[NEWS] Multiple Mambo Site Server Security Weaknesses

From: support@securiteam.com
Date: 12/15/02

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 15 Dec 2002 23:50:02 +0200


    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      Multiple Mambo Site Server Security Weaknesses
    ------------------------------------------------------------------------

    SUMMARY

     <http://sourceforge.net/projects/mambo> Mambo SiteServer 4.0 is a dynamic
    web content management tool capable of building sites ranging from a few
    pages to several thousand. It comes complete with 10 built-in modules, a
    WYSIWYG editor, site statistics, an admin interface and much more.
    The Mambo product has been found to contain multiple security
    vulnerabilities.

    DETAILS

    Vulnerable systems:
     * Mambo Site Server version 4.0.11

    1) PHP and system environment information
    Mambo ships with a common script that calls the phpinfo() function.
    phpinfo() prints a great deal of sensitive information, including full
    physical paths, PHP settings, etc. The script is placed under Mambo's
    `administrator' directory but is not protected by the administrator login:
    http://hostname/mambo/administrator/phpinfo.php

    2) Search.php XSS
    Any scripting code entered in the search field of the index page is
    displayed back without being filtered, causing a cross site scripting
    vulnerability.

    3) Path disclosure
    If index.php is called with a parameter value it does not expect, the
    following error message will be displayed:
     ====================================================
    Fatal error: Maximum execution time of 30 seconds
    exceeded in /var/www/html/mambo/classes/database.php
    on line 30
     ====================================================

    Example:
    http://hostname/mambo/index.php?Itemid=some_foobar

    4) Default administrative credentials
    After installation, Mambo has a default account for managing the various
    components:
    username: admin
    password: admin

    This should be changed as soon as possible. This is done via the
    administration pages accessible via the administrative login screen:
    http://hostname/mambo/administrator

    5) Unrestricted database access
    If an administrator has installed phpMyAdmin and has not made the
    corresponding changes in configuration.php, a remote attacker will be able
    to access the database without any authorization whatsoever:
    http://hostname/mambo/administrator/phpMyAdmin.php

    6) Cross site scripting via `Your name' field
    Within the account registration procedure you need to fill out several
    fields, such as username, password, etc. The `Your name' field accepts
    any scripting code. The stored code is interpreted (executed) every time
    another user reads that user's posts, news items, etc.
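As an added example (not part of the original advisory), a small Python triage script that flags the URL-visible probes from items 1, 2, 3 and 5 in an Apache access log: requests for the unprotected administrator/phpinfo.php and phpMyAdmin.php, script markup in query parameters, and the non-numeric Itemid that triggers the path-disclosing error. The search parameter name `searchword` and the sample log lines are assumptions constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Apache combined log format (the sample lines further down are constructed for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
# Scripts the advisory lists under administrator/ that the admin login does not protect.
EXPOSED_FILES = {
    "administrator/phpinfo.php": "phpinfo disclosure (item 1)",
    "administrator/phpmyadmin.php": "unprotected phpMyAdmin (item 5)",
}
SCRIPT_RE = re.compile(r"<\s*script|javascript:", re.IGNORECASE)

def triage(line):
    """Return (ip, reason) findings for one access-log line; [] if it looks benign."""
    m = LOG_RE.match(line)
    if not m:
        return []
    ip, parts = m.group("ip"), urlsplit(m.group("target"))
    path = unquote_plus(parts.path).lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = [(ip, why) for f, why in EXPOSED_FILES.items() if path.endswith(f)]
    for name, values in query.items():
        # Item 2: script markup in any query parameter; decode once more to catch double encoding.
        if any(SCRIPT_RE.search(unquote_plus(v)) for v in values):
            findings.append((ip, f"script markup in parameter {name!r} (item 2)"))
    for v in query.get("Itemid", []):
        # Item 3: a non-numeric Itemid is exactly the request the advisory uses to trigger the error.
        if not v.isdigit():
            findings.append((ip, "non-numeric Itemid, path-disclosure probe (item 3)"))
    return findings

def triage_log(text):
    # Run triage over every line; findings come back in log order.
    return [f for line in text.splitlines() for f in triage(line)]

# Constructed sample log: four probes matching the advisory plus one normal request.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Dec/2002:23:50:02 +0200] "GET /mambo/administrator/phpinfo.php HTTP/1.0" 200 41233
10.0.0.5 - - [15/Dec/2002:23:50:09 +0200] "GET /mambo/index.php?Itemid=some_foobar HTTP/1.0" 200 512
10.0.0.7 - - [15/Dec/2002:23:51:30 +0200] "GET /mambo/index.php?searchword=%3Cscript%3Ex%3C%2Fscript%3E HTTP/1.0" 200 3100
10.0.0.9 - - [15/Dec/2002:23:52:01 +0200] "GET /mambo/index.php?Itemid=27 HTTP/1.0" 200 9020
10.0.0.5 - - [15/Dec/2002:23:53:44 +0200] "GET /mambo/administrator/phpMyAdmin.php HTTP/1.0" 200 2200
"""

if __name__ == "__main__":
    for ip, reason in triage_log(SAMPLE_LOG):
        print(f"{ip:12} {reason}")
```

The same host hitting phpinfo.php, an odd Itemid and phpMyAdmin.php within minutes is the pattern worth alerting on; removing phpinfo.php and putting the administrator directory behind the admin login removes the first and last of these.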

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:just-a-user@yandex.ru>
    euronymous.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
