Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities

From: YGN Ethical Hacker Group <lists@xxxxxxxx>
Date: Tue, 28 Jun 2011 11:04:46 +0800

Did you really test a code base that is a version of an old Joomla base

or did you look at the code, and test old Joomla bugs against it?

No

The XSS results are from purely blackbox scan on Mambo 4.6.5.

Joomla (Joomla! 1.0.0) was released on September 16, 2005. It was a
re-branded release of Mambo 4.5.2.3 which, itself, was combined with
other bug and moderate-level security fixes.

From that statement, it can be assumed that the code bases of Mambo

4.5.2.4 and higher are different from those of Joomla! 1.1 and
higher. As you can say so, we may sync old Joomla! 1.x bugs in Mambo
4.6.x. But it may be time-consuming to analyze the code changes and
validity of bugs in each version of both CMS.

https://secure.wikimedia.org/wikipedia/en/wiki/Joomla
http://www.joomla.org/announcements/general-news/154-introducing-joomla-10.html

I thought these were found in Joomla ages ago?

No.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
  - From: Zach C.

References:
- [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
  - From: YGN Ethical Hacker Group
- Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
  - From: Jacqui Caren-home

Prev by Date: [Full-disclosure] Live mtgox.com trade matching bug.
Next by Date: [Full-disclosure] Joomla! 1.6.3 and lower | Multiple Cross Site Scripting (XSS) Vulnerabilities
Previous by thread: Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
Next by thread: Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
Index(es):
- Date
- Thread

Relevant Pages

Re: [Full-disclosure] Fwd: Rate Stratfors Incident Response
... I would also like to point out that "finding the bugs" is not the same as ... "fixing the bugs," and that for all the focus that is placed on finding ... Charter: http://lists.grok.org.uk/full-disclosure-charter.html ... Hosted and sponsored by Secunia - http://secunia.com/ ...
(Full-Disclosure)
Re: [Full-disclosure] List of Fuzzers
... The reason anyone writes a fuzzer is to find bugs. ... Charter: http://lists.grok.org.uk/full-disclosure-charter.html ... Hosted and sponsored by Secunia - http://secunia.com/ ...
(Full-Disclosure)
Re: "Am I still working okay?" asked the micro controller...
... >>was the program counter at the point where the check failed, ... The programmer who finds all of the inserted bugs and no ... That charter, if it is done right, seems like it ... >Guy Macon, Electronics Engineer & Project Manager for hire. ...
(comp.arch.embedded)
Re: [Full-disclosure] [CVE-2012-0207] Linux IGMP Remote Denial Of Service
... Sent from my iPhone ... Charter: http://lists.grok.org.uk/full-disclosure-charter.html ... Hosted and sponsored by Secunia - http://secunia.com/ ... there was the same bugs in those years but they would cause the ...
(Full-Disclosure)
RE: [Full-Disclosure] Re: Netscape Bug Bounty
... data compromise bugs were accepted for this program. ... >> Full-Disclosure - We believe in it. ... >> Charter: ... Do you Yahoo!? ...
(Full-Disclosure)