Mastering Mambo : E-Commerce, Templates, Module Development, SEO, Security, and Performance

By : Christian Wenz, Tobias Hauser

Overview of this book

Mambo is a PHP-based Open Source CMS. Mambo is both easy to use at the entry level for creating basic websites, while having the power and flexibility to support complex web applications.

Mambo implements the core requirements of a full featured CMS. It has a powerful and extensible templating system with the ability to upload and manage many different data types. User access control, content approval, rich administrative control, content display scheduling are all built-in. New features and extensions are constantly added to the core system, with many more being available and supported by the community.

Most of the Mambo development team now works on a fork of Mambo known as Joomla. Mastering Mambo is fully compatible with Joomla's 1.0 release.

Unexpected User Data


The two attack methods described above can be kept in check relatively simply: in each case, user data that we did not expect was passed. Another example of this method of attack can be found in the old Mambo version 4.0.3; see also http://secunia.com/advisories/9796/ for your review. The weak point was the contact.php file, where the useful function for sending an email is located. Fortunately, this function is very cooperative; unfortunately, it is just as cooperative with attackers. All you need to call it is the op=sendmail GET parameter:

switch($op) {
    case "sendmail":
        sendmail($text, $from, $name, $email_to, $sitename);
        break;
    // ...
}

You will surely remember that in this version all GET parameters are automatically promoted to global variables. So what happens in the sendmail() function? Essentially, the PHP mail() function is called with exactly the parameters that were passed to sendmail():

function sendmail($text, $from, $name, $email_to, $sitename){
    if ((isset...
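For comparison, here is an added example of how such a contact handler can be written so that it does not depend on global variables at all. This is not the book's or Mambo's code; the allowed-recipient list, the field names and the function names are assumptions made for the example.

```php
<?php
// Added example, not the book's or Mambo's code: a hardened contact handler.
// Every field is read explicitly from $_POST, validated, and the recipient is
// restricted to a fixed list, so the form cannot be driven by arbitrary input.

// Assumed configuration: the only addresses this form may deliver to.
const ALLOWED_RECIPIENTS = ['webmaster@example.com', 'sales@example.com'];

function cleanHeaderValue(string $value, int $maxLen = 200): string
{
    // Mail header fields are single-line: drop control characters, cap length.
    $value = preg_replace('/[\x00-\x1F\x7F]/', '', $value);
    return substr(trim($value), 0, $maxLen);
}

function validateContactRequest(array $input): array
{
    foreach (['text', 'from', 'name', 'email_to'] as $field) {
        if (!isset($input[$field]) || !is_string($input[$field])) {
            return ['ok' => false, 'error' => "missing field: $field"];
        }
    }
    $from = cleanHeaderValue($input['from']);
    $to   = cleanHeaderValue($input['email_to']);
    $name = cleanHeaderValue($input['name'], 80);
    $text = substr(trim($input['text']), 0, 4000);
    if (filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'invalid sender address'];
    }
    // Never relay to an address supplied by the request itself.
    if (!in_array($to, ALLOWED_RECIPIENTS, true)) {
        return ['ok' => false, 'error' => 'recipient not permitted'];
    }
    if ($text === '') {
        return ['ok' => false, 'error' => 'empty message'];
    }
    return ['ok' => true, 'data' => compact('text', 'from', 'name', 'to')];
}

function handleContactForm(string $sitename): bool
{
    // Act only on an explicit POST op=sendmail, never on a bare global $op.
    if (($_POST['op'] ?? '') !== 'sendmail') {
        return false;
    }
    $result = validateContactRequest($_POST);
    if (!$result['ok']) {
        error_log('contact form rejected: ' . $result['error']);
        return false;
    }
    $d = $result['data'];
    $body = "From: {$d['name']} <{$d['from']}>\n\n{$d['text']}";
    $subject = 'Contact form on ' . cleanHeaderValue($sitename, 80);
    return mail($d['to'], $subject, $body, 'Reply-To: ' . $d['from']);
}
```

The rejected requests are written to the PHP error log, which gives an operator a simple signal that someone is probing the form with unexpected parameters.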