Date: Mon, 28 Nov 2005 10:57:17 GMT
From: Francisco Alves Cabrita <include@npf.deec.uc.pt>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/89665: [Security Update]: www/mambo
Message-ID: <200511281057.jASAvHLZ014605@www.freebsd.org>
Resent-Message-ID: <200511281100.jASB0Hwg086900@freefall.freebsd.org>

>Number: 89665
>Category: ports
>Synopsis: [Security Update]: www/mambo
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 28 11:00:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Francisco Alves Cabrita
>Release: FreeBSD 6.0-STABLE
>Organization: Núcleo Português de FreeBSD
>Environment:
FreeBSD fac.e10.pt 6.0-STABLE FreeBSD 6.0-STABLE #0: Fri Nov 25 16:42:45 WET 2005 fac@fac.e10.pt:/usr/obj/usr/src/sys/MOBILE i386
>Description:
There has been a spate of attacks on Mambo sites in the last few days. These have been serious, in that they involved running arbitrary PHP code in the site attacked. This means that the security of information may have been compromised, and back door code may have been installed. Anyone who has been attacked should take great care to ensure that their site has been thoroughly restored to a safe condition. If advice is needed, please post in the Mambo forums.

http://www.mamboserver.com/index.php?option=com_content&task=view&id=172&Itemid=1
>How-To-Repeat:
>Fix:
This patch blocks exploits that attempt to set a value for the global used to indicate where code is to be loaded. By doing this, the exploits allow arbitrary code to be loaded from a web site under the hacker's control.

Makefile:

EXTRACT_DEPENDS=	unzip:${PORTSDIR}/archivers/unzip

NO_BUILD=	yes
USE_MYSQL=	yes
USE_PHP=	mysql session zlib gd pdf xml pcre
WANT_PHP_WEB=	yes

PKGMESSAGE=	${WRKDIR}/pkg-message
SUB_FILES=	pkg-message
SUB_LIST+=	MAMBO_DIR=${MAMBO_DIR}
PLIST_SUB+=	MAMBO_DIR=${MAMBO_DIR}

MAMBO_DIR?=	www/${PORTNAME}
DIST_SUBDIR=	${PORTNAME}
MAMBO_SRC=	MamboV4.5.3-stable.tar.gz
MAMBO_PATCH1=	Mambo4523.security_fix.zip

do-extract:
	@${MKDIR} ${WRKSRC}
	@${TAR} -zxf ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_SRC} -C ${WRKSRC}
	@${UNZIP_CMD} -qo ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_PATCH1} -d ${WRKSRC}
	@${RM} -rf ${WRKSRC}/templates/rhuk_solarflare # remove empty

do-install:
	@${MKDIR} ${PREFIX}/${MAMBO_DIR}
	@cd ${WRKSRC} && \
		${FIND} . -type d -exec ${MKDIR} ${PREFIX}/${MAMBO_DIR}/{} \; \
		-exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;
	@cd ${WRKSRC} && \
		${FIND} . \! -type d -exec ${INSTALL_DATA} {} ${PREFIX}/${MAMBO_DIR}/{} \; \
		-exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;

post-install:
	@${CAT} ${PKGMESSAGE}

.include <bsd.port.mk>

distinfo:

EXTRACT_DEPENDS=	unzip:${PORTSDIR}/archivers/unzip

NO_BUILD=	yes
USE_MYSQL=	yes
USE_PHP=	mysql session zlib gd pdf xml pcre
WANT_PHP_WEB=	yes

PKGMESSAGE=	${WRKDIR}/pkg-message
SUB_FILES=	pkg-message
SUB_LIST+=	MAMBO_DIR=${MAMBO_DIR}
PLIST_SUB+=	MAMBO_DIR=${MAMBO_DIR}

MAMBO_DIR?=	www/${PORTNAME}
DIST_SUBDIR=	${PORTNAME}
MAMBO_SRC=	MamboV4.5.3-stable.tar.gz
MAMBO_PATCH1=	Mambo4523.security_fix.zip

do-extract:
	@${MKDIR} ${WRKSRC}
	@${TAR} -zxf ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_SRC} -C ${WRKSRC}
	@${UNZIP_CMD} -qo ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_PATCH1} -d ${WRKSRC}
	@${RM} -rf ${WRKSRC}/templates/rhuk_solarflare # remove empty

do-install:
	@${MKDIR} ${PREFIX}/${MAMBO_DIR}
	@cd ${WRKSRC} && \
		${FIND} . -type d -exec ${MKDIR} ${PREFIX}/${MAMBO_DIR}/{} \; \
		-exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;
	@cd ${WRKSRC} && \
		${FIND} . \! -type d -exec ${INSTALL_DATA} {} ${PREFIX}/${MAMBO_DIR}/{} \; \
		-exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;

post-install:
	@${CAT} ${PKGMESSAGE}

.include <bsd.port.mk>

pkg-plist:

EXTRACT_DEPENDS=	unzip:${PORTSDIR}/archivers/unzip

NO_BUILD=	yes
USE_MYSQL=	yes
USE_PHP=	mysql session zlib gd pdf xml pcre
WANT_PHP_WEB=	yes

PKGMESSAGE=	${WRKDIR}/pkg-message
SUB_FILES=	pkg-message
SUB_LIST+=	MAMBO_DIR=${MAMBO_DIR}
PLIST_SUB+=	MAMBO_DIR=${MAMBO_DIR}

MAMBO_DIR?=	www/${PORTNAME}
DIST_SUBDIR=	${PORTNAME}
MAMBO_SRC=	MamboV4.5.3-stable.tar.gz
MAMBO_PATCH1=	Mambo4523.security_fix.zip

do-extract:
	@${MKDIR} ${WRKSRC}
	@${TAR} -zxf ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_SRC} -C ${WRKSRC}
	@${UNZIP_CMD} -qo ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_PATCH1} -d ${WRKSRC}
	@${RM} -rf ${WRKSRC}/templates/rhuk_solarflare # remove empty

do-install:
	@${MKDIR} ${PREFIX}/${MAMBO_DIR}
	@cd ${WRKSRC} && \
		${FIND} . -type d -exec ${MKDIR} ${PREFIX}/${MAMBO_DIR}/{} \; \
		-exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;
	@cd ${WRKSRC} && \
		${FIND} . \! -type d -exec ${INSTALL_DATA} {} ${PREFIX}/${MAMBO_DIR}/{} \; \
		-exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;

post-install:
	@${CAT} ${PKGMESSAGE}

.include <bsd.port.mk>

Thanks in advance
Francisco Alves Cabrita
>Release-Note:
>Audit-Trail:
>Unformatted:
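
The report above asks affected sites to check whether they were attacked through requests that set the code-location global. As an added example (not part of the original report and not Mambo's code), this script scans web-server access logs for such requests; `app_include_path` is a hypothetical stand-in for the global, which the report does not name, and the log lines are constructed.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Names a request must never be allowed to set. "app_include_path" is a
# hypothetical stand-in for the include-path global (assumption, not from the report).
PROTECTED = {"globals", "app_include_path"}
REMOTE = re.compile(r"^\s*(?:https?|ftp)://", re.IGNORECASE)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/\d\.\d"')

def name_parts(param):
    """Split PHP array syntax: 'GLOBALS[a][b]' -> ['globals', 'a', 'b']."""
    return [p.lower() for p in re.findall(r"[^\[\]]+", param)]

def findings(line):
    """Return (reason, parameter) pairs for one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    hits = []
    # parse_qsl percent-decodes names and values, so encoded forms match too.
    query = urlsplit(match.group(1)).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        if PROTECTED.intersection(name_parts(name)):
            reason = "remote-include" if REMOTE.match(value) else "global-set"
            hits.append((reason, name))
    return hits

def scan(lines):
    """Map client address -> findings, for lines with at least one finding."""
    report = {}
    for line in lines:
        hits = findings(line)
        if hits:
            report.setdefault(line.split(" ", 1)[0], []).extend(hits)
    return report

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [28/Nov/2005:10:01:02 +0000] "GET /index.php?option=com_content&task=view&id=172&Itemid=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [28/Nov/2005:10:02:11 +0000] "GET /index.php?option=com_content&app_include_path=http://example.invalid/ HTTP/1.0" 200 298',
    '198.51.100.7 - - [28/Nov/2005:10:02:15 +0000] "GET /index.php?GLOBALS%5Bapp_include_path%5D=http%3A%2F%2Fexample.invalid%2F HTTP/1.0" 200 312',
    '203.0.113.5 - - [28/Nov/2005:10:03:40 +0000] "GET /index.php?app_include_path= HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for client, hits in scan(SAMPLE).items():
        print(client, hits)
```

Access logs normally record only the query string, so the same parameter sent in a POST body or cookie will not show up in this scan.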