Please upgrade your sites to Mambo 4.6.4

This is a discussion on Please upgrade your sites to Mambo 4.6.4 within the Mambo Security Announcements forums for Mambo.
Mambo Guru
Forum Admin
Join Date: Jul 2006
Location: New Zealand
Posts: 10,004
Please upgrade your sites to Mambo 4.6.4
Mambo 4.6.4 has been released. You can read the forum announcement here: http://forum.mambo-foundation.org/sh...ad.php?p=62251 and the full announcement on The Source, here: http://source.mambo-foundation.org/content/view/141/1/
This is an important security and maintenance upgrade. Three serious security vulnerabilities have been fixed in Mambo 4.6.4. All users of Mambo 4.6.+ are urged to upgrade as soon as possible. While there have been no reports of exploits at this time, the potential for exploits is high.

The security risks in earlier versions of Mambo have been identified as follows:

1. SQL Injection
================
There is potential for SQL injection. Successful exploitation requires that "magic_quotes_gpc" is disabled.

2. CRLF injection/HTTP response splitting
=========================================
Risk of insertion of data into headers through a remote attack.

3. Cross-Site Scripting Vulnerability in MOStlyCE <=3.0
=======================================================
The Mambo Team released MOStlyCE 3.0 as an independent upgrade some time ago following the discovery of multiple vulnerabilities. Mambo 4.6.4 includes MOStlyCE 3.05. If you are not running MOStlyCE 3.05 already, then you will need to ensure that your editor is upgraded.

Users of Mambo Lite who have installed optional core extensions will need to ensure they update the following extensions:
__________________
Mambo Tutorials on: http://lynnepope.net/topics/mambo-tutorials
Mambo wiki: http://mambo-manual.org/
Follow me: http://twitter.com/elpie