13th Dec 2002 [SBWID-5873]
COMMAND
Multiple Mambo Site Server security weaknesses
SYSTEMS AFFECTED
Mambo Site Server 4.0.11
PROBLEM
euronymous, F0KP and HACKRU Team released:
http://f0kp.iplus.ru/bz/010.en.txt
http://f0kp.iplus.ru/bz/010.ru.txt
1) PHP and system environment information
Mambo ships with a script that calls phpinfo(), which prints a large amount
of sensitive information, including full filesystem paths, PHP settings and
so on. The script is placed under Mambo's `administrator' directory:
http://hostname/mambo/administrator/phpinfo.php
2) search.php XSS
Any scripting code entered in the search field of the index page is passed
to search.php and interpreted (reflected) in its output.
3) Weak passwords allowed, and account lockout
registration.php allows you to choose a password only 1 character long.
During registration you cannot use special characters (e.g. the space
character) in a password, but when you edit your registered account and
change the password to a single space character, you can no longer log in,
because the script outputs the error message `please complete username and
password fields'. The account is thus locked.
4) Path disclosure
If you call index.php with a parameter value that does not exist, you get
the following error message, which reveals the installation path:
====================================================
Fatal error: Maximum execution time of 30 seconds
exceeded in /var/www/html/mambo/classes/database.php
on line 30
====================================================
Example URL:
http://hostname/mambo/index.php?Itemid=some_shit
5) Default administration credentials
Immediately after installation, Mambo has a default account for managing
the various site components:
username: admin
password: admin
Administration login page:
http://hostname/mambo/administrator
6) Unauthenticated database access
If the admin has installed phpMyAdmin and has made the corresponding
changes in configuration.php, then you can access the database without any
authorisation, through a comfortable web interface :)
http://hostname/mambo/administrator/phpMyAdmin.php
7) Script injection via the `Your name' field
During account registration you need to fill out several fields, such as
username, password, etc. In the `Your name' field you can put any scripting
code, which will then be interpreted every time a user reads your articles,
news, etc. published via Mambo Site Server. There is one obstacle: until
the admin has reviewed your article, it is not published.
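The following checker, added here as an example and not code from the advisory or the Mambo project, tests a Mambo installation for the exposure indicators described in items 1, 2, 4, 5 and 6 above (phpinfo.php, reflected search input, path-disclosing PHP errors, admin/admin, and an unauthenticated phpMyAdmin.php). Network access is abstracted behind a fetch callable so the checks run offline against constructed responses; the search parameter name `searchword`, the admin login form fields `usrname`/`pass`, and the "no password field in the response means login succeeded" heuristic are assumptions, not details taken from the advisory. Only point urllib_fetch at hosts you are authorised to test.

```python
"""Offline-testable checks for the Mambo 4.0.11 exposure indicators.

Added example, not code from the advisory or the Mambo project. Form field
names for the admin login and the search parameter name are assumptions.
"""
import re
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    body: str


Fetch = Callable[[str, str, Optional[Dict[str, str]]], Response]

XSS_MARKER = "<mbo_xss_check>"  # constructed marker; harmless if echoed

# Indicators each check looks for in a response body.
PHPINFO_RE = re.compile(r"PHP Version|phpinfo\(\)", re.I)
PATH_RE = re.compile(r"(?:Fatal error|Warning)(?:</b>)?:.*? in (/\S+\.php) on line \d+", re.I | re.S)
PHPMYADMIN_RE = re.compile(r"phpMyAdmin", re.I)


def check_phpinfo(fetch: Fetch, base: str) -> bool:
    """1) phpinfo.php reachable under administrator/."""
    r = fetch("GET", base + "administrator/phpinfo.php", None)
    return r.status == 200 and bool(PHPINFO_RE.search(r.body))


def check_reflected_xss(fetch: Fetch, base: str) -> bool:
    """2) search term echoed back unescaped (parameter name 'searchword' is assumed)."""
    q = urllib.parse.urlencode({"searchword": XSS_MARKER})
    r = fetch("GET", base + "search.php?" + q, None)
    return XSS_MARKER in r.body  # unescaped '<' and '>' came back verbatim


def check_path_disclosure(fetch: Fetch, base: str) -> Optional[str]:
    """4) bogus Itemid leaks a filesystem path in a PHP error; returns the path."""
    r = fetch("GET", base + "index.php?Itemid=nonexistent", None)
    m = PATH_RE.search(r.body)
    return m.group(1) if m else None


def check_default_admin(fetch: Fetch, base: str) -> bool:
    """5) admin/admin accepted by the administrator login (field names assumed)."""
    data = {"usrname": "admin", "pass": "admin", "submit": "Login"}
    r = fetch("POST", base + "administrator/index.php", data)
    # Heuristic (assumption): a failed login re-renders the password field.
    return r.status == 200 and 'type="password"' not in r.body.lower()


def check_phpmyadmin(fetch: Fetch, base: str) -> bool:
    """6) phpMyAdmin served without authentication."""
    r = fetch("GET", base + "administrator/phpMyAdmin.php", None)
    return r.status == 200 and bool(PHPMYADMIN_RE.search(r.body))


def run_checks(fetch: Fetch, base: str) -> Dict[str, object]:
    base = base if base.endswith("/") else base + "/"
    return {
        "phpinfo_exposed": check_phpinfo(fetch, base),
        "search_reflected_xss": check_reflected_xss(fetch, base),
        "path_disclosure": check_path_disclosure(fetch, base),
        "default_admin_creds": check_default_admin(fetch, base),
        "phpmyadmin_exposed": check_phpmyadmin(fetch, base),
    }


def urllib_fetch(method: str, url: str, data: Optional[Dict[str, str]]) -> Response:
    """Real HTTP fetch; only use against hosts you are authorised to test."""
    body = urllib.parse.urlencode(data).encode() if data else None
    req = urllib.request.Request(url, data=body, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return Response(resp.status, resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read().decode("utf-8", "replace"))


def canned_fetch(responses: Dict[str, Response]) -> Fetch:
    """Offline fetch backed by constructed responses keyed by 'METHOD url'."""
    def fetch(method: str, url: str, data: Optional[Dict[str, str]]) -> Response:
        return responses.get(f"{method} {url}", Response(404, "Not Found"))
    return fetch


# Constructed sample responses modelled on the advisory's descriptions.
SAMPLE_HOST = "http://hostname/mambo/"
SAMPLE_RESPONSES = {
    "GET http://hostname/mambo/administrator/phpinfo.php":
        Response(200, "<title>phpinfo()</title><h1>PHP Version 4.2.3</h1>"),
    "GET http://hostname/mambo/search.php?searchword=%3Cmbo_xss_check%3E":
        Response(200, "Search results for <mbo_xss_check>: none"),
    "GET http://hostname/mambo/index.php?Itemid=nonexistent":
        Response(200, "Fatal error: Maximum execution time of 30 seconds exceeded "
                      "in /var/www/html/mambo/classes/database.php on line 30"),
    "POST http://hostname/mambo/administrator/index.php":
        Response(200, "<h1>Mambo Administration</h1> Logged in as admin"),
    "GET http://hostname/mambo/administrator/phpMyAdmin.php":
        Response(200, "<title>phpMyAdmin 2.3</title>"),
}

if __name__ == "__main__":
    for name, result in run_checks(canned_fetch(SAMPLE_RESPONSES), SAMPLE_HOST).items():
        print(f"{name}: {result}")
```

The checks report indicators, not confirmed compromise: the default-credential test in particular relies on an assumed success heuristic and should be confirmed by hand, and a missing `searchword` echo does not prove search.php is safe if the real parameter name differs.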
SOLUTION
See http://sourceforge.org/projects/mambo