
Checking That Mambo Extensions are Safe to Use

Right from the start of Mambo development back in 2000, Mambo was designed to be modular in its approach and has encouraged the development of mambots, modules, components and templates by third party developers (3PD's). With its GNU/GPL Version 2 license and use of PHP and MySQL, Mambo made developing additional features easy.

Anyone can develop an extension for Mambo and release it. Today, there are hundreds of 3rd party extensions in active development and over the 8 years of Mambo's life many extensions have fallen into disuse or been abandoned by their developers. The richness of these additional 3rd party features has helped to take Mambo to where it is today - one of the most popular free, open source content management systems in the world.

Mambo's success has also led to unwanted attention from malicious types, such as those who hack and deface others' sites. While Mambo code itself is secure when a site and server have been properly configured, 3rd party extensions are developed by people with a range of coding skills and security knowledge. Most successful attacks on Mambo-based web sites get in through a vulnerable extension the site has installed.

What is a vulnerable extension?

A vulnerable extension is one that has been found to contain (or contribute to) a security vulnerability.

Vulnerable extensions are not necessarily poorly-coded extensions. As the Web evolves, technical requirements and commonly accepted coding practices also change. Active projects release new versions of their extensions as requirements change.
For this reason, it is important to:

  1. Know the version numbers of all installed extensions.
  2. Use only the latest stable version of all extensions.
  3. Completely remove all files of insecure or unused extensions.

The most common vulnerabilities were identified in 2006:

  1. Not including defined('_VALID_MOS') or die… statements;
  2. Poorly constructed include() statements.

For security, extensions should not require the server to be more open than is needed for the proper running of Mambo. Any extensions that require register_globals to be on, or that cannot run without open permissions should not be used.

How to check if an extension is safe?

Many Mambo extensions exist thanks to the way Mambo is designed to make it easy to create new components and modules, and to add them to an existing installation. The problem with adding extensions to Mambo is that poorly coded extensions can make your Mambo site vulnerable to security exploits.

  • It is extremely important that you choose your extensions wisely!
  • Look for extensions that are still under active development.
  • Be very careful of any extensions that have not been updated in the past six months.

When you download an extension, have a look at the source code in a text editor. Make sure every file contains this code in the first lines at the top of the file:

// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

If the code is not there - add it!
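The two checks above (the _VALID_MOS guard in every file's header, and how each include() builds its path) can be applied mechanically to a downloaded extension before you read it by hand. The script below is an added example written for this article; it is not part of Mambo and not the author's code. It walks a directory of PHP files, reports files whose first lines lack the guard, and reports include/require statements whose path comes from request data or from a plain variable (with register_globals on, a request parameter can set such a variable, so an unguarded file with a variable path is the worst case). The two sample module files are constructed for the demonstration, and the use of dirname(__FILE__) in the hardened sample is this example's own choice of a path that does not depend on a global, not a Mambo convention.

```python
import re
import tempfile
from pathlib import Path

# The direct-access guard the article asks for at the top of every file.
GUARD_RE = re.compile(r"""defined\s*\(\s*['"]_VALID_MOS['"]\s*\)\s*or\s+die""", re.IGNORECASE)
# include/require statements; group 2 is the argument expression up to the closing ';'.
INCLUDE_RE = re.compile(
    r"\b(include_once|include|require_once|require)\b\s*\(?\s*(.*?)\s*\)?\s*;",
    re.IGNORECASE | re.DOTALL,
)
# Request superglobals: a path taken from these is directly attacker-controlled.
REQUEST_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
# Any plain PHP variable (with register_globals on, a request parameter can set one).
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")


def has_guard(source, head_lines=20):
    """True if the _VALID_MOS guard appears within the first `head_lines` lines."""
    head = "\n".join(source.splitlines()[:head_lines])
    return GUARD_RE.search(head) is not None


def audit_source(source):
    """Return a list of (severity, message) findings for one PHP file's contents."""
    findings = []
    guarded = has_guard(source)
    if not guarded:
        findings.append(("HIGH", "no defined('_VALID_MOS') or die guard in the file header"))
    for match in INCLUDE_RE.finditer(source):
        stmt, arg = match.group(1), " ".join(match.group(2).split())
        if REQUEST_RE.search(arg):
            findings.append(("HIGH", f"{stmt} path taken from request data: {arg}"))
        elif VAR_RE.search(arg):
            # A variable path is only as trustworthy as the variable's origin; without the
            # guard the file can be requested directly with that variable set by the caller.
            severity = "HIGH" if not guarded else "MEDIUM"
            findings.append((severity, f"{stmt} path built from a variable "
                                       f"(needs register_globals off to be safe): {arg}"))
    return findings


def audit_extension(root):
    """Audit every .php file under `root`; returns {relative path: findings} for files with findings."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*.php")):
        findings = audit_source(path.read_text(encoding="utf-8", errors="replace"))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


# Constructed sample files for the demonstration; they are not taken from any real extension.
VULNERABLE_MODULE = """<?php
// mod_example.php: no direct-access guard; helper path comes from a global
include_once($mosConfig_absolute_path . '/modules/mod_example/helper.php');
include($_GET['page'] . '.php');
?>"""

HARDENED_MODULE = """<?php
// Don't allow direct linking
defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );
include_once(dirname(__FILE__) . '/helper.php');
?>"""


def demo():
    """Write the two sample files to a temporary directory and audit them."""
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "mod_vulnerable.php").write_text(VULNERABLE_MODULE)
        Path(tmp, "mod_hardened.php").write_text(HARDENED_MODULE)
        return audit_extension(tmp)


if __name__ == "__main__":
    for filename, findings in demo().items():
        for severity, message in findings:
            print(f"{filename}: [{severity}] {message}")
```

Run it against the unpacked extension directory by calling audit_extension() with that path. The script is a regular-expression heuristic, not a PHP parser: a file that passes still deserves the read-through in a text editor that the article describes, and a MEDIUM finding is the signal that the extension depends on register_globals, which the article says is reason enough not to use it.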

  • If at all possible, run your site with register_globals set to OFF. (Note: some extensions won't work with register_globals OFF, but this setting does minimise the security risk).
  • Before you install, search the web for any known vulnerability reports about the extension you wish to use.
  • You can also search these sites:
    http://www.securityfocus.com/
    http://secunia.com/

If you have any doubts about the security of the extension, contact the developer and ask for assurances.
