
Joomla & Mambo 3rd Party Extension Vulnerabilities

Torkil Johnsen has compiled a list of Mambo and Joomla 3rd party extensions and plugins that have known vulnerabilities. This is the list (with version numbers added for easy checking):

-com_videodb <= 0.3en
-SMF Forum Mambo Component <= 1.3.1.3
-extcalendar <= 2.0
-com_loudmouth <= 4.0j
-pc_cookbook <= 0.3
-per_forms <= 1.0
-MiniBB <= 1.5a
-com_hashcash <= 1.2.1
-HTMLarea3 <= 1.5
-Sitemap <= 2.0
-pollxt <= 1.22.07
-SimpleBoard <= 1.1.0
-com_forum <= 1.2.4 RC3
-galleria <= 1.0b
-Pearl for Mambo <= 1.6
-CBSMS <= 1.0
-Mambo Comspray (mospray) <= 1.8 RC1
-Mosets Tree <= 1.58
-com_multibanners (unknown version)
-BSQ Sitestats <= 2.1.0
-JoomlaLib <= 1.2.1 Beta
-OpenSEF 2.0.0 RC5
-Google PageRank Module <= v1
-JoomlaBoard <= 1.1.1
-PHP Event Calendar <= 1.4
-Advanced Poll <= 2.20
-Jombook (unknown version)
-mosMedia <= 1.0.8

More are being reported on almost a daily basis. If you are running either Mambo or Joomla, please check which plugins/extensions you have installed. These do NOT have to be published or even seen from the frontend for them to be exploited.
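One way to run the check described above against an inventory of installed extensions, published or not. This is an added example, not code from the original post. The inventory format, the status names and the rule of sending undecidable suffix comparisons (RC, Beta, trailing letters) to manual review are assumptions, and only some of the listed entries are copied in.

```python
import re

# Entries copied from the list above: name -> highest affected version.
# None means the page gives no version, so any installed copy is flagged.
ADVISORY = {
    "com_videodb": "0.3en", "extcalendar": "2.0", "com_loudmouth": "4.0j",
    "pollxt": "1.22.07", "SimpleBoard": "1.1.0", "com_forum": "1.2.4 RC3",
    "JoomlaLib": "1.2.1 Beta", "mosMedia": "1.0.8",
    "com_multibanners": None, "Jombook": None,
}
_LIMITS = {name.lower(): limit for name, limit in ADVISORY.items()}

def split_version(text):
    """Return (numeric tuple, lowercase suffix), or None if no leading number."""
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)\s*(.*)$", text, re.I)
    if not m:
        return None
    nums = [int(part) for part in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:   # treat 2.0 and 2.0.0 as equal
        nums.pop()
    return tuple(nums), m.group(2).strip().lower()

def check(name, installed):
    """Classify one installed extension as 'affected', 'review' or 'not listed'."""
    key = name.lower()
    if key not in _LIMITS:
        return "not listed"
    limit = _LIMITS[key]
    if limit is None:
        return "affected"
    have, top = split_version(installed), split_version(limit)
    if have is None:
        return "review"                      # unparseable version: check by hand
    if have[0] != top[0]:
        return "affected" if have[0] < top[0] else "not listed"
    # Same number: suffix order (RC, Beta, letters) is not defined on the page.
    return "affected" if have[1] == top[1] else "review"

def audit(inventory):
    """Map every (name, version) pair in the inventory to its status."""
    return {name: check(name, version) for name, version in inventory}

# Constructed sample inventory, not taken from a real site.
SAMPLE = [("extcalendar", "1.9"), ("com_forum", "1.2.4"), ("mosMedia", "1.0.9"),
          ("Jombook", "0.1"), ("com_example", "1.0")]

if __name__ == "__main__":
    for name, status in audit(SAMPLE).items():
        print(f"{name}: {status}")
```

A result of "not listed" only means the version is above what this list records; it says nothing about later reports.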

I am keeping a list of vulnerable extensions on the Mambo Guru forum and Joomla also has a 3PD security forum now, so make sure you keep an eye on these and take whatever steps are recommended to secure your sites. Security update information is also being posted as I become aware of updates.

http://www.torkiljohnsen.com/2006/07/19/mambo-and-joomla-exposed-as-script-kiddies-have-their-summer-holidays/

UPDATE: 2 August
Mambo now has a 3PD Security forum and I am now posting new exploits and fixes (if known) there.
