnerability is of enough concern that we have just
released a patch. This vulnerability affects all versions of Mambo.
It may also affect other CMS that are based on the Mambo code." [1]
MITIGATION:
For users of version 4.5.5 the patch is available at:
http://mambo-code.org/gf/download/frsrelease/298/542/20080110-Mambo45x -SearchPatch.zip
For users of version 4.6 the patch is available at:
http://mambo-code.org/gf/download/frsrelease/298/544/20080110-Mambo46x -SearchPatch.zip
REFERENCES:
[1] Mambo CMS Forum
http://forum.mambo-foundation.org/showthread.php?t=9651
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBR42BXyh9+71yA2DNAQJgogP/Qz626bLKnL5wvI9xCo5KJLqHKK8FKojn
N2fF4Vrnti0kntg/MIWhp70pWlp1myQarls1HF2luYO/bJkgQ6EglBNheBJTl2zM
y1YgEe4KZ6geiBsrBVsM0BHIq+pnCSjXrKydv+pPtifRrtYuW5wvgSFyxmKSXAUp
yk5zgVdfiiM=
=mK8F
-----END PGP SIGNATURE-----
|