Multiple Mambo Site Server sec-weaknesses

Type securityvulns
Reporter Securityvulns
Modified 2002-12-14T00:00:00


=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::= topic: Multiple Mambo Site Server sec-weaknesses product: Mambo Site Server 4.0.11 vendor: risk: high date: 12/12/2k2 discovered by: euronymous /F0KP /HACKRU Team advisory urls: =:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=


1) php and system environment information 2) search.php xss 3) weak passwords allowed and account blocking 4) path disclosure 5) default administration credentials 6) suitable database access 7) script injecting via `Your name' field


1) php and system environment information

with mambo comming some common script, that use phpinfo() function, that print many important information, include full physical pathes, php settings and so on.. the script is placed under mambos `administrator' directory.


2) search.php xss

in search field of index page you can put any scripting code, and then it will interpreted by script above.

3) weak passwords allowed and account blocking

registration.php will allow to you choose the password with 1 charaсter in long. within account registration process you cannot use special chars (eg space char) as a password, but when you edit the your registered account and change password with one space char, then you cannot login, becose script output error message: `please complete username and password fields'. so, account was locked.

4) path disclosure

if you call index.php with parameter, that not existent, then you can see following error mesage:

==================================================== Fatal error: Maximum execution time of 30 seconds exceeded in /var/www/html/mambo/classes/database.php on line 30 ====================================================

example url:


5) default administration credentials

just after installation, mambo have a default account for manage various site components.. it is a:

username: admin password: admin

administration login page:


6) suitable database access

if admin have installed phpMyAdmin and if he does make corresponding changes in configuration.php, then you can to access database w/o any authorisation and with k-comfortable web-interface ))


7) script injecting via `Your name' field

within account register procedure you need to fill out several fields, such as username, password, etc. in `Your name' field you can put any scripting code, that will interpreted every time, when some user will read your articles, news, etc published via mambo site server. but there is some problem: until admin doesnt check the your article, it was not published..

shouts: HACKRU Team, DWC, DHG, Spoofed Packet, HUNGOSH, all russian security guyz!! to kate especially )) fuck_off: slavomira and other dirty ppl in *.kz

================ im not a lame, not yet a hacker ================