| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Sat, 05 Nov 2005 15:52:27 +0300 From: Vasiliy <security@...ol.ru> To: bugtraq@...urityfocus.com Subject: Re: Mambo Open Source, Path disclosure alireza hassani wrote: > Demonstration URL : > -------------------- > http://www.example.com/mambo/index.php?option=com_content&task=section&id=1&Itemid=PATH I've just tried this on one of my "vulnerable" Mambo installations and got nothing, but the blank screen. I wonder why this happened?.. Could it be because of displaying php errors turned off as it should be done in any production environment? > Solution: > -------------------- > There is no vendor-supplied patch for this issue at > this time but we are not advising you to upgrade to > Joomla because Mambo, version 4.5.3, will be released > soon ( by the end of November this year). > 4.5.3 represents the new Team’s first consolidation > of bug fixes and includes a number of security > enhancements. Isn't this "solution" somewhat overcomplicated? If someone wants to workaround this bug, it's not necessary to upgrade. It would be enough just to follow basic security principles. -- wbr, Vasiliy
Powered by blists - more mailing lists