Security Advisory SA22221 - Mambo Multiple Vulnerabilities

Secunia

Blog

Secunia Advisory SA22221

Mambo Multiple Vulnerabilities

Secunia Advisory

SA22221

Release Date

2006-10-05

Last Update

2007-03-14

Popularity

18,356 views

Comments

0 comments

Criticality level

Moderately critical

Impact

Cross Site Scripting
Manipulation of data

Where

From remote

Authentication level

This information is available to Secunia VIM customers

Report reliability

This information is available to Secunia VIM customers

Solution Status

Partial Fix

Systems affected

This information is available to Secunia VIM customers

Approve distribution

This information is available to Secunia VIM customers

Software:

Mambo 4.x

Secunia CVSS Score

This information is available to Secunia VIM Customers

CVE Reference(s)

CVE-2006-7149 CVSS score available to Secunia VIM customers
CVE-2006-7150 CVSS score available to Secunia VIM customers

Description

Some vulnerabilities have been discovered in Mambo, which can be exploited by malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.

1) Input passed to the "usercookie[password]" cookie parameter in includes/mambo.php (version 4.5.4) is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

Note: A weakness has also been reported, that allows users to change their passwords without knowing the old password. In combination these issues can be exploited to access the administration section.

The vulnerabilities are confirmed in version 4.5.4 with Security Patch 2, version 4.6, and version 4.6.1. Other versions may also be affected.

2) Input passed via the URL is not properly sanitised before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the user is running a browser that has not URL-encoded the request (e.g. Internet Explorer).

3) Input passed to the "mcname" parameter when posting a comment is not properly sanitised before it is used. This can be exploited to insert limited HTML and script code, which will be executed in an administrative user's browser session in context of an affected site when the malicious data is viewed.

4) Input passed to the "mcname" parameter when posting a comment is also not properly sanitised before it is used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerabilities are confirmed in version 4.6.1. Other versions may also be affected.

Solution
Update to version 4.5.4 SP3, which fixes vulnerability #1.
Further details available to Secunia VIM customers

Provided and/or discovered by
1) James Bercegay
2-4) trueend5

Changelog
Further details available to Secunia VIM customers

Original Advisory
1) http://www.gulftech.org/?node=research&article_id=00116-10042006
2-4) http://www.kapda.ir/advisory-444.html

Deep Links
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Mambo Multiple Vulnerabilities

No posts yet

Secunia Advisory SA22221

Mambo Multiple Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?