Mambo V4.6.x vulnerabilities

2007.03.09
Risk: Medium
Local: No
Remote: Yes
CWE: N/A

KAPDA New advisory

Vendor: http://www.mamboserver.com
Vulnerable Versions: 4.6.x
Bug: XSS, Html Injection, Sql Injection
Exploitation: Remote with browser

Description:
--------------------
Mambo is a feature-rich dynamic portal engine/content management tool capable of building sites from several pages to several thousand. Mambo uses PHP/MySQL and features a very comprehensive admin manager.

Vulnerability:
--------------------
XSS:
The login module (mod_login.php) does not properly validate user-supplied input. A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be executed by the target user's browser. As a result, the code will be able to access the target user's cookies.

Code Snippet:
--------------------
mod_login.php

Line: # 15
if (isset($_SERVER['QUERY_STRING']) AND $_SERVER['QUERY_STRING']) $return = 'index.php?'.$_SERVER['QUERY_STRING'];

Lines# 26-27
$login = $params->def( 'login', $return );
$logout = $params->def( 'logout', $return );

Line: # 55
<input type="hidden" name="return" value="<?php echo sefRelToAbs( $logout ); ?>" />

Line: # 111
<input type="hidden" name="return" value="<?php echo sefRelToAbs( $login ); ?>" />

Demonstration URL:
--------------------
http://localhost/index.php?kapda"><script>alert(document.cookie)</script >
(When the login/logout form is loaded. Works regardless of php.ini settings.)

---------------------------------------------------------------------

Html and Sql injection:
The Comments component does not properly validate user-supplied input in the mcname hidden field, which may allow remote users to inject arbitrary code. The hostile code may be rendered in the web browser of the admin at the time of approval (if it is enabled) or in the web browser of victim users who view the pages. Impersonation and SQL injection are also possible because there is no logical and technical validation.
Note that HTML injection is limited to 30 characters because of the database length restriction, and conducting SQL injection is hard in the current version of MySQL.

Code Snippet:
--------------------
moscomment.php

Line:# 89-93
if ($my->username) {
  $comment_form .= "<INPUT TYPE='hidden' NAME='mcname' value='$my->username'>";
} else {
  $comment_form .= "<INPUT TYPE='hidden' NAME='mcname' value='".T_('GUEST')."'>";
}

com_comment.php

Lines:# 51-53
$query = "INSERT INTO #__comment SET articleid='$articleid', ip='$ip', name='$mcname', comments='$comments', startdate='$startdate', published='$auto_publish_comments';";
$database->setQuery($query);
$database->query();

Solution:
--------------------
There is no vendor-supplied patch at this time.

Original advisory:
--------------------
http://www.kapda.ir/advisory-444.html

Credit:
--------------------
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://KAPDA.ir]
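One way to close the three weaknesses described above, written as an added example that is neither Mambo code nor a vendor patch. The function names, the in-memory SQLite table standing in for #__comment, the hardcoded published value and the sample inputs are assumptions; it needs the pdo_sqlite extension.

```php
<?php
// Added example, not Mambo's code: function names and the SQLite table are hypothetical.

// XSS: the query string lands inside value="...", so encode it for an attribute.
function render_return_field(string $queryString): string
{
    $return = $queryString !== '' ? 'index.php?' . $queryString : 'index.php';
    // ENT_QUOTES encodes both " and ', so the value cannot close the attribute.
    return '<input type="hidden" name="return" value="'
        . htmlspecialchars($return, ENT_QUOTES, 'UTF-8') . '" />';
}

// Impersonation and SQL injection: take the author from the server-side session,
// never from the posted mcname field, and bind every value as a parameter.
function insert_comment(PDO $db, ?string $sessionUser, int $articleId,
                        string $ip, string $comments): void
{
    $stmt = $db->prepare(
        'INSERT INTO comment (articleid, ip, name, comments, startdate, published)
         VALUES (?, ?, ?, ?, ?, 0)' // assumption: 0 means held for approval
    );
    $stmt->execute([$articleId, $ip, $sessionUser ?? 'GUEST', $comments,
                    date('Y-m-d H:i:s')]);
}

// HTML injection: encode stored values at the point where they are rendered.
function render_comment(array $row): string
{
    return '<b>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . '</b>: '
        . htmlspecialchars($row['comments'], ENT_QUOTES, 'UTF-8');
}

// Constructed demo data; the table stands in for #__comment.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comment (articleid INTEGER, ip TEXT, name TEXT,
           comments TEXT, startdate TEXT, published INTEGER)');

// The advisory's demonstration query string comes out as inert attribute text.
echo render_return_field('kapda"><script>alert(document.cookie)</script>'), "\n";

$_POST['mcname'] = 'admin'; // constructed forged hidden-field value, deliberately ignored
insert_comment($db, null, 7, '192.0.2.10', "it's <b>bold</b>");
foreach ($db->query('SELECT name, comments FROM comment') as $row) {
    echo render_comment($row), "\n"; // author is GUEST, markup shown as text
}
```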



Copyright 2024, cxsecurity.com

 
