Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:14772
HistoryOct 21, 2006 - 12:00 a.m.

[KAPDA::#60] Mambo V4.6.x vulnerabilities

2006-10-2100:00:00
vulners.com
28

KAPDA New advisory

Vendor: http://www.mamboserver.com
Vulnerable Versions: 4.6.x
Bug: XSS, Html Injection, Sql Injection
Exploitation: Remote with browser

Description:

Mambo is a feature-rich dynamic portal engine/content
management tool capable of building sites from several
pages to several thousand. Mambo uses PHP/MySQL and
features a very comprehensive admin manager.

Vulnerability:

XSS:
Login module (mod_login.php) does not properly
validate user-supplied input. A remote user can create
a specially crafted URL that, when loaded by a target
user, will cause arbitrary scripting code to be
executed by the target user's browser. As a result,
the code will be able to access the target user's
cookies.

Code Snippet:

mod_login.php
Line: # 15
if (isset($_SERVER['QUERY_STRING']) AND
$_SERVER['QUERY_STRING']) $return =
'index.php?'.$_SERVER['QUERY_STRING'];
Lines# 26-27
$login = $params->def( 'login', $return );
$logout = $params->def( 'logout', $return );
Line: # 55
<input type="hidden" name="return" value="<?php echo
sefRelToAbs( $logout ); ?>" />
Line: # 111
<input type="hidden" name="return" value="<?php echo
sefRelToAbs( $login ); ?>" />

Demonstration URL:

http://localhost/index.php?kapda&quot;&gt;&lt;script&gt;alert&#40;document.cookie&#41;&lt;/script
>
(When Login/logout form is loaded, Works regardless of
php.ini settings)


Html and Sql injection:
Comments Component does not properly validate
user-supplied input on mcname -hidden field- that may
allow remote users to inject arbitrary codes. The
hostile code may be rendered in the web browser of the
admin at the time of approval (if its enabled) or in
the web browser of the victim users who will check the
pages.
Impersonate and Sql Injection also is possible due to
the fact that there is no logical and Technical
validation.
Note that Html injection is limited up to 30
characters because of database length restriction And
Conducting Sql injection is hard in the current
version of mysql.

Code Snippet:

moscomment.php
Line:# 89-93
if ($my->username) {
$comment_form .= "<INPUT TYPE='hidden'
NAME='mcname' value='$my->username'>";
} else {
$comment_form .= "<INPUT TYPE='hidden'
NAME='mcname' value='".T_('GUEST')."'>";
}

com_comment.php
Lines:# 51-53
$query = "INSERT INTO #__comment SET
articleid='$articleid', ip='$ip', name='$mcname',
comments='$comments', startdate='$startdate',
published='$auto_publish_comments';";
$database->setQuery($query);
$database->query();

Solution:

There is not any vendor-supplied patch at this time.

Original advisory:

http://www.kapda.ir/advisory-444.html

Credit:

Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
[http://KAPDA.ir]


Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com