Bug 100044

Summary: [maintainer-update] www/mambo Security Update. Affect ALL Previous versions!
Product: Ports & Packages
Reporter: Francisco Alves Cabrita <include>
Component: Individual Port(s)
Assignee: Ion-Mihai "IOnut" Tetcu <itetcu>
Status: Closed FIXED    
Severity: Affects Only Me    
Priority: Normal    
Version: Latest   
Hardware: Any   
OS: Any   
Attachments:
Description Flags
file.diff none

Description Francisco Alves Cabrita 2006-07-11 01:20:17 UTC
The Team Mambo reports that two SQL injection vulnerabilities have been found in Mambo. The vulnerabilities exist due to missing sanitation of the title and catid parameters in the weblinks.php page and can lead to execution of arbitrary SQL code.

http://www.vuxml.org/freebsd/f70d09cb-0c46-11db-aac7-000c6ec775d9.html

Fix: Note that in the vuxml entry the mambo security report is listed as 0 < mambo. I don't know if this is correct but I think this tag needs to be corrected to 4.5.4_1 else no version of Mambo can be installed. I did all the updating stuff (diff and so on) installing it via "DISABLE_VULNERABILITIES=yes", just to test the right installation of it.


Thanks in advance.
Francisco Alves Cabrita
Comment 1 Mark Linimon freebsd_committer freebsd_triage 2006-07-11 05:23:34 UTC
Class Changed
From-To: update->maintainer-update

Make this a ports PR and fix up the fields.  Ports in the ports/www/ tree 
really do belong in the 'ports' GNATS category.  Only problems with the 
FreeBSD website itself belong in 'www'. 


Comment 2 Mark Linimon freebsd_committer freebsd_triage 2006-07-11 05:23:34 UTC
Responsible Changed
From-To: freebsd-www->freebsd-ports
Comment 3 Ion-Mihai "IOnut" Tetcu freebsd_committer freebsd_triage 2006-07-11 10:29:26 UTC
Responsible Changed
From-To: freebsd-ports->itetcu

I'll take it.
Comment 4 Ion-Mihai "IOnut" Tetcu freebsd_committer freebsd_triage 2006-07-11 10:32:40 UTC
State Changed
From-To: open->feedback

Why did you drop MAMBO_DIR user-customization support?
Comment 5 Ion-Mihai "IOnut" Tetcu freebsd_committer freebsd_triage 2006-07-11 11:15:32 UTC
State Changed
From-To: feedback->closed

Committed with fixes: when PORTVERSION increases PORTREVISION should be 
reset.