=====================================================================
CERT-Renater Information Note No. 2007/VULN550
_____________________________________________________________________
DATE                  : 28/12/2007
HARDWARE PLATFORM(S)  : /
OPERATING SYSTEM(S)   : Systems running Mambo.
======================================================================

http://source.mambo-foundation.org/content/view/134/1/
______________________________________________________________________

Mambo 4.6.3 Released!
Written by Nicolas Steenhout
Dec 24, 2007 at 05:11 AM

Team Mambo announces the release of Mambo 4.6.3! Code named "Dylan", this minor version release features a number of security improvements and bug fixes. These include:

* Stability & security improvements
* Performance improvements
* A number of bug fixes
* Improved compatibility with 3rd party extensions
* Updates to some core extensions

What's New in 4.6.3...

Security Fixes:
* PHP mailer security fix
* template chooser security fixes
* XSS fixes in administrator backend
* sample configuration file renamed to configuration.sample.php

Bug Fixes:
* fixed banner manager custom-code bugs
* fixed Mambo admin template install problem
* fixed special vs. registered users menu access related problems
* fixed login component redirection
* fixed line breaks in emails in Mambo
* fixed missing links in pathway
* fixed problems with module ordering affecting menus
* fixed an XML parser problem in the installer
* fixed section module problems related to Itemid
* fixed content editing resulting in overriding the article creator
* fixed incorrect escaping of weblinks' titles and descriptions

Enhancements:
* mostlyce upgraded to 2.4
* mostlydbadmin upgraded to 1.5
* geshi upgraded to 1.0.7.20
* enhanced editor initializing
* enhanced weblinks component, so the target param is not confusing anymore
* updated the sample data so Mambo links will be up-to-date with the recent Mambo sites changes
* some XHTML compliance work
* added option to block the blocked users in the mass email
* added mosshowhead and some helper classes to select/exclude head tags
* added module buffering
* added the ability to delete superadmins
* added search feature in language manager
* added onAfterStart mambot trigger
* compressed JS and CSS files for improved performance

Mambo 4.6.3, including upgrade files, can be found on the Mambo Code forge here:
http://mambo-code.org/gf/project/mambo/frs/

Because Mambo 4.6.3 is a security and maintenance release we advise everyone using Mambo 4.6 - 4.6.2 to upgrade. If you are not running Mambo 4.6.2 then you should patch up to this version prior to applying this new patch. Upgrade instructions are provided in the patch download - please read the instructions!

Note about Mambo Security.

Each of the security fixes relates to vulnerabilities that have the potential for exploit. There have been no known cases of them actually being exploited and most relate to backend/administrator security weaknesses that would first require someone to be logged into the backend.

A Secunia advisory reported a "proof of concept" regarding two potential security flaws in 4.6.2 (http://secunia.com/advisories/28133/). Only one of the reported flaws had any potential to insert code and even then, the code could not be executed. The result of extensive testing showed that where a user was using an unpatched version of IE6 it was possible to enter raw text into one form in Mambo 4.6.2.
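The raw-text insertion described in the note above is the general class of flaw behind the "XSS fixes in administrator backend" entry: a submitted value is written back into the page without being encoded for the HTML context it lands in. The following is an added illustration, not Mambo's code and not the actual 4.6.3 patch; the form field name `title` and both function names are hypothetical. It places the unsafe pattern beside the hardened one so the difference in the rendered markup is visible.

```php
<?php
// Added example (not Mambo's code). Shows the output-encoding fix for a
// value reflected into an admin form; the field name 'title' and the
// function names are hypothetical.

// Unsafe pattern: the submitted value is concatenated straight into the
// HTML attribute, so a quote in the value ends the attribute and any
// following markup becomes part of the page.
function render_title_field_unsafe($title)
{
    return '<input type="text" name="title" value="' . $title . '">';
}

// Hardened pattern: encode for the HTML attribute context before output.
// ENT_QUOTES encodes both single and double quotes, so the value cannot
// break out of either attribute quoting style; the charset is explicit so
// the encoder and the page agree on what a byte sequence means.
function render_title_field_safe($title)
{
    $encoded = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
    return '<input type="text" name="title" value="' . $encoded . '">';
}

// Constructed sample input (not from the advisory): closes the attribute
// and the tag, then adds a bold element.
$sample = '"><b>unwanted text</b>';

// In the unsafe rendering the <b> element is live markup below the field;
// in the safe rendering the same characters are shown literally inside
// the field's value and no new element is created.
echo render_title_field_unsafe($sample), PHP_EOL;
echo render_title_field_safe($sample), PHP_EOL;
```

Run it with `php example.php` and compare the two lines: the first contains an unencoded `">` that terminates the `value` attribute, the second contains `&quot;&gt;` and stays inside it. Encoding at the point of output is the robust fix; filtering on input, as the note's "blocked the hole" wording suggests, only helps if every later output path is also covered.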
While this would not compromise a site because the script could not actually run, the vulnerabilities in IE6 could result in a small amount of unwanted text appearing below a form. While this flaw was really a browser flaw (that has been fixed in recent updates to IE6) we blocked the hole that allowed unauthorised text to be inserted.

The Secunia advisory does not relate to Mambo 4.5.5.

While the 4.6.2 security vulnerabilities are low level, we prefer everyone to be running sites that have a high level of protection and the bug fixes, feature and performance improvements make this a very worthwhile upgrade.

Last Updated ( Dec 24, 2007 at 05:14 AM )
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER           | tel  : 01-53-94-20-44 +
+ 151 bd de l'Hopital    | fax  : 01-53-94-20-41 +
+ 75013 Paris            | email: certsvp@renater.fr +
=========================================================