=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::= topic: Multiple Mambo Site Server sec-weaknesses product: Mambo Site Server 4.0.11 vendor: http://sourceforge.org/projects/mambo risk: high date: 12/12/2k2 discovered by: euronymous /F0KP /HACKRU Team advisory urls: http://f0kp.iplus.ru/bz/010.en.txt http://f0kp.iplus.ru/bz/010.ru.txt =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
1) php and system environment information 2) search.php xss 3) weak passwords allowed and account blocking 4) path disclosure 5) default administration credentials 6) suitable database access 7) script injecting via `Your name' field
1) php and system environment information
with mambo comming some common script, that use phpinfo() function, that print many important information, include full physical pathes, php settings and so on.. the script is placed under mambos `administrator' directory.
2) search.php xss
in search field of index page you can put any scripting code, and then it will interpreted by script above.
3) weak passwords allowed and account blocking
registration.php will allow to you choose the password with 1 charaсter in long. within account registration process you cannot use special chars (eg space char) as a password, but when you edit the your registered account and change password with one space char, then you cannot login, becose script output error message: `please complete username and password fields'. so, account was locked.
4) path disclosure
if you call index.php with parameter, that not existent, then you can see following error mesage:
==================================================== Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/mambo/classes/database.php on line 30 ====================================================
5) default administration credentials
just after installation, mambo have a default account for manage various site components.. it is a:
username: admin password: admin
administration login page:
6) suitable database access
if admin have installed phpMyAdmin and if he does make corresponding changes in configuration.php, then you can to access database w/o any authorisation and with k-comfortable web-interface ))
7) script injecting via `Your name' field
within account register procedure you need to fill out several fields, such as username, password, etc. in `Your name' field you can put any scripting code, that will interpreted every time, when some user will read your articles, news, etc published via mambo site server. but there is some problem: until admin doesnt check the your article, it was not published..
shouts: HACKRU Team, DWC, DHG, Spoofed Packet, HUNGOSH, all russian security guyz!! to kate especially )) fuck_off: slavomira and other dirty ppl in *.kz
================ im not a lame, not yet a hacker ================