Mambo V4.6.x vulnerabilities

Advisory Content :

KAPDA New advisory

Vendor: http://www.mamboserver.com
Vulnerable Versions: 4.6.x
Bug: XSS, Html Injection, Sql Injection
Exploitation: Remote with browser

Description:
--------------------
Mambo is a feature-rich dynamic portal engine/content
management tool capable of building sites from several
pages to several thousand. Mambo uses PHP/MySQL and
features a very comprehensive admin manager.

Vulnerability:
--------------------
XSS:
Login module (mod_login.php) does not properly
validate user-supplied input. A remote user can create
a specially crafted URL that, when loaded by a target
user, will cause arbitrary scripting code to be
executed by the target user's browser. As a result,
the code will be able to access the target user's
cookies.

Code Snippet:
--------------------
mod_login.php
Line: # 15
if (isset($_SERVER['QUERY_STRING']) AND
$_SERVER['QUERY_STRING']) $return =
'index.php?'.$_SERVER['QUERY_STRING'];
Lines# 26-27
$login = $params->def( 'login', $return );
$logout = $params->def( 'logout', $return );
Line: # 55
<input type="hidden" name="return" value="<?php echo
sefRelToAbs( $logout ); ?>" />
Line: # 111
<input type="hidden" name="return" value="<?php echo
sefRelToAbs( $login ); ?>" />

Demonstration URL:
--------------------
http://localhost/index.php?kapda"><script>alert(document.cookie)</script
>
(When Login/logout form is loaded, Works regardless of
php.ini settings)

---------------------------------------------------------------------
Html and Sql injection:
Comments Component does not properly validate
user-supplied input on mcname -hidden field- that may
allow remote users to inject arbitrary codes. The
hostile code may be rendered in the web browser of the
admin at the time of approval (if its enabled) or in
the web browser of the victim users who will check the
pages.
Impersonate and Sql Injection also is possible due to
the fact that there is no logical and Technical
validation.
Note that Html injection is limited up to 30
characters because of database length restriction And
Conducting Sql injection is hard in the current
version of mysql.

Code Snippet:
--------------------
moscomment.php
Line:# 89-93
if ($my->username) {
$comment_form .= "<INPUT TYPE='hidden'
NAME='mcname' value='$my->username'>";
} else {
$comment_form .= "<INPUT TYPE='hidden'
NAME='mcname' value='".T_('GUEST')."'>";
}

com_comment.php
Lines:# 51-53
$query = "INSERT INTO #__comment SET
articleid='$articleid', ip='$ip', name='$mcname',
comments='$comments', startdate='$startdate',
published='$auto_publish_comments';";
$database->setQuery($query);
$database->query();

Solution:
--------------------
There is not any vendor-supplied patch at this time.

Original advisory:
--------------------
http://www.kapda.ir/advisory-444.html

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://KAPDA.ir]

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

Security

IT News

Search

SecurityAlert Database

About SecurityAlert

ExploitAlert Database

SecurityReason Research

WLB Database

Send to WLB

About WLB

Security Audit

Schedule

Prices of services

Contact

SecurityReason IT News

SecurityAlert

World Laboratory of Bugtraq

ExploitAlert

Apache

PHP

Contact

About SecurityReason