Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Web :: CMS / Portals :: b06-5350.htm

Mambo V4.6.x vulnerabilities
Mambo V4.6.x vulnerabilities
Mambo V4.6.x vulnerabilities

KAPDA New advisory

Vulnerable Versions: 4.6.x
Bug: XSS, Html Injection, Sql Injection
Exploitation: Remote with browser

Mambo is a feature-rich dynamic portal engine/content
management tool capable of building sites from several
pages to several thousand. Mambo uses PHP/MySQL and
features a very comprehensive admin manager.

Login module (mod_login.php) does not properly
validate user-supplied input. A remote user can create
a specially crafted URL that, when loaded by a target
user, will cause arbitrary scripting code to be
executed by the target user's browser. As a result,
the code will be able to access the target user's

Code Snippet:
Line: # 15
$_SERVER['QUERY_STRING']) $return 'index.php?'.$_SERVER['QUERY_STRING'];
Lines# 26-27
$login 		= $params->def( 'login', $return );
$logout 	= $params->def( 'logout', $return );
Line: # 55

Line: # 111

Demonstration URL: 
(When Login/logout form is loaded, Works regardless of
php.ini settings)

Html and Sql injection:
Comments Component does not properly validate
user-supplied input on mcname -hidden field- that may
allow remote users to inject arbitrary codes. The
hostile code may be rendered in the web browser of the
admin at the time of approval (if its enabled) or in
the web browser of the victim users who will check the
Impersonate and Sql Injection also is possible due to
the fact that there is no logical and Technical
Note that Html injection is limited up to 30
characters because of database length restriction And
Conducting Sql injection is hard in the current
version of mysql.

Code Snippet:
Line:# 89-93
 if ($my->username) {
          $comment_form .= "";
        } else {
          $comment_form .= "";

Lines:# 51-53
	$query = "INSERT INTO #__comment SET
articleid='$articleid', ip='$ip', name='$mcname',
comments='$comments', startdate='$startdate',

There is not any vendor-supplied patch at this time.

Original advisory:

Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran

Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH