Security patches for Mambo

[counterpoint]

Although Mare.D reports all over the internet look to be based on nothing at all, there is a new security hole that has been discovered by GulfTech Research and Development and blocked by the development team. You can find the Secunia report at http://secunia.com/advisories/18935/. Please note that there are no unpatched vulnerabilities listed at Secunia or elsewhere.

There are fixes for Mambo 4.5.3 and 4.5.3h. The original upload by the Core Development Team was to the Mambo Foundation's site, with security fixes to be found at: http://source.mambo-foundation.org/R...urity_Updates/. The fix contains two replacement files.

You are advised to apply these fixes immediately. If you have an earlier version of Mambo or do not wish to apply whole modules because you have customised your Mambo, then please refer to the detailed description of the changes given below (the first three apply to /includes/mambo.php):

1) The login function: added the last of the lines below -

PHP Code:

if (!$username || !$passwd) {
echo "<script> alert(\""._LOGIN_INCOMPLETE."\"); window.history.go(-1); </script>\n";
exit();
}else {
$username = $this->_db->getEscaped($username); 


2) Modified mosMenuCheck to include a call to getEscaped -

PHP Code:

if ($task!="") {
$task = $database->getEscaped($task);
$dblink.="&task=$task";
}
$database->setQuery( "SELECT access FROM #__menu WHERE link like '$dblink%'" ); 


3) Modified _setTemplate with additional checks on the variable used within a path -

PHP Code:

$mos_change_template = mosGetParam( $_REQUEST, 'mos_change_template', $mos_user_template );
if ($mos_change_template AND strpos($mos_change_template,'..') == false AND strpos($mos_change_template,':') == false) { 


4) Modified content.php to tidy up a bit and make a call to getEscaped on the $filter variable -

PHP Code:

$and = '';
if ($filter = mosGetParam( $_POST, 'filter', '' )) {
$filter = strtolower( $filter );
$filter = $database->getEscaped($filter);
if ( $params->get( 'filter' ) ) {