Bugtraq mailing list archives

[KAPDA::#41] - Mambo/Joomla rss component vulnerability
From: alireza hassani <trueend5 () yahoo com>
Date: Tue, 18 Apr 2006 07:07:51 -0700 (PDT)

KAPDA New advisory

Mambo website : http://www.mamboserver.com
Bug: Path Disclosure & Remote Denial Of Service
Exploitation: Remote with browser
Exploit: available

Mambo is a feature-rich dynamic portal engine/content
management tool capable of building sites from several
pages to several thousand. Mambo uses PHP/MySQL and
features a very comprehensive admin manager.

The script does not properly validate user-supplied
input in rss.php. A remote user can supply a specially
crafted URL to cause the system to display an error
message that discloses the installation path, or force
the script to create tons of superfluous XML files,
which in some cases results in remote DoS attacks
against the target.
Let's see the code snippets:


// get feed type from url
$info[ 'feed' ] = mosGetParam( $_GET, 'feed', 'RSS2.0' );

// set filename for rss feeds (the user-supplied feed type becomes the file name)
$info[ 'file' ] = strtolower( str_replace( '.', '', $info[ 'feed' ] ) );
$info[ 'file' ] = $mosConfig_absolute_path .'/cache/'. $info[ 'file' ] .'.xml';

// save feed file
$rss->saveFeed( $info[ 'feed' ], $info[ 'file' ], $showFeed );

/includes/feedcreator.class.php       // FeedCreator class v1.7.2 , originally (c) Kai Blankenhorn

        function saveFeed($filename="", $displayContents=true) {
                if ($filename=="") {
                        $filename = $this->_generateFilename();
                }
                // $filename is opened for writing without any validation
                $feedFile = fopen($filename, "w+");
                if ($feedFile) {
                        if ($displayContents) {
                                // ... (body not shown in the advisory)
                        }
                } else {
                        // reached when fopen() fails on the crafted file name
                        echo "<br /><b>Error creating feed file, please check write permissions.</b><br />";
                }
        }

Demonstration URL:
Warning: fopen(path\to\mambo\test\\/>.xml)
[function.fopen]: failed to open stream: No such file
or directory in
path\to\mambo\includes\feedcreator.class.php on line

It is possible to perform distributed denial of service
attacks against Mambo installed on IIS servers,
especially when PHP runs as an ISAPI module.
will cause the remote script to save arbitrary files in
the cache folder, and a large number of requests will
cause IIS to return "HTTP 403.9 - Access Forbidden: Too
many users are connected
Internet Information Services" to legitimate users.
Or, from PHP5 as an ISAPI module:
"PHP has encountered an Access Violation at 77F6103A"

There is no vendor supplied patch for this issue at
this time.
Original Advisories:
http://www.kapda.ir/advisory-313.html    [with
IN Farsi:

Credit :
Discovered & released by trueend5 (trueend5 kapda ir)
Security Science Researchers Institute Of Iran
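
A hardened form of the file-name logic quoted in the advisory, as an added example that is not part of the original advisory or of Mambo's code: the feed value is checked against an allowlist before it becomes a cache file name. The function name, the allowlist contents and the cache directory are assumptions.

```php
<?php
// Added example, not Mambo or FeedCreator code. All names are hypothetical.
// Requires PHP 7.1+ (scalar type hints, array destructuring).

// Assumed set of feed formats the site actually offers; adjust per deployment.
const ALLOWED_FEEDS = ['RSS0.91', 'RSS1.0', 'RSS2.0', 'ATOM0.3', 'OPML'];

/**
 * Map a requested feed type to a cache file path.
 * Unknown values fall back to the default, so the set of files that can
 * ever be created under cache/ is bounded by the allowlist, and fopen()
 * never sees characters that would make it fail and print a path.
 */
function feedCachePath(string $cacheDir, $requested, string $default = 'RSS2.0'): array
{
    // Reject non-strings (?feed[]=x) and anything outside the allowlist.
    $feed = (is_string($requested) && in_array($requested, ALLOWED_FEEDS, true))
        ? $requested
        : $default;

    // Same naming rule as the advisory's snippet: drop dots, lowercase.
    $name = strtolower(str_replace('.', '', $feed));

    return [$feed, rtrim($cacheDir, '/\\') . '/' . $name . '.xml'];
}

// Constructed sample inputs: one valid type, three junk values, one array.
$samples = ['RSS1.0', 'test', 'test2', '"/>', ['a']];
$paths = [];
foreach ($samples as $s) {
    [$feed, $path] = feedCachePath('/var/www/mambo/cache', $s);
    $paths[$path] = true;
    printf("%-8s -> %-7s %s\n", is_array($s) ? 'array' : $s, $feed, $path);
}

// Five different inputs map to only two distinct cache files.
printf("distinct files: %d\n", count($paths));
```

With the unvalidated logic, each distinct junk value would have produced its own file in the cache folder; here they all collapse onto the default feed's file.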
