1
jegelstaff
Security Question: overwrite globals PHP exploit
  • 2005/11/21 22:19
  • jegelstaff
  • Module Developer
  • Posts: 518
  • Since: 2004/7/2 2


Mambo has recently been hit with an exploit that seems to take advantage of a PHP bug in conjunction with some particular code in the Mambo system. If any of you are running Mambo systems, patch them now!

Links with info:

Technical details of the bug in PHP and consequences:
http://www.hardened-php.net/index.76.html

Discussion of the impacts of this in general, including some interesting example code:
http://www.sitepoint.com/forums/showthread.php?t=312884

A discussion on some Mambo forums about a fix for the problem:
http://forum.mamboserver.com/showthread.php?t=65917

A post on seclists.org about the nature of the vulnerability in Mambo:
http://seclists.org/lists/fulldisclosure/2005/Nov/0528.html

-----------------------------------------------------------

It appears that the problem is not with Mambo per se, but is a problem in PHP itself, which is exploitable because of certain facts about how the Mambo system deals with global variables. This is a serious problem since it allows an attacker to execute arbitrary PHP code on the compromised server, and/or upload files.

My reading of the above information suggests to me that there may be an issue with XOOPS, if XOOPS is handling globals in any way at all similar to what Mambo is doing. The problem seems to come when you directly access global variables in the main scope, and/or overwrite them in certain ways, and/or put in hacks to get around register_globals being turned off.

I do not think XOOPS 2.0.x is doing such things, but I am not as familiar with the code as others, and so I would really like a second opinion on that. I would also like some confirmation of exactly when this PHP bug becomes a problem, since even if XOOPS is not doing the same things as Mambo, perhaps it is still vulnerable due to other reasons. There are some good opinions about when code may be vulnerable in the second link above.

I do not know the 2.2.x code at all, so I cannot comment there.

Any insights greatly appreciated.

--Julian
Technical Architect - Freeform Solutions
Formulize - custom registration forms, ad hoc forms and reports

2
jegelstaff
Re: Security Question: overwrite globals PHP exploit
  • 2005/11/22 19:19
  • jegelstaff
  • Module Developer
  • Posts: 518
  • Since: 2004/7/2 2


Bump!

This is a serious issue since, if present, it will allow execution of arbitrary PHP code. Does no one out there with technical knowledge of the code base have anything to say?

As I said above, my estimation is that XOOPS is not affected. But no one should take my word for it.

Thanks,

--Julian
Technical Architect - Freeform Solutions
Formulize - custom registration forms, ad hoc forms and reports

3
Dave_L
Re: Security Question: overwrite globals PHP exploit
  • 2005/11/22 21:05
  • Dave_L
  • XOOPS is my life!
  • Posts: 2277
  • Since: 2003/11/7


I glanced at a couple of the linked articles. It looks like the old familiar issue of allowing user input to populate global variables, either by having register_globals on, or by emulating that behavior. This violates the first law of web programming: Never trust user input.

I don't think the XOOPS core is vulnerable to this, at least in the newest versions, but I'm sure that some modules are vulnerable.

4
jegelstaff
Re: Security Question: overwrite globals PHP exploit
  • 2005/11/22 21:50
  • jegelstaff
  • Module Developer
  • Posts: 518
  • Since: 2004/7/2 2


That is part of it. But there is a bug in PHP in how it handles the $GLOBALS "super-global" array as well. The first link goes into some detail on this, and the second link has some interesting example code.

I agree, the XOOPS core does not, as far as I know, mistreat globals. The hard-to-decipher part here seems to be that depending on how code is written, there may still be a problem, even with register_globals off, and no "faking" of the register globals functionality in the code.

Yikes!

--Julian
Technical Architect - Freeform Solutions
Formulize - custom registration forms, ad hoc forms and reports
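The register_globals emulation that Dave_L and Julian describe above, as an added example that is not code from this thread, from Mambo, or from XOOPS: a constructed request carrying a key named GLOBALS, the unchecked import loop such emulation hacks used, and a guarded import that refuses PHP's superglobal names and never overwrites a global the application already defined. The function names and the sample request are invented for illustration. The unchecked loop is shown for contrast only and is not executed, because what a write to the GLOBALS key does depends on the PHP version (PHP 8.1 changed how $GLOBALS may be written), while the guard works the same way everywhere.

```php
<?php
// Added example for this thread; not code from Mambo, XOOPS or any poster.
// Shows the register_globals emulation pattern discussed in the posts above,
// why a request key named "GLOBALS" is dangerous to it, and one way to guard
// the import. Function names and the sample request are constructed.

// Constructed stand-in for $_REQUEST: one ordinary parameter plus a key named
// GLOBALS whose value is an array holding the variable the attacker wants.
$request = [
    'page'    => 'home',
    'GLOBALS' => ['config_path' => 'http://attacker.example/payload'],
];

// A trusted global that later code would use, e.g. require $config_path . '/lib.php';
$config_path = '/var/www/app';

// VULNERABLE: the "fake register_globals" hack. Every request key is written
// into the global scope with no check on the key at all. When $key is
// "GLOBALS" the write lands on PHP's own globals array instead of on an
// application variable, which is the overwrite the hardened-php advisory
// linked in the first post describes. Defined here for contrast only; not
// called, since the effect of that write is PHP-version dependent.
function emulate_register_globals_unsafe(array $req): void
{
    foreach ($req as $key => $value) {
        $GLOBALS[$key] = $value;
    }
}

// GUARDED: refuse keys that name a PHP superglobal, keys that are not valid
// variable names (numeric keys from "?0=x" included), and keys that would
// overwrite a global the application has already set. Returns the imported
// and rejected key lists so the caller can log what was dropped.
function emulate_register_globals_guarded(array $req): array
{
    static $forbidden = [
        'GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
        '_SERVER', '_FILES', '_ENV', '_SESSION',
    ];
    $imported = [];
    $rejected = [];
    foreach ($req as $key => $value) {
        if (!is_string($key)
            || in_array($key, $forbidden, true)
            || !preg_match('/\A[A-Za-z_][A-Za-z0-9_]*\z/', $key)
            || array_key_exists($key, $GLOBALS)) {
            $rejected[] = (string) $key;
            continue;
        }
        $GLOBALS[$key] = $value;
        $imported[] = $key;
    }
    return [$imported, $rejected];
}

// If a code base uses extract($_REQUEST) instead of a loop, that is the same
// pattern in a single call; at minimum extract only a filtered array and pass
// EXTR_SKIP so existing variables are never overwritten.

[$imported, $rejected] = emulate_register_globals_guarded($request);
echo "imported: " . implode(', ', $imported) . "\n";   // only "page"
echo "rejected: " . implode(', ', $rejected) . "\n";   // "GLOBALS"
echo "config_path is still: " . $config_path . "\n";   // unchanged
```

The guard only contains the damage of an emulation hack; it is not a substitute for Dave_L's rule. Code that reads what it needs explicitly from $_GET, $_POST or $_COOKIE never creates globals from request data in the first place, so there is nothing for a GLOBALS key to overwrite.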
