|
 |
| SecurityReason | ||
| WLB | ||
| RSS | ||
| Corporate | ||
| Services | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
| Details : SecurityAlert | ||||
 SecurityAlert : 2379 CVE : CVE-2006-7150 CVE : CVE-2006-7149 SecurityRisk : Medium  (About) Remote Exploit : Yes Local Exploit : No Exploit Given : Yes Credit : alireza hassani Published : 09.03.2007
Advisory Text : KAPDA New advisory Vendor: http://www.mamboserver.com Vulnerable Versions: 4.6.x Bug: XSS, Html Injection, Sql Injection Exploitation: Remote with browser Description: -------------------- Mambo is a feature-rich dynamic portal engine/content management tool capable of building sites from several pages to several thousand. Mambo uses PHP/MySQL and features a very comprehensive admin manager. Vulnerability: -------------------- XSS: Login module (mod_login.php) does not properly validate user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. As a result, the code will be able to access the target user's cookies. Code Snippet: -------------------- mod_login.php Line: # 15 if (isset($_SERVER['QUERY_STRING']) AND $_SERVER['QUERY_STRING']) $return = 'index.php?'.$_SERVER['QUERY_STRING']; Lines# 26-27 $login = $params->def( 'login', $return ); $logout = $params->def( 'logout', $return ); Line: # 55 <input type="hidden" name="return" value="<?php echo sefRelToAbs( $logout ); ?>" /> Line: # 111 <input type="hidden" name="return" value="<?php echo sefRelToAbs( $login ); ?>" /> Demonstration URL: -------------------- http://localhost/index.php?kapda"><script>alert(document.cookie)</script > (When Login/logout form is loaded, Works regardless of php.ini settings) --------------------------------------------------------------------- Html and Sql injection: Comments Component does not properly validate user-supplied input on mcname -hidden field- that may allow remote users to inject arbitrary codes. The hostile code may be rendered in the web browser of the admin at the time of approval (if its enabled) or in the web browser of the victim users who will check the pages. Impersonate and Sql Injection also is possible due to the fact that there is no logical and Technical validation. Note that Html injection is limited up to 30 characters because of database length restriction And Conducting Sql injection is hard in the current version of mysql. Code Snippet: -------------------- moscomment.php Line:# 89-93 if ($my->username) { $comment_form .= "<INPUT TYPE='hidden' NAME='mcname' value='$my->username'>"; } else { $comment_form .= "<INPUT TYPE='hidden' NAME='mcname' value='".T_('GUEST')."'>"; } com_comment.php Lines:# 51-53 $query = "INSERT INTO #__comment SET articleid='$articleid', ip='$ip', name='$mcname', comments='$comments', startdate='$startdate', published='$auto_publish_comments';"; $database->setQuery($query); $database->query(); Solution: -------------------- There is not any vendor-supplied patch at this time. Original advisory: -------------------- http://www.kapda.ir/advisory-444.html Credit: -------------------- Discovered & released by trueend5 (trueend5 kapda ir) Security Science Researchers Institute Of Iran [http://KAPDA.ir] __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
*BSD libc (strfmon) Multiple vulnerabilities
Maksymilian Arciemowicz discovered a Integer Overflow vulnerability in the libc library "strfmon()" function.A vulnerability could allow an attacker who successfully exploits this vulnerability to take control of the affected *BSD systems. |
||
| Apache |  |
|
| PHP | |
|
» PHP 5.2.5 and prior : |
||
- 2008-03-25| Copyright © SecurityReason. All Rights Reserved. |