Date: 10 Dec 2003 17:56:31 -0000
From: Chintan Trivedi <chesschintan@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Mambo Open Source 4.0.14 SQL injection

Product
-------
Mambo Open Source 4.0.14


Vendor
------
http://www.mamboserver.com


Details
-------
Mambo Open Source is an open source web content management system (CMS). It is used by many websites, including commercial ones.

The function show() in the mambo/articles.php file reads as follows:

function show ($articles, $database, $dbprefix, $artid, $gid, $db) {

	// $artid is interpolated into the SQL text without any validation
	$query = "SELECT title, content, author FROM ".$dbprefix."articles, ".$dbprefix."categories WHERE artid=$artid AND ".$dbprefix."articles.published=1 AND ".$dbprefix."categories.categoryid=".$dbprefix."articles.catid AND ".$dbprefix."categories.access <=$gid";
	$result = $database->openConnectionWithReturn($query);

.
.
.
}

There is no input validation for the variable artid. An attacker can thus inject their own SQL query, retrieve the administrator's MD5 password hash from the mod_users table and use it in a cookie to gain admin access to the Mambo CMS system.
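To make the defect concrete from the defender's side, here is an added example (not Mambo's code, and not part of the original advisory) that rebuilds the query construction of show() in Python against an in-memory SQLite database. The table layout and the sample row are constructed; the "mos_" prefix is taken from the error message quoted in the advisory. fetch_unsafe() mirrors the original string interpolation, while fetch_safe() shows the hardened form: reject anything that is not a plain integer and bind the values as query parameters. probe_outcome() runs both against the advisory's harmless probe value "5 UNION somequery" so the difference is observable.

```python
import re
import sqlite3

# Mambo's default table prefix; the error message quoted in the advisory shows it as "mos_".
DBPREFIX = "mos_"

# Constructed sample schema and data, standing in for the Mambo tables the query joins.
_SCHEMA = f"""
CREATE TABLE {DBPREFIX}articles (artid INTEGER, title TEXT, content TEXT, author TEXT,
                                 published INTEGER, catid INTEGER);
CREATE TABLE {DBPREFIX}categories (categoryid INTEGER, access INTEGER);
INSERT INTO {DBPREFIX}articles VALUES (5, 'Hello', 'First post', 'admin', 1, 1);
INSERT INTO {DBPREFIX}categories VALUES (1, 0);
"""


def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def build_query_unsafe(artid, gid):
    """Mirror of show(): the request values are pasted into the SQL text verbatim."""
    return (
        f"SELECT title, content, author FROM {DBPREFIX}articles, {DBPREFIX}categories "
        f"WHERE artid={artid} AND {DBPREFIX}articles.published=1 "
        f"AND {DBPREFIX}categories.categoryid={DBPREFIX}articles.catid "
        f"AND {DBPREFIX}categories.access <={gid}"
    )


def fetch_unsafe(conn, artid, gid):
    """Run the interpolated query; anything non-numeric in artid becomes part of the SQL."""
    return conn.execute(build_query_unsafe(artid, gid)).fetchall()


_INT_RE = re.compile(r"[0-9]+")


def fetch_safe(conn, artid, gid):
    """Hardened form: refuse anything that is not a plain integer, then bind as parameters."""
    if not (_INT_RE.fullmatch(str(artid)) and _INT_RE.fullmatch(str(gid))):
        raise ValueError("artid and gid must be integers")
    sql = (
        f"SELECT title, content, author FROM {DBPREFIX}articles, {DBPREFIX}categories "
        f"WHERE artid=? AND {DBPREFIX}articles.published=1 "
        f"AND {DBPREFIX}categories.categoryid={DBPREFIX}articles.catid "
        f"AND {DBPREFIX}categories.access <=?"
    )
    return conn.execute(sql, (int(artid), int(gid))).fetchall()


def probe_outcome(fetch, artid, gid=0):
    """Classify what a fetch function does with a request value: rows, a database error
    (the query text was altered by the input), or a rejection (validation caught it)."""
    conn = open_sample_db()
    try:
        return ("rows", fetch(conn, artid, gid))
    except sqlite3.OperationalError as exc:
        return ("db_error", str(exc))
    except ValueError as exc:
        return ("rejected", str(exc))
    finally:
        conn.close()


if __name__ == "__main__":
    probe = "5 UNION somequery"  # the harmless probe value from the advisory
    for name, fetch in (("unsafe", fetch_unsafe), ("safe", fetch_safe)):
        print(name, "artid=5 ->", probe_outcome(fetch, "5"))
        print(name, f"artid={probe!r} ->", probe_outcome(fetch, probe))
```

With the unsafe builder the probe reaches the database as SQL and produces a syntax error, which is exactly the symptom the advisory tells you to look for; with the hardened version the same value never reaches the database at all. The integer check is the minimal fix for this particular parameter; parameter binding is what keeps the query structure fixed even for columns that legitimately take strings.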

How do I know whether I am vulnerable?
--------------------------------------

http://www.sitewithmambo.com/index.php?option=articles&task=viewarticle&artid=5%20UNION%20somequery

If you get an error message such as

Query failed with error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION somequery AND mos_articles.published=1 AND mos_categories.  

then you are vulnerable. An attacker can use "/*" to comment out the rest of the query.
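The same check can be turned around for detection: any request to the articles component whose artid value is not a plain integer is worth a look in the web server logs. The following is an added example (not from the advisory) that scans Apache combined-format access log lines for that condition. The log lines are constructed for the example and use the two probe values the advisory mentions ("UNION" and "/*"); the addresses and timestamps are made up.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines in Apache combined format (not taken from the advisory).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Dec/2003:17:40:01 +0000] "GET /index.php?option=articles&task=viewarticle&artid=5 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Dec/2003:17:40:09 +0000] "GET /index.php?option=articles&task=viewarticle&artid=5%20UNION%20somequery HTTP/1.1" 200 812 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2003:17:41:22 +0000] "GET /index.php?option=articles&task=viewarticle&artid=12 HTTP/1.1" 200 4890 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Dec/2003:17:41:30 +0000] "GET /index.php?option=articles&task=viewarticle&artid=12%2F* HTTP/1.1" 200 4001 "-" "Mozilla/5.0"
"""

# Enough of the combined log format to pull out the client address, timestamp and request target.
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

_INT_RE = re.compile(r"[0-9]+")


def suspicious_artid_requests(log_text):
    """Return (ip, timestamp, decoded artid) for every articles request whose artid
    is not a plain integer. parse_qs() undoes the percent-encoding, so the values
    are compared in the form the application would have interpolated into SQL."""
    hits = []
    for line in log_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        if qs.get("option") != ["articles"] or "artid" not in qs:
            continue
        for raw in qs["artid"]:
            value = raw.strip()
            if not _INT_RE.fullmatch(value):
                hits.append((m["ip"], m["ts"], value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_artid_requests(SAMPLE_LOG):
        print(f"{ts} {ip} artid={value!r}")
```

Matching on "not an integer" rather than on a list of SQL keywords keeps the rule independent of how a probe is spelled or encoded; it flags both sample probes above while leaving the two legitimate requests alone.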

------------

Chintan Trivedi - http://www.hackersprogrammers.com
"Eye On Security Research Group India". 

------------
