James Bercegay has reported some vulnerabilities in Mambo, which can be exploited by malicious people to conduct SQL injection attacks and potentially compromise a vulnerable system.

1) Input passed to the "username" parameter in /includes/mambo.php isn't properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows bypassing of authentication but that "magic_quotes_gpc" is disabled. This may be further exploited to login as the admin user to install and execute arbitrary modules.

2) Input passed to the "task" parameter in index2.php and to the "filter" parameter in the "com_content" component isn't properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Some other parameters may reportedly also be affected.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

3) Input passed to the "imos_change_template" parameter in the _setTemplate() function isn't properly verified, before it is used to include files. This can be exploited to include "index.php" files from arbitrary local directories via directory traversal attacks.

It is also possible to create files in the "cache" directory via the "feed" parameter passed in the RSS component.

The vulnerabilities have been reported in versions 4.5.3 and 4.5.3h. Prior versions may also be affected.

Solution
Update to version 4.5.4.
Further details available to Secunia VIM customers

Provided and/or discovered by
James Bercegay, GulfTech Security Research Team.

Additional information provided by trueend5, Security Science Researchers Institute Of Iran.

Changelog
Further details available to Secunia VIM customers

Original Advisory
http://www.gulftech.org/?node=research&article_id=00104-02242006

Deep Links
Links available to Secunia VIM customers