Multiple Mambo Site Server sec-weaknesses

From: euronymous (just-a-userat_private)
Date: Thu Dec 12 2002 - 05:28:40 PST


    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
    topic: Multiple Mambo Site Server sec-weaknesses
    product: Mambo Site Server 4.0.11
    vendor: http://sourceforge.org/projects/mambo
    risk: high
    date: 12/12/2k2
    discovered by: euronymous /F0KP /HACKRU Team
    advisory urls: http://f0kp.iplus.ru/bz/010.en.txt
                   http://f0kp.iplus.ru/bz/010.ru.txt 
    =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
    
    index
    -----
    
    1) php and system environment information
    2) search.php xss
    3) weak passwords allowed and account blocking
    4) path disclosure
    5) default administration credentials
    6) suitable database access
    7) script injecting via `Your name' field
    
    
    description
    -----------
    
    1) php and system environment information
    
    Mambo ships with a common script that calls the phpinfo()
    function, which prints a great deal of sensitive information,
    including full physical paths, PHP settings and so on. The
    script is placed under Mambo's `administrator' directory.
    
    http://hostname/mambo/administrator/phpinfo.php
    
    
    2) search.php xss
    
    Any scripting code put into the search field of the index page
    is interpreted by the search script.
    
    
    3) weak passwords allowed and account blocking
    
    registration.php lets you choose a password only 1 character
    long. During account registration you cannot use special
    characters (e.g. the space character) as a password, but if
    you edit your registered account and change the password to a
    single space character, you can no longer log in, because the
    script outputs the error message:
    `please complete username and password fields'. So the
    account becomes locked.
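The lock-out above comes from registration, profile editing and login each applying a different rule to the password. The following added example (not Mambo's own code; the function names and the minimum length are assumptions) shows one shared validator used on both paths that set a password, while login verifies against the stored hash without filtering the submitted value:

```php
<?php
// Added example, not code from Mambo Site Server. Helper names and the
// minimum length are assumed for illustration.

const MIN_PASSWORD_LENGTH = 8; // assumed policy value, not from the advisory

// One validator for every path that sets a password.
function validate_password(string $password): array
{
    $errors = [];
    // Reject whitespace-only and whitespace-padded passwords outright instead
    // of trimming them: trimming silently changes what the user typed, which
    // is exactly how a one-space password ends up unusable at login time.
    if (trim($password) === '' || trim($password) !== $password) {
        $errors[] = 'password must not be empty or begin/end with whitespace';
    }
    if (strlen($password) < MIN_PASSWORD_LENGTH) {
        $errors[] = 'password must be at least ' . MIN_PASSWORD_LENGTH . ' characters';
    }
    // Control characters are never legitimate in a password.
    if (preg_match('/[\x00-\x1F\x7F]/', $password)) {
        $errors[] = 'password contains control characters';
    }
    return $errors;
}

function store_password(array $users, string $username, string $password): array
{
    $errors = validate_password($password);
    if ($errors) {
        throw new InvalidArgumentException(implode('; ', $errors));
    }
    $users[$username] = password_hash($password, PASSWORD_DEFAULT);
    return $users;
}

// Registration and profile editing call the same code path.
function register_account(array $users, string $username, string $password): array
{
    return store_password($users, $username, $password);
}

function change_password(array $users, string $username, string $password): array
{
    return store_password($users, $username, $password);
}

// Login checks the submitted value against the stored hash as-is.
function login(array $users, string $username, string $password): bool
{
    return isset($users[$username]) && password_verify($password, $users[$username]);
}

// Constructed walk-through of the advisory's scenario.
$users = [];
$users = register_account($users, 'alice', 'correct horse battery');
var_dump(login($users, 'alice', 'correct horse battery')); // bool(true)
try {
    $users = change_password($users, 'alice', ' '); // the lock-out case
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
var_dump(login($users, 'alice', 'correct horse battery')); // bool(true): still usable
```

Because the edit path rejects the single-space password, the previous credential stays valid and the account is never left in a state that no login rule accepts.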
    
    
    4) path disclosure
    
    If you call index.php with a parameter value that does not
    exist, you see the following error message:
    
    ====================================================
    Fatal error: Maximum execution time of 30 seconds 
    exceeded in /var/www/html/mambo/classes/database.php 
    on line 30
    ====================================================
    
    example url: 
    
    http://hostname/mambo/index.php?Itemid=some_shit
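The error above reaches the client because PHP is rendering fatal errors into the response. As an added example (not Mambo's own code; the parameter handling and helper names are assumptions), the snippet below turns error display off, logs the detail server-side, and answers a fatal error with a generic page. It also validates Itemid before it reaches the database layer, so a bogus value gets a 404 instead of a stack of database calls:

```php
<?php
// Added example, not code from Mambo Site Server.
ini_set('display_errors', '0'); // never render PHP errors into the response
ini_set('log_errors', '1');     // send them to the configured error_log instead

function generic_error_page(): string
{
    return '<h1>Temporary error</h1><p>Please try again later.</p>';
}

// Fatal errors (E_ERROR, which includes "Maximum execution time exceeded")
// bypass set_error_handler(), so a shutdown function checks for them.
register_shutdown_function(function (): void {
    $err = error_get_last();
    if ($err !== null
        && in_array($err['type'], [E_ERROR, E_CORE_ERROR, E_COMPILE_ERROR], true)) {
        // Full detail, including the filesystem path, goes to the log only.
        error_log(sprintf('fatal: %s in %s:%d', $err['message'], $err['file'], $err['line']));
        if (!headers_sent()) {
            http_response_code(500);
        }
        echo generic_error_page();
    }
});

// Assumed helper: Itemid is accepted only as a positive integer.
function item_id_from_request(array $query): ?int
{
    if (!isset($query['Itemid'])) {
        return null;
    }
    $id = filter_var($query['Itemid'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

$itemId = item_id_from_request($_GET);
if (isset($_GET['Itemid']) && $itemId === null) {
    http_response_code(404);
    echo generic_error_page();
    exit;
}
// ... normal page handling continues with a validated $itemId ...
```

With display_errors off, the path never appears in the response even if a later bug triggers a fatal error; the shutdown handler only adds a proper status code and a page that does not depend on how far execution got.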
    
    
    5) default administration credentials
    
    Right after installation, Mambo has a default account for
    managing the various site components:
    
    username: admin
    password: admin
    
    administration login page:  
    
    http://hostname/mambo/administrator
    
    
    6) suitable database access
    
    If the admin has installed phpMyAdmin and has made the
    corresponding changes in configuration.php, then the database
    can be accessed without any authorisation, through a
    comfortable web interface.
    
    http://hostname/mambo/administrator/phpMyAdmin.php 
    
    
    7) script injecting via `Your name' field
    
    During the account registration procedure you need to fill
    out several fields, such as username, password, etc. In the
    `Your name' field you can put any scripting code, which will
    be interpreted every time a user reads your articles, news,
    etc. published via Mambo Site Server. But there is one
    problem: until the admin checks your article, it is not
    published.
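Items 2 and 7 are the same defect in two places: a user-controlled string (the search term, the `Your name' value) is written into HTML without encoding. The added example below (not Mambo's own code; function names are assumptions) shows the vulnerable echo beside the hardened form, and why encoding belongs at output time rather than at storage time for the stored case:

```php
<?php
// Added example, not code from Mambo Site Server. Function names are assumed.

// Vulnerable pattern (item 2): the raw term is echoed into the page, so any
// markup in it becomes live HTML in the reader's browser.
function render_search_results_vulnerable(string $term): string
{
    return '<p>Results for: ' . $term . '</p>';
}

// Hardened pattern: encode for the HTML context at the point of output.
// ENT_QUOTES covers single quotes so the value is also safe inside attributes;
// the charset must match the page's declared charset.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_search_results(string $term): string
{
    return '<p>Results for: ' . h($term) . '</p>';
}

// Stored case (item 7): the name is saved at registration and shown on every
// article. Encoding when it is displayed, not when it is stored, keeps the
// stored value intact and protects every template that prints it.
function render_author_byline(array $author): string
{
    return '<span class="author">' . h($author['name']) . '</span>';
}

// Constructed sample value of the kind the advisory describes.
$probe = '<script>alert(1)</script>';
echo render_search_results_vulnerable($probe), "\n"; // browser executes the script
echo render_search_results($probe), "\n";            // shown as literal text
echo render_author_byline(['name' => $probe]), "\n"; // same, on every article page
```

The approval step the author mentions only delays the stored case; the moderator viewing the unpublished article in the administrator interface is the first reader, so that view needs the same output encoding as the public site.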
    
    
    shouts: HACKRU Team, DWC, DHG, Spoofed Packet, HUNGOSH,
    all russian security guyz!! to kate especially )) 
    fuck_off: slavomira and other dirty ppl in *.kz
    
    ================
    im not a lame,
    not yet a hacker
    ================
    



    This archive was generated by hypermail 2b30 : Thu Dec 12 2002 - 11:43:46 PST