Mambo CMS 4.6.5 Denial Of Service / Disclosure

2012-01-10 / 2014-06-10
Risk: Low
Local: No
Remote: Yes
CWE: CWE-399


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

Larry W. Cashdollar 1/2/2012 http://vapid.dhs.org About Mambo: "Mambo is a full-featured content management system that can be used for everything from simple websites to complex corporate applications." http://mambo-code.org? 1. Clear text password/crypt: Mambo stores mysql database password in clear text in the document root path. (default recommendation is to use root credentials) which is readable by any local user. Mambo also stores the admin password hash which is readable by any local user. from documentation: "http://help.mamboserver.com/index.php?option=com_content&task=view&id=41&Itemid=70 - CHMOD configuration.php to 777 Additional Notes on CHMOD [Permissions] - For additional security return configuration.php to CHMOD 644 after making changes." It should be chmod 600 and owned by whatever user the httpd process is running as at a minimum. 2. DoS An attacker doesn't have to be authenticated to start the process of uploading a file. The file won't be saved as xml from Connector.php is required, but memory and bandwidth are consumed. (legacy code from fckeditor) There might be more here to exploit.. actually uploading a .php file would be neat. http://<target ip>/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/frmupload.html 3. path disclosure There appears to be broken php scripts installed with the package: http://<target ip>/mambots/editors/mostlyce/jscripts/tiny_mce/imagemanager/thumbs.php & editorFrame.php editor.php images.php manager.php are all busted and return Warning: require(/var/wwwmambots/editors/mostlyce/jscripts/tiny_mce/auth_check.php) [function.require]: failed to open stream: No such file or directory in /var/www/mambots/editors/mostlyce/jscripts/tiny_mce/imagemanager/editorFrame.php on line 4 Fatal error: require() [function.require]: Failed opening required '/var/wwwmambots/editors/mostlyce/jscripts/tiny_mce/auth_check.php' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/mambots/editors/mostlyce/jscripts/tiny_mce/imagemanager/editorFrame.php on line 4

References:

http://vapid.dhs.org


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top