PHPDeveloper.org

The Bakery: Mambo, Layout Switching, SimplePie and Caching Elements

Wed, 25 Jul 2007 11:09:00 -0500

The Bakery has four new articles/tutorials posted today covering things like Mambo's choice to go with CakePHP, a layout switcher, SimplePie and caching elements.

Mambo-licious - Join us in welcoming Mambo to the CakePHP community.
Automatic Layout Switcher - This component allows you to have two layouts for one site and switches between them automatically based on the domain.
SimplePie CakePHP Component - SimplePHP is a PHP class for retrieval and parsing of RSS feeds.
Cache Elements Individually For Each User - Caching elements in general has been discussed before on bakery and this article takes caching of an element to a higher level. This article explains how to cache elements individually for each user.

Be sure to check out the rest of The Bakery for more great CakePHP-related content and news.

Mambo Foundation Blog: Baking Mambo

Mon, 23 Jul 2007 16:22:58 -0500

According to this new post on the Mambo Foundation's blog, they've made a decision on what to base the next version of their software on - the CakePHP PHP framework.

After a great deal of research the Mambo team has decided to utilize the CakePHP framework for Mambo 5. CakePHP is a rapidly evolving, mature, and feature rich PHP framework. The project is backed by an official Foundation (http://cakefoundation.org/) much like the Mambo project itself. We believe this is an important criterion as it helps assure the project will remain active and community minded.

They include an overview of some of the features of the framework they plan to use including their flexible license, the simplicity of the development process and several "hot features" like built-in validation, access control lists and flexible view caching.

Secunia.com: Mambo Unspecified Bypass Vulnerabilities

Thu, 03 May 2007 09:38:00 -0500

Secunia.com has posted a new advisory today that Mambo users need to sit up and take notice of. There's a vulnerability that's been discovered that could allow the bypassing of security restrictions in the application.

A vulnerability is caused due to insufficient privilege checks in includes/pdf.php. No further information is currently available.

A vulnerability is caused due to insufficient privilege checks in MOStlyDB Admin. Successful exploitation requires valid administrator credentials. No further information is currently available.

If you're using Mambo version 4.6.1 or prior, it's recommended that you update as soon as possible to the latest release, version 4.6.2.

Community News: Mambo Lead Developer Quits

Mon, 08 May 2006 09:42:39 -0500

According to this post on his blog today, one of the board memebers from the Mambo project, Martin N Brampton is formally leaving his position.

I now feel it necessary to resign from the Board of the Mambo Foundation with immediate effect. Since joining the Board, a number of minor irregularities have been evident, and not all of them have been rectified even though I have sought to raise them. It is apparent that early decisions were taken by exchange of email and no records were kept. Present banking arrangements breach the Foundation's rules.

In terms of fundamental principles, there is a considerable concern in my mind that the Board is not informing itself about the members wishes, and not making decisions that fully take account of their interests. I see this as a breach of trust.

He goes on to talk about some of the ongoing issues that the Board faced, including misinformation about trademark issues and their change to allow the membership of the Foundation to suggest rule changes.

As the majority decisions being made by the Board conflict with my understanding of those obligations, I cannot continue as a Board member any longer. As there was no resolution to appoint me to the Board, I am unsure how you will handle my resignation. I will remain a member of the Foundation and continue with my work in Mambo development.

For the complete story, check out this official release...

Community News: Mambo Foundation Podcasts

Thu, 08 Dec 2005 08:42:30 -0600

The Mambo Foundation has released a series of podcasts lately covering all sorts of different subjects.

Episode 1 - Mambo love, new team members, Mamboday in Italy, and the current state of development.
Episode 2 - a Q&A session, Mastering Mambo, phpfreelancer.org, and an interview with two developers from mambohub.com
Episode 3 - an interview with Christian Wenz, a template design contest, users survey, and the "Component Corner"

If you haven't gotten a chance to check them out yet, grab one and give it a listen. You can also subscribe to their feed to catch the latest...

Christian Wenz's Blog: Mastering Mambo Published!

Thu, 08 Dec 2005 08:00:59 -0600

On Christian Wenz's blog today, there's an announcement about one of the latest books from Packt - Mastering Mambo which he was a co-author on.

When Tobias and I created the CMS book series for German publisher Hanser, we also wrote the first series title on Mambo/Joomla!. We afterwards sold the translation rights to Packt Publishing. They already had a Mambo book, but liked our material so they took the last two thirds of the book, translated it and thereby created "Mastering Mambo".

The book covers topics like creating custom layouts, builing multilingual sites, using a forum, using the Mambo extensions, and how to develop your own modules...

Christopher Kunz's Blog: Mambo worm in the wild

Tue, 06 Dec 2005 06:50:24 -0600

According to this post on Christopher Kunz today, there's a Mambo-targeted worm out "in the wild" called Elxbot.

Well, it wasn't totally unexpected, I guess. The recently discovered remote code execution hole in Mambo has spawned a nifty little worm, called "Elxbot". I actually referred to the (then still fairly unknown) vulnerability and to the possibility that it might be abused by worm writers in my talk at the last PHP Conference.

I am already expecting a similar outbreak for the PHPKIT holes I recently reported. It has all of the features that I outlined above, although the install base is probably somewhat limited to german users (and there, mainly to gaming clans). Seeing this, I didn't actually publish a PoC for the remote code execution hole, but it is somewhat trivial to find and exploit anyway.

The worm itself searches Google for available targets, infects the system, and connects to an IRC server where the controlling party is waiting. From there things like arbitrary command execution, TCP floods, HTTP floods, and Portscans can be made. For complete information, check out this page on the Outpost24.com site...