0000098: PRIVATE: [SCSA-023] Multiple vulnerabilities in Mambo Server - CentOS Bug Tracker

ID	Project	Category	View Status	Date Submitted	Last Update

0000098	website	website	public	2003-12-11 22:54	2003-12-12 08:30

Reporter	herrold	Assigned To
Priority	low	Severity	minor	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	Other	OS	other
Product Version	unspecified

Summary	0000098: PRIVATE: [SCSA-023] Multiple vulnerabilities in Mambo Server
Description	Security Corporation Security Advisory [SCSA-023] Multiple vulnerabilities in Mambo Server ====================================================================== PROGRAM: Mambo Server HOMEPAGE: http://www.mamboserver.com VULNERABLE VERSIONS: 4.0.14 and 4.5 Beta 1.0.3 RISK: Low/MEDIUM IMPACT: Redefining of configuration variables Change of members's and administrator's informations RELEASE DATE: 2003-12-10 You can found patchs at the following link : http://www.phpsecure.info The creator (Robert Castley) was notified, published a patch 2 for version 4.0.1 (works only if the patch 1 was installed) and a Beta 1.0.14 version 4.5 was published for the vulnerabilities of 1.0.13. . DISCLOSURE TIMELINE ====================================================================== 25/11/2003 Vulnerability discovered 25/11/2003 Vendor notified 25/11/2003 Vendor response 25/11/2003 Security Corporation clients notified 28/11/2003 Started e-mail discussions 09/12/2003 Last e-mail received 10/12/2003 Public disclosure 7. CREDITS ====================================================================== frog-m@n <frog-man@security-corporation.com> is credited with this discovery
Tags	No tags attached.

herrold 2003-12-11 22:56 reporter ~0000393 Last edited: 1970-01-01 00:00	Does this include the later post: Mambo Open Source 4.0.14 SQL injection There hasn't been any input validation for the variable artid. An attacker can thus insert his own sql query and get the administrator md5 pass from mod_users table and use it in cookie to gain admin access to the Mamboo CMS system.

herrold 2003-12-11 22:57 reporter ~0000394 Last edited: 1970-01-01 00:00	Lance update with wrappers: n response to the previous message I have changed apache config on www.caosity.org to only allow access to /administrator from specific listed ip addresses. They are :- 128.3.10.49 gmkurtzer 62.245.38.17 lsd office 62.245.38.33 lsd home 65.64.190.32 mpirun adsl in addition 63.207.100.120 has accessed it in the past days but as I dont know who it is I havent added it.

lance@uklinux.net 2003-12-11 23:32 reporter ~0000395 Last edited: 1970-01-01 00:00	I'm not at all impressed with the fact that the 'patches' are not published or mentioned on mambo website, but phpsecure, and they are not signed by mambo developers ... So I downloaded them from www.sourceforge.net/mambo It surprises me that they havent issued a new point release including the patches, whats the point of letting people install the insecure version ??? www.caosity.org now patched

lance@uklinux.net 2003-12-12 03:30 reporter ~0000396 Last edited: 1970-01-01 00:00	aha :- 63.207.100.120 == gmk_laptop added

Date Modified	Username	Field	Change
2003-12-11 23:32	lance@uklinux.net	Status	NEW => ASSIGNED
2003-12-12 03:30	lance@uklinux.net	Status	ASSIGNED => RESOLVED
2003-12-12 03:30	lance@uklinux.net	Resolution	=> FIXED