SQL Injection Weaknesses Found in Mambo, Joomla

Potentially serious security flaws have been found in existing versions of the Mambo and Joomla content management systems, and developers of the two projects are advising users to install upgrades or security patches as soon as possible. Both programs are vulnerable to SQL injection attacks, which allow remote attackers to run SQL commands of their own choosing against the web server's database by typing SQL code into form fields. Joomla is a fork of Mambo, with both programs derived from the same code base.

Mambo and Joomla are open source projects which use the PHP scripting language and MySQL database. These applications are popular with web site owners because they are powerful, user-friendly, and can be installed by users with little or no PHP coding experience. They are also frequently targeted by Internet criminals seeking to crack web servers for use in botnets, phishing scams and distributed denial of service (DDoS) attacks. The Internet Storm Center said it is receiving reports that older versions of Mambo are being actively targeted and exploited using unpatched vulnerabilities.

Ideally, user input in web forms is sanitized - checked so that whatever a user types cannot be interpreted as instructions by the web server or its database. Content management systems typically bring together blogs, forums, news feeds and link directories in a single application, making it easy for webmasters to manage large communities of users. As a result, CMS apps include a large number of forms accepting user input, increasing the likelihood that some form fields may not be properly secured, providing an opportunity for SQL injection attacks.
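The following added example, which is not code from the article or from the Mambo or Joomla projects, shows why an unchecked form field matters: it builds the same login query two ways, once by pasting the field contents into the SQL text and once as a parameterized query, and runs both against a small constructed SQLite table. Python's sqlite3 module stands in for the PHP/MySQL stack the article describes; the `users` table, the accounts in it and the sample inputs are all constructed for the demonstration, and the same fix applies in PHP through mysqli or PDO prepared statements.

```python
import sqlite3


def make_db():
    """Constructed sample data: a minimal login table standing in for a CMS user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 's3cret'), ('editor', 'hunter2')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation, so the form field becomes part of the SQL text."""
    sql = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return [row[0] for row in conn.execute(sql).fetchall()]


def login_parameterized(conn, username, password):
    """Binds the form field as data: it can never alter the structure of the query."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password)).fetchall()]


def demo():
    """Run both query styles with a valid login and with a tautology typed into the password field."""
    conn = make_db()
    good = ("admin", "s3cret")
    # Constructed input: the textbook tautology; with concatenation the WHERE clause
    # becomes (username = 'admin' AND password = '') OR '1'='1', which matches every row.
    injected = ("admin", "' OR '1'='1")
    return {
        "vuln_good": login_vulnerable(conn, *good),
        "vuln_injected": login_vulnerable(conn, *injected),
        "param_good": login_parameterized(conn, *good),
        "param_injected": login_parameterized(conn, *injected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The concatenated version returns every account for the injected input, while the parameterized version returns nothing, because the database receives the field contents as a literal value rather than as SQL. Reviewing a CMS for the first pattern (string-built queries fed from `$_GET`, `$_POST` or cookie values) is the quickest way to find the fields the article warns about.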

Open source CMS programs often find and fix security holes promptly. But as is the case with most web software, a significant number of users fail to install security patches in a timely fashion. This provides an opportunity for hackers, who typically use public advisories to identify security flaws in specific programs and files, and then query search engines to locate vulnerable versions of the software. Compromised web forums hosted more than 600 phishing spoof sites identified by the Netcraft Toolbar Community in 2005.

Netcraft provides security monitoring of dedicated servers as well as web application security testing that can identify outdated software and other common security risks on networks.