Mambo SiteServer 4.0 is a dynamic web content management tool capable of building sites of anything from several pages to several thousand. It comes complete with 10 built-in modules, a WYSIWYG editor, site statistics, an admin interface and much more. The Mambo product has been found to contain multiple security vulnerabilities.
Credit:
The information has been provided by euronymous.
Vulnerable systems:
* Mambo Site Server version 4.0.11
1) PHP and system environment information
Mambo ships with a common script that calls the phpinfo() function. phpinfo() prints a great deal of sensitive information, including full physical paths, PHP settings, etc. The script is placed under Mambo's `administrator' directory but is not protected by it:
http://hostname/mambo/administrator/phpinfo.php
2) Search.php XSS
In the search field of the index page you can put any scripting code. This code is displayed back unescaped, causing a cross-site scripting vulnerability.
3) Path disclosure
If you call index.php with a parameter it does not expect, the following error message is displayed:
====================================================
Fatal error: Maximum execution time of 30 seconds
exceeded in /var/www/html/mambo/classes/database.php
on line 30
====================================================
Example:
http://hostname/mambo/index.php?Itemid=some_foobar
4) Default administrative credentials
After installation, Mambo has a default account for managing the various components:
username: admin
password: admin
This should be changed as soon as possible. This is done via the administration pages accessible via the administrative login screen:
http://hostname/mambo/administrator
5) Unauthorized database access
If an administrator has installed phpMyAdmin and has not made the corresponding changes in configuration.php, a remote attacker will be able to access the database without any authorization whatsoever:
http://hostname/mambo/administrator/phpMyAdmin.php
6) Cross site scripting via `Your name' field
Within the account registration procedure you need to fill out several fields, such as username, password, etc. In the `Your name' field you can put any scripting code. The code will be interpreted (executed) every time another user reads that user's posts, news, etc.
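As an added defender-side example, not part of the advisory, the following Python script scans constructed Apache access-log lines for the request patterns described in items 1, 2, 3 and 5: hits on the unprotected administrator/phpinfo.php and phpMyAdmin.php scripts, non-numeric Itemid values that trigger the path-disclosing error, and script markup in any query parameter. The `searchword` parameter name and the log contents are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache combined-format log lines for the demo, not real traffic.
# The "searchword" parameter name is an assumption; the advisory does not name it.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2003:10:00:00 +0000] "GET /mambo/index.php?Itemid=27 HTTP/1.1" 200 5120 "-" "Mozilla"
10.0.0.7 - - [01/Jan/2003:10:00:01 +0000] "GET /mambo/administrator/phpinfo.php HTTP/1.1" 200 40233 "-" "Mozilla"
10.0.0.7 - - [01/Jan/2003:10:00:02 +0000] "GET /mambo/administrator/phpMyAdmin.php HTTP/1.1" 200 1234 "-" "Mozilla"
10.0.0.9 - - [01/Jan/2003:10:00:03 +0000] "GET /mambo/index.php?Itemid=some_foobar HTTP/1.1" 200 300 "-" "Mozilla"
10.0.0.9 - - [01/Jan/2003:10:00:04 +0000] "GET /mambo/index.php?searchword=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2000 "-" "Mozilla"
10.0.0.5 - - [01/Jan/2003:10:00:05 +0000] "POST /mambo/administrator/index.php HTTP/1.1" 200 900 "-" "Mozilla"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')
# Scripts the advisory says sit under administrator/ but are not protected by it.
EXPOSED = ("administrator/phpinfo.php", "administrator/phpmyadmin.php")
# Script markup in any query value (after URL-decoding); a coarse XSS indicator.
XSS_RE = re.compile(r"<\s*script|javascript:|on\w+\s*=", re.IGNORECASE)

def classify(url):
    """Return a finding label for one request URL, or None if it looks benign."""
    parts = urlsplit(url)
    path = parts.path.lower()
    if path.endswith(EXPOSED):  # str.endswith accepts a tuple of suffixes
        return "exposed_admin_script"
    params = parse_qs(parts.query, keep_blank_values=True)
    # parse_qs already decodes once; unquote again catches double-encoded payloads
    if any(XSS_RE.search(unquote(v)) for vals in params.values() for v in vals):
        return "xss_attempt"
    if path.endswith("/index.php") and "Itemid" in params:
        if not all(v.isdigit() for v in params["Itemid"]):
            return "path_disclosure_probe"
    return None

def analyze(log_text):
    """Walk the log and collect (ip, label, status, url) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip, _method, url, status = m.groups()
        label = classify(url)
        if label:
            findings.append((ip, label, int(status), url))
    return findings

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

A 200 status on the phpinfo.php or phpMyAdmin.php hits confirms the script is actually reachable, which is the condition the advisory describes.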