lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040316041725.22531.qmail@www.securityfocus.com>
Date: 16 Mar 2004 04:17:25 -0000
From: JeiAr <security@...ftech.org>
To: bugtraq@...urityfocus.com
Subject: Mambo Open Source Multiple Vulnerabilities




Vendor  : Mambo Open Source
URL     : http://www.mamboserver.com
Version : Mambo Open Source 4.5 Stable 1.0.3 && Earlier
Risk    : Multiple Vulnerabilities



Description:
Mambo Open Source is the finest open source Web Content Management System 
available today. Mambo Open Source makes communicating via the Web easy. 
Have you always wanted to have your own site but never understood how? Well 
Mambo Open Source is just the ticket! With Mambo Open Source there is no 
need for HTML, XML or DHTML skills, just enter your content, add a picture 
and then through the easy to use administrator web-interface ...click 
Publish! Simple ... Quick ... And easy! With the in-built editor Mambo Open 
Source allows you to design and create your content without the need for HTML 
code. Maintaining a website has never been easier. 



Cross Site Scripting:
There are a few variables that will allow for XSS (cross site scripting) on 
most pages of a Mambo Open Source Installation. The variables in question are 
"return", and the "mos_change_template" variable. Below are some examples of 
these mentioned XSS problems in action.

index.php?return=[XSS]
index.php?mos_change_template=[XSS]

The "return" variable is just the contents of the url, so it allows you to 
pass pretty much any junk to the url and have it printed straight to the page 
without being validated. This takes place on almost EVERY page within MOS



SQL Injection && Query Tampering:
It is possible for an attacker or malicious user to influence SQL queries by 
altering the "id" variable. The below examples is not malicious so they will 
just trigger an error. The query gets passed near 

"SELECT title FROM mos_categories WHERE id=[SQL]" in "pathway.php"

Please note that this vuln is also likely to exist in other places as well.

[VID] = A vaild id relating to the resource
[SQL] = An SQL query that's to be executed 

index.php?option=content&task=view&id=[SQL]&Itemid=[VID]
index.php?option=content&task=category&sectionid=[VID]&id=[SQL]&Itemid=[VID]
index.php?option=content&task=category&sectionid=[VID]&id=[SQL]&Itemid=[VID]


------[ Start Example Of Vuln Code ]------------------------------------------

if ($id) {
	$database->setQuery( "SELECT title FROM #__categories WHERE id=$id" );
	$title = $database->loadResult();
	echo $database->getErrorMsg();

	$id = max( array_keys( $mitems ) ) + 1;
	$mitem = pathwayMakeLink(
	$id,
	$title,
	"index.php?option=$option&amp;task=$task&amp;id=$id&amp;Itemid=$Itemid",
	$Itemid
	);
	$mitems[$id] = $mitem;
	$Itemid = $id;
}

------[ Ends Example Of Vuln Code ]-------------------------------------------

As you can see in this code snip from pathway.php, the variable $id is passed 
directly into the query without any sort of real validation. This is however 
resolved in the newly updated version of Mambo Open Source by requiring $id to be 
validated via the intval() function. That way it only returns a valid integer and 
thus prevents SQL injection from happening.



Solution:
Special thanks goes to Robert Castley for his very prompt, and professional response, 
and for the genuine concern regarding the security of Mambo Open Source server. A new 
version of the Mambo Open Source package is now available from their official website
and should be applied soon as possible. Advisory @ http://www.gulftech.org/03162004.php



Credits:
Credits go to JeiAr of the GulfTech Security Research Team. 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ