Mambo Open Source 4.0.14 SQL injection

From: Chintan Trivedi (chesschintan_at_hotmail.com)
Date: 12/10/03

    Date: 10 Dec 2003 17:56:31 -0000
    To: bugtraq@securityfocus.com

    Product
    -------
    Mambo Open Source 4.0.14

    Vendor
    ------
    http://www.mamboserver.com

    Details
    -------
        Mambo Open Source is an open source web content management system. Mambo Open Source CMS is used by many websites, including commercial ones.

    The function show() in the mambo/articles.php file looks like this:

    function show ($articles, $database, $dbprefix, $artid, $gid, $db) {

            // $artid and $gid are interpolated directly into the SQL string,
            // without any validation or escaping
            $query = "SELECT title, content, author FROM ".$dbprefix."articles, ".$dbprefix."categories WHERE artid=$artid AND ".$dbprefix."articles.published=1 AND ".$dbprefix."categories.categoryid=".$dbprefix."articles.catid AND ".$dbprefix."categories.access <=$gid";
            $result = $database->openConnectionWithReturn($query);

            ...
    }

    There is no input validation for the variable artid. An attacker can thus inject his own SQL query, retrieve the administrator's MD5 password hash from the mod_users table and use it in a cookie to gain admin access to the Mambo CMS system.

    How do I know whether I am vulnerable?
    --------------------------------------

    http://www.sitewithmambo.com/index.php?option=articles&task=viewarticle&artid=5%20UNION%20somequery

    If you get an error message such as

    Query failed with error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION somequery AND mos_articles.published=1 AND mos_categories.

    then you are vulnerable. An attacker can use "/*" to comment out the rest of the query.
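    The following is an added example, not Mambo's own code: it places the query-building pattern from show() above beside a hardened form that validates artid as an integer before it reaches the SQL string and binds it as a parameter, and runs the probe value from the URL above through the validator. It assumes a PDO connection handle ($pdo) rather than Mambo's $database object; the table names and the mos_ prefix are taken from the advisory.

```php
<?php
// Added example (not from Mambo). Vulnerable pattern as in show(): $artid is
// concatenated into the SQL text unvalidated, so "5 UNION somequery" becomes
// part of the WHERE clause.
function buildArticleQueryUnsafe(string $dbprefix, string $artid, int $gid): string {
    return "SELECT title, content, author FROM {$dbprefix}articles, {$dbprefix}categories"
         . " WHERE artid=$artid AND {$dbprefix}articles.published=1"
         . " AND {$dbprefix}categories.categoryid={$dbprefix}articles.catid"
         . " AND {$dbprefix}categories.access <=$gid";
}

// Hardened: accept only a plain positive decimal integer. FILTER_VALIDATE_INT
// returns false for "5 UNION somequery", "5/*", "5 " with trailing junk, etc.
function validateArticleId(string $raw): int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('artid must be a positive integer');
    }
    return $id;
}

// Hardened query: validated id bound as an integer parameter. $dbprefix is a
// server-side configuration constant, never user input (identifiers cannot be
// bound, so it still has to be trusted). $pdo is an assumed PDO handle.
function fetchArticleSafe(PDO $pdo, string $dbprefix, string $rawArtid, int $gid): ?array {
    $artid = validateArticleId($rawArtid);
    $sql = "SELECT title, content, author FROM {$dbprefix}articles, {$dbprefix}categories"
         . " WHERE artid = :artid AND {$dbprefix}articles.published = 1"
         . " AND {$dbprefix}categories.categoryid = {$dbprefix}articles.catid"
         . " AND {$dbprefix}categories.access <= :gid";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':artid', $artid, PDO::PARAM_INT);
    $stmt->bindValue(':gid', $gid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Demonstration with the probe string from the advisory URL (constructed input,
// no database needed for this part).
$probe = '5 UNION somequery';
echo buildArticleQueryUnsafe('mos_', $probe, 0), "\n"; // injected text lands in WHERE
try {
    validateArticleId($probe);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n"; // hardened path never builds the query
}
echo validateArticleId('5'), "\n"; // a legitimate id passes
```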

    ------------

    Chintan Trivedi - http://www.hackersprogrammers.com
    "Eye On Security Research Group India".

    ------------

