ports/89665: [Security Update]: www/mambo

Francisco Alves Cabrita include at npf.deec.uc.pt
Mon Nov 28 11:00:19 UTC 2005


>Number:         89665
>Category:       ports
>Synopsis:       [Security Update]: www/mambo
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-ports-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          update
>Submitter-Id:   current-users
>Arrival-Date:   Mon Nov 28 11:00:16 GMT 2005
>Closed-Date:
>Last-Modified:
>Originator:     Francisco Alves Cabrita
>Release:        FreeBSD 6.0-STABLE
>Organization:
Núcleo Português de FreeBSD
>Environment:
FreeBSD fac.e10.pt 6.0-STABLE FreeBSD 6.0-STABLE #0: Fri Nov 25 16:42:45 WET 2005     fac at fac.e10.pt:/usr/obj/usr/src/sys/MOBILE  i386  
>Description:
There has been a spate of attacks on Mambo sites in the last few days. These have been serious, in that they involved running arbitrary PHP code in the site attacked. This means that the security of information may have been compromised, and back door code may have been installed. Anyone who has been attacked should take great care to ensure that their site has been thoroughly restored to a safe condition. If advice is needed, please post in the Mambo forums.
http://www.mamboserver.com/index.php?option=com_content&task=view&id=172&Itemid=1
>How-To-Repeat:
              
>Fix:
This patch blocks exploits that attempt to set a value
for the global used to indicate where code is to be loaded.  By setting
that value, the exploits cause arbitrary code to be loaded from a web site
under the hacker's control.

Makefile:
# Port settings for www/mambo. This is a fragment: ${PORTNAME} is used below
# but its definition is not part of the visible text.
# unzip is required at extract time because the security fix is a .zip archive
# (see do-extract).
EXTRACT_DEPENDS=  unzip:${PORTSDIR}/archivers/unzip

# No build stage; the distributed files are installed as they are.
NO_BUILD= yes
USE_MYSQL=  yes
# PHP extensions requested from the ports framework, plus a web-capable PHP.
USE_PHP=  mysql session zlib gd pdf xml pcre
WANT_PHP_WEB= yes
# pkg-message is generated under ${WRKDIR}; MAMBO_DIR is passed to both the
# file substitution list and the packing-list substitution list.
PKGMESSAGE= ${WRKDIR}/pkg-message
SUB_FILES=  pkg-message
SUB_LIST+=  MAMBO_DIR=${MAMBO_DIR}
PLIST_SUB+= MAMBO_DIR=${MAMBO_DIR}

# Install location relative to ${PREFIX}; ?= keeps a value set by the user.
MAMBO_DIR?= www/${PORTNAME}
DIST_SUBDIR=  ${PORTNAME}

# Base release tarball and the security fix archive that do-extract unpacks
# on top of it.
# NOTE(review): whether both files are listed in DISTFILES, and so covered by
# the framework's checksum step, is not visible in this fragment - confirm,
# because the fix archive is what closes the remote code loading hole.
# NOTE(review): the fix archive name contains "4523" while the tarball is
# 4.5.3-stable - confirm the fix is intended for this release.
MAMBO_SRC=  MamboV4.5.3-stable.tar.gz
MAMBO_PATCH1= Mambo4523.security_fix.zip

# Custom extract step: create ${WRKSRC}, unpack the base release into it, then
# unzip the security fix into the same directory.
# unzip -o overwrites existing files without prompting, so files from the fix
# archive replace the ones from the tarball; the order of the two commands
# matters for that reason.
# The last command removes templates/rhuk_solarflare (described as empty by
# the original trailing comment).
# NOTE(review): which files the fix archive replaces is not visible here; a
# check after extraction that the patched files are present would confirm the
# fix was applied - TODO confirm file names against the archive.
do-extract:
    @${MKDIR} ${WRKSRC}
    @${TAR} -zxf ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_SRC} -C ${WRKSRC}
    @${UNZIP_CMD} -qo ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_PATCH1} -d ${WRKSRC}
    @${RM} -rf ${WRKSRC}/templates/rhuk_solarflare # remove empty

# Custom install step, run from inside ${WRKSRC}:
#   1. first find pass: recreate every directory under ${PREFIX}/${MAMBO_DIR}
#      and chown it to ${WWWOWN}:${WWWGRP};
#   2. second find pass: copy every non-directory with ${INSTALL_DATA} to the
#      same relative path and chown it to ${WWWOWN}:${WWWGRP}.
# Both passes rely on find substituting {} inside a longer argument
# (${PREFIX}/${MAMBO_DIR}/{}).
# NOTE(review): the result is that the whole application tree, PHP code
# included, is owned by ${WWWOWN}:${WWWGRP}. Code running under that account
# can then modify the installed files, which matters for the back door concern
# raised in this report. Consider limiting this ownership to the directories
# the application has to write to - confirm which those are.
do-install:
    @${MKDIR} ${PREFIX}/${MAMBO_DIR}
    @cd ${WRKSRC} && \
      ${FIND} . -type d -exec ${MKDIR} ${PREFIX}/${MAMBO_DIR}/{} \; \
        -exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;
    @cd ${WRKSRC} && \
      ${FIND} . \! -type d -exec ${INSTALL_DATA} {} ${PREFIX}/${MAMBO_DIR}/{} \; \
        -exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;

# After installation, print the generated package message (${PKGMESSAGE}) to
# the terminal; the command itself is not echoed.
post-install:
    @${CAT} ${PKGMESSAGE}

.include <bsd.port.mk>


distinfo:
# NOTE(review): this section of the report is labelled as the distinfo file,
# but the text that follows is the port Makefile fragment again; no distfile
# checksums are visible, so the integrity data for the security fix archive
# cannot be reviewed from this submission.
# Port settings for www/mambo; ${PORTNAME} is used below but not defined in
# the visible text.
# unzip is required at extract time because the security fix is a .zip archive.
EXTRACT_DEPENDS=  unzip:${PORTSDIR}/archivers/unzip

# No build stage; the distributed files are installed as they are.
NO_BUILD= yes
USE_MYSQL=  yes
# PHP extensions requested from the ports framework, plus a web-capable PHP.
USE_PHP=  mysql session zlib gd pdf xml pcre
WANT_PHP_WEB= yes
# pkg-message is generated under ${WRKDIR}; MAMBO_DIR is passed to both the
# file substitution list and the packing-list substitution list.
PKGMESSAGE= ${WRKDIR}/pkg-message
SUB_FILES=  pkg-message
SUB_LIST+=  MAMBO_DIR=${MAMBO_DIR}
PLIST_SUB+= MAMBO_DIR=${MAMBO_DIR}

# Install location relative to ${PREFIX}; ?= keeps a value set by the user.
MAMBO_DIR?= www/${PORTNAME}
DIST_SUBDIR=  ${PORTNAME}

# Base release tarball and the security fix archive unpacked on top of it.
MAMBO_SRC=  MamboV4.5.3-stable.tar.gz
MAMBO_PATCH1= Mambo4523.security_fix.zip

# Custom extract step: create ${WRKSRC}, unpack the base release into it, then
# unzip the security fix into the same directory.
# unzip -o overwrites without prompting, so the fix archive's files replace
# the tarball's; the command order matters for that reason.
# The last command removes templates/rhuk_solarflare (described as empty by
# the original trailing comment).
do-extract:
    @${MKDIR} ${WRKSRC}
    @${TAR} -zxf ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_SRC} -C ${WRKSRC}
    @${UNZIP_CMD} -qo ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_PATCH1} -d ${WRKSRC}
    @${RM} -rf ${WRKSRC}/templates/rhuk_solarflare # remove empty

# Custom install step, run from inside ${WRKSRC}: the first find pass
# recreates every directory under ${PREFIX}/${MAMBO_DIR}, the second copies
# every non-directory there with ${INSTALL_DATA}. Each pass also chowns the
# entry to ${WWWOWN}:${WWWGRP}.
# Both passes rely on find substituting {} inside a longer argument.
# NOTE(review): every installed file, PHP code included, ends up owned by
# ${WWWOWN}:${WWWGRP}, so code running under that account can modify the
# installation. Consider limiting this to the directories the application
# has to write to - confirm which those are.
do-install:
    @${MKDIR} ${PREFIX}/${MAMBO_DIR}
    @cd ${WRKSRC} && \
      ${FIND} . -type d -exec ${MKDIR} ${PREFIX}/${MAMBO_DIR}/{} \; \
        -exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;
    @cd ${WRKSRC} && \
      ${FIND} . \! -type d -exec ${INSTALL_DATA} {} ${PREFIX}/${MAMBO_DIR}/{} \; \
        -exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;

# After installation, print the generated package message (${PKGMESSAGE});
# the command itself is not echoed.
post-install:
    @${CAT} ${PKGMESSAGE}

.include <bsd.port.mk>

pkg-plist:
# NOTE(review): this section of the report is labelled pkg-plist, but the text
# that follows is the port Makefile fragment again; no packing list is
# visible, so the set of files the package will register cannot be reviewed
# from this submission.
# Port settings for www/mambo; ${PORTNAME} is used below but not defined in
# the visible text.
# unzip is required at extract time because the security fix is a .zip archive.
EXTRACT_DEPENDS=  unzip:${PORTSDIR}/archivers/unzip

# No build stage; the distributed files are installed as they are.
NO_BUILD= yes
USE_MYSQL=  yes
# PHP extensions requested from the ports framework, plus a web-capable PHP.
USE_PHP=  mysql session zlib gd pdf xml pcre
WANT_PHP_WEB= yes
# pkg-message is generated under ${WRKDIR}; MAMBO_DIR is passed to both the
# file substitution list and the packing-list substitution list.
PKGMESSAGE= ${WRKDIR}/pkg-message
SUB_FILES=  pkg-message
SUB_LIST+=  MAMBO_DIR=${MAMBO_DIR}
PLIST_SUB+= MAMBO_DIR=${MAMBO_DIR}

# Install location relative to ${PREFIX}; ?= keeps a value set by the user.
MAMBO_DIR?= www/${PORTNAME}
DIST_SUBDIR=  ${PORTNAME}

# Base release tarball and the security fix archive unpacked on top of it.
MAMBO_SRC=  MamboV4.5.3-stable.tar.gz
MAMBO_PATCH1= Mambo4523.security_fix.zip

# Custom extract step: create ${WRKSRC}, unpack the base release into it, then
# unzip the security fix into the same directory.
# unzip -o overwrites without prompting, so the fix archive's files replace
# the tarball's; the command order matters for that reason.
# The last command removes templates/rhuk_solarflare (described as empty by
# the original trailing comment).
do-extract:
    @${MKDIR} ${WRKSRC}
    @${TAR} -zxf ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_SRC} -C ${WRKSRC}
    @${UNZIP_CMD} -qo ${DISTDIR}/${DIST_SUBDIR}/${MAMBO_PATCH1} -d ${WRKSRC}
    @${RM} -rf ${WRKSRC}/templates/rhuk_solarflare # remove empty

# Custom install step, run from inside ${WRKSRC}: the first find pass
# recreates every directory under ${PREFIX}/${MAMBO_DIR}, the second copies
# every non-directory there with ${INSTALL_DATA}. Each pass also chowns the
# entry to ${WWWOWN}:${WWWGRP}.
# Both passes rely on find substituting {} inside a longer argument.
# NOTE(review): every installed file, PHP code included, ends up owned by
# ${WWWOWN}:${WWWGRP}, so code running under that account can modify the
# installation. Consider limiting this to the directories the application
# has to write to - confirm which those are.
do-install:
    @${MKDIR} ${PREFIX}/${MAMBO_DIR}
    @cd ${WRKSRC} && \
      ${FIND} . -type d -exec ${MKDIR} ${PREFIX}/${MAMBO_DIR}/{} \; \
        -exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;
    @cd ${WRKSRC} && \
      ${FIND} . \! -type d -exec ${INSTALL_DATA} {} ${PREFIX}/${MAMBO_DIR}/{} \; \
        -exec ${CHOWN} ${WWWOWN}:${WWWGRP} ${PREFIX}/${MAMBO_DIR}/{} \;

# After installation, print the generated package message (${PKGMESSAGE});
# the command itself is not echoed.
post-install:
    @${CAT} ${PKGMESSAGE}

.include <bsd.port.mk>


Thanks in advance
Francisco Alves Cabrita
>Release-Note:
>Audit-Trail:
>Unformatted:


