Secunia

Community Login

Customer Login

Partner Login

Overview

Advisories

Research

Forums

Create Profile

Our Commitment

Database

Advisories by Product

Advisories by Vendor

Terminology

Report Vulnerability

Insecure Library Loading

Secunia Advisory SA22221

Mambo Multiple Vulnerabilities

Secunia Advisory

SA22221

Get alerted and manage the vulnerability life cycle

Release Date

2006-10-05

Last Update

2007-03-14

Popularity

17,847 views

Comments

0 comments

Criticality level

Moderately critical

Impact

Cross Site Scripting
Manipulation of data

Where

From remote

Authentication level

Available in Customer Area

Report reliability

Available in Customer Area

Solution Status

Partial Fix

Systems affected

Available in Customer Area

Approve distribution

Available in Customer Area

Software:

Mambo 4.x

Secunia CVSS Score

Available in Customer Area

CVE Reference(s)

CVE-2006-7149 CVSS available in Customer Area
CVE-2006-7150 CVSS available in Customer Area

Description

Some vulnerabilities have been discovered in Mambo, which can be exploited by malicious people to conduct cross-site scripting, script insertion and SQL injection attacks.

1) Input passed to the "usercookie[password]" cookie parameter in includes/mambo.php (version 4.5.4) is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

Note: A weakness has also been reported, that allows users to change their passwords without knowing the old password. In combination these issues can be exploited to access the administration section.

The vulnerabilities are confirmed in version 4.5.4 with Security Patch 2, version 4.6, and version 4.6.1. Other versions may also be affected.

2) Input passed via the URL is not properly sanitised before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation requires that the user is running a browser that has not URL-encoded the request (e.g. Internet Explorer).

3) Input passed to the "mcname" parameter when posting a comment is not properly sanitised before it is used. This can be exploited to insert limited HTML and script code, which will be executed in an administrative user's browser session in context of an affected site when the malicious data is viewed.

4) Input passed to the "mcname" parameter when posting a comment is also not properly sanitised before it is used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires that "magic_quotes_gpc" is disabled.

The vulnerabilities are confirmed in version 4.6.1. Other versions may also be affected.

Solution
Update to version 4.5.4 SP3, which fixes vulnerability #1.
Further details available in Customer Area

Provided and/or discovered by
1) James Bercegay
2-4) trueend5

Changelog
Further details available in Customer Area

Original Advisory
1) http://www.gulftech.org/?node=research&article_id=00116-10042006
2-4) http://www.kapda.ir/advisory-444.html

Deep Links
Links available in Customer Area

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Mambo Multiple Vulnerabilities

No posts yet

Secunia

Secunia Advisory SA22221

Mambo Multiple Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?