GulfTech Computers - Professional Computer Services  
Additional Links
-> Dicussion Forum
-> Encryption Tools
-> Information Tools
-> Net Info Tools
-> Latest Advisories
-> Latest Vulns
-> Latest Win Software
-> Latest Nix Software
-> Security News
-> Security Press
Recent News

GulfTech Computers strives to beat the price(s) of any other business around. Check with us first as it just may save you some time and money. And who doesn't want to save money? Please contact us with any questions or inquiries.

Latest GulfTech Releases

SubScan v1.2 Scans a domain for DNS records and SubDomains. Very stealthy, and can be used to find many hosts not on the public netblock. A very interesting tool to say the least. Works on both Nix and Windows based systems. Get it now!

Download SubScan v1.2

Search GulfTech
You can use the form below to search our site. Just enter the keyword or keywords to search.
Latest Advisories
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : uudecode does not check for symlink or pipe (SCOSA-2004.7)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : OpenSSL Multiple Vulnerabilities (SCOSA-2004.10)
SCO Security Advisory - OpenServer 5.0.6 OpenServer 5.0.7 : Xsco contains a buffer overflow that could be exploited to gain root privileges (SCOSA-2004.3)
SCO Security Advisory - UnixWare 7.1.3 Open UNIX 8.0.0 : Xsco contains a buffer overflow that could be exploited to gain root privileges. (SCOSA-2004.2)
Microsoft Security Bulletin Re-release, August 2004
Latest Vulnerabilities
OpenFTPD Format String Vulnerability
Fusion News Unauthorized Account Addition Vulnerability
Jaws 0.4 Authentication Bypass Vulnerability
DansGuardian Hex Encoding URL Banned Extension Filter Bypass Vulnerability
LostBook v1.1 Javascript Execution Vulnerability
Latest Security News
Anti-spam spamvertisers agree to quit
Black Hat day 2 sounds security alarm
VPNs (Virtual Private Nightmares)
HNS Newsletter issue 224 has been released
Long-awaited IE patch (finally) arrives















Mambo Open Source Multiple Vulnerabilities
March 16, 2022


Vendor : Mambo Open Source
URL : http://www.mamboserver.com
Version : Mambo Open Source 4.5 Stable 1.0.3 && Earlier
Risk : Multiple Vulnerabilities
BID : http://www.securityfocus.com/bid/9890
: http://www.securityfocus.com/bid/9891


Description:
Mambo Open Source is the finest open source Web Content Management System available today. Mambo Open Source makes communicating via the Web easy. Have you always wanted to have your own site but never understood how? Well Mambo Open Source is just the ticket! With Mambo Open Source there is no need for HTML, XML or DHTML skills, just enter your content, add a picture and then through the easy to use administrator web-interface ...click Publish! Simple ... Quick ... And easy! With the in-built editor Mambo Open Source allows you to design and create your content without the need for HTML code. Maintaining a website has never been easier.


Cross Site Scripting:
There are a few variables that will allow for XSS (cross site scripting) on most pages of a Mambo Open Source Installation. The variables in question are "return", and the variable "mos_change_template" variable. Below are some examples of these mentioned XSS problems.

index.php?return=[XSS]
index.php?mos_change_template=[XSS]

The "return" variable is just the contents of the url, so it allows you to pass pretty much any junk to the url and have it printed straight to the page without being validated.


SQL Injection && Query Tampering:
It is possible for an attacker or malicious user to influence SQL queries by altering the "id" variable. The below examples is not malicious so they will just trigger an error. The query gets passed near

"SELECT title FROM mos_categories WHERE id=[SQL]" in "pathway.php"

Please note that this vuln is also likely to exist in other places as well.

[VID] = A vaild id relating to the resource
[SQL] = An SQL query thats to be executed

index.php?option=content&task;=view&id;=[SQL]&Itemid;=[VID]
index.php?option=content&task;=category§ionid;=[VID]&id;=[SQL]&Itemid;=[VID]
index.php?option=content&task;=category§ionid;=[VID]&id;=[SQL]&Itemid;=[VID]

------[ Start Example Of Vuln Code ]------------------------------------------

if ($id) {
	$database->setQuery( "SELECT title FROM #__categories WHERE id=$id" );
	$title = $database->loadResult();
	echo $database->getErrorMsg();
	$id = max( array_keys( $mitems ) ) + 1;
	$mitem = pathwayMakeLink(
	$id,
	$title,
	"index.php?option=$option&task;=$task&id;=$id&Itemid;=$Itemid",
	$Itemid
	);
	$mitems[$id] = $mitem;
	$Itemid = $id;
}
------[ Ends Example Of Vuln Code ]-------------------------------------------

As you can see in this code snip from pathway.php, the variable $id is passed directly into the query without any sort of real validation. This is however resolved in the newly updated version of Mambo Open Source by requiring $id to be validated via the intval() function. That way it only returns a valid integer and thus prevents SQL injection from happening.


Solution:
Special thanks goes to Robert Castley for his very prompt, and professional response, and for the genuine concern regarding the security of Mambo Open Source server. A new version of the Mambo Open Source package is now available from thier official website and should be applied as soon as possible.


Credits:
Credits go to JeiAr of the GulfTech Security Research Team.






© Copyright 2002 - GulfTech Computers, All Rights Reserved
Contact GulfTech Computers