Mambo Open Source userpage.php SQL Injection

2003-12-10T00:00:00
ID OSVDB:7492
Type osvdb
Reporter frog-m@n (rog-man@security-corporation.com)
Modified 2003-12-10T00:00:00

Description

Vulnerability Description

Mambo contains a flaw that allows a remote attacker to inject arbitrary SQL code. User input submitted to the 'userpage.php' script is not properly validated, which allows an attacker to inject or manipulate SQL queries.

Solution Description

Upgrade to version 4.0.14 patch 02 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

References:

Vendor URL: http://www.mamboserver.com/
Secunia Advisory ID: 10413
Related OSVDB ID: 2959
Related OSVDB ID: 7489
Related OSVDB ID: 7490
Related OSVDB ID: 7491
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2003-12/0163.html
ISS X-Force ID: 13961
Generic Informational URL: http://www.security-corporation.com/advisories-023.html
Bugtraq ID: 9197