|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
From: euronymous (just-a-user_at_yandex.ru)
Date: Thu Dec 12 2002 - 07:28:40 CST
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: Multiple Mambo Site Server sec-weaknesses
product: Mambo Site Server 4.0.11
vendor: http://sourceforge.org/projects/mambo
risk: high
date: 12/12/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory urls: http://f0kp.iplus.ru/bz/010.en.txt
http://f0kp.iplus.ru/bz/010.ru.txt
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
index
-----
1) php and system environment information
2) search.php xss
3) weak passwords allowed and account blocking
4) path disclosure
5) default administration credentials
6) suitable database access
7) script injecting via `Your name' field
description
-----------
1) php and system environment information
with mambo comming some common script, that use phpinfo()
function, that print many important information, include
full physical pathes, php settings and so on.. the script
is placed under mambos `administrator' directory.
http://hostname/mambo/administrator/phpinfo.php
2) search.php xss
in search field of index page you can put any scripting
code, and then it will interpreted by script above.
3) weak passwords allowed and account blocking
registration.php will allow to you choose the password
with 1 charaÓter in long. within account registration
process you cannot use special chars (eg space char) as
a password, but when you edit the your registered
account and change password with one space char, then
you cannot login, becose script output error message:
`please complete username and password fields'. so,
account was locked.
4) path disclosure
if you call index.php with parameter, that not existent,
then you can see following error mesage:
====================================================
Fatal error: Maximum execution time of 30 seconds
exceeded in /var/www/html/mambo/classes/database.php
on line 30
====================================================
example url:
http://hostname/mambo/index.php?Itemid=some_shit
5) default administration credentials
just after installation, mambo have a default account
for manage various site components.. it is a:
username: admin
password: admin
administration login page:
http://hostname/mambo/administrator
6) suitable database access
if admin have installed phpMyAdmin and if he does make
corresponding changes in configuration.php, then you
can to access database w/o any authorisation and with
k-comfortable web-interface ))
http://hostname/mambo/administrator/phpMyAdmin.php
7) script injecting via `Your name' field
within account register procedure you need to fill out
several fields, such as username, password, etc.
in `Your name' field you can put any scripting code,
that will interpreted every time, when some user will
read your articles, news, etc published via mambo site
server. but there is some problem: until admin doesnt
check the your article, it was not published..
shouts: HACKRU Team, DWC, DHG, Spoofed Packet, HUNGOSH,
all russian security guyz!! to kate especially ))
fuck_off: slavomira and other dirty ppl in *.kz
================
im not a lame,
not yet a hacker
================
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]