Date: 10/12/03
Product : Mambo Open Source 4.0.14 webserver
Vendor : www.mamboserver.com
Discovered By : Chintan Trivedi - chesschintan [at] hotmail.com
Security Focus : http://www.securityfocus.com/archive/1/347137
===========================================================
Advisory by Eye On Security Research Group - India www.eos-india.net
===========================================================
Product
-------
Mambo Open Source 4.0.14
Vendor
------
http://www.mamboserver.com
Details
-------
Mambo Open Source is an open source Web Content Management System. Mambo
Open Source CMS is used by many websites, including commercial ones.
The function show() in the mambo/articles.php file looks like this:

    function show ($articles, $database, $dbprefix, $artid, $gid, $db) {
        // $artid is concatenated into the SQL text without any validation
        $query = "SELECT title, content, author FROM ".$dbprefix."articles, "
            .$dbprefix."categories WHERE artid=$artid"
            ." AND ".$dbprefix."articles.published=1"
            ." AND ".$dbprefix."categories.categoryid=".$dbprefix."articles.catid"
            ." AND ".$dbprefix."categories.access <=$gid";
        $result = $database->openConnectionWithReturn($query);
        .
        .
        .
    }

There is no input validation on the variable artid. An attacker can
therefore inject their own SQL query, retrieve the administrator's MD5
password hash from the mod_users table, and use it in a cookie to gain
admin access to the Mambo CMS.
How do I know whether I am vulnerable?
--------------------------------------
http://www.sitewithmambo.com/index.php?option=articles&task=viewarticle&artid=5%20UNION%20somequery
If you get an error message such as
Query failed with error: You have an error in your SQL syntax. Check the
manual that corresponds to your MySQL server version for the right syntax
to use near 'UNION somequery AND mos_articles.published=1 AND mos_categories.
it means you are vulnerable. An attacker can use "/*" to comment out the
rest of the query.
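
A hardened counterpart to show(), added here as an example (it is not Mambo's code or the vendor's fix): artid and gid are validated as integers and bound as query parameters, so the test string above is rejected before any SQL runs. It assumes PDO with the pdo_sqlite driver; the function names, the in-memory schema and the sample row are constructed, with table and column names taken from the query and error message above.

```php
<?php
// Added example, not Mambo's code. Schema and sample row are constructed.
// artid/gid are validated as integers and bound as parameters, so request
// data never becomes part of the SQL text.
function parse_id($raw): ?int
{
    // Anything that is not a non-negative integer (e.g. "5 UNION somequery") fails.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

function show_article(PDO $pdo, string $dbprefix, $artid, $gid): ?array
{
    $artid = parse_id($artid);
    $gid   = parse_id($gid);
    if ($artid === null || $gid === null) {
        return null; // reject before any SQL is built or run
    }
    // Assumption: $dbprefix comes from site configuration, not from the request.
    if (!preg_match('/\A[A-Za-z0-9_]+\z/', $dbprefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $a = $dbprefix . 'articles';
    $c = $dbprefix . 'categories';
    $stmt = $pdo->prepare(
        "SELECT title, content, author FROM $a, $c
          WHERE artid = :artid AND $a.published = 1
            AND $c.categoryid = $a.catid AND $c.access <= :gid"
    );
    $stmt->bindValue(':artid', $artid, PDO::PARAM_INT);
    $stmt->bindValue(':gid', $gid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory data so the example runs offline (needs pdo_sqlite).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mos_categories (categoryid INTEGER, access INTEGER)");
$pdo->exec("CREATE TABLE mos_articles (artid INTEGER, catid INTEGER,
            published INTEGER, title TEXT, content TEXT, author TEXT)");
$pdo->exec("INSERT INTO mos_categories VALUES (1, 0)");
$pdo->exec("INSERT INTO mos_articles VALUES (5, 1, 1, 'Hello', 'Body', 'editor')");

var_dump(show_article($pdo, 'mos_', '5', '0'));                 // the article row
var_dump(show_article($pdo, 'mos_', '5 UNION somequery', '0')); // NULL
```
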
------------
Chintan Trivedi - http://www.hackersprogrammers.com
"Eye On Security Research Group India".
------------