View Issue Details

ID: 0000098
Project: website
Category: website
View Status: public
Last Update: 2003-12-12 08:30
Reporter: herrold
Priority: low
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: Other
OS: other
OS Version:
Product Version: unspecified
Target Version:
Fixed in Version:
Summary: 0000098: PRIVATE: [SCSA-023] Multiple vulnerabilities in Mambo Server
Description: Security Corporation Security Advisory [SCSA-023]

Multiple vulnerabilities in Mambo Server
======================================================================

PROGRAM: Mambo Server
HOMEPAGE: http://www.mamboserver.com
VULNERABLE VERSIONS: 4.0.14 and 4.5 Beta 1.0.3
RISK: Low/MEDIUM
IMPACT: Redefining of configuration variables
Change of members' and administrator's information

RELEASE DATE: 2003-12-10
You can find patches at the following link: http://www.phpsecure.info

The creator (Robert Castley) was notified, published a patch 2 for
version 4.0.1 (works only if the patch 1 was installed) and a Beta
1.0.14 version 4.5 was published for the vulnerabilities of 1.0.13.

. DISCLOSURE TIMELINE
======================================================================

25/11/2003 Vulnerability discovered
25/11/2003 Vendor notified
25/11/2003 Vendor response
25/11/2003 Security Corporation clients notified
28/11/2003 Started e-mail discussions
09/12/2003 Last e-mail received
10/12/2003 Public disclosure


7. CREDITS
======================================================================

frog-m@n <frog-man@security-corporation.com> is credited with this discovery
Tags: No tags attached.

Activities

herrold

2003-12-11 22:56

reporter   ~0000393

Does this include the later post:

Mambo Open Source 4.0.14 SQL injection

There hasn't been any input validation for the variable artid. An attacker can
thus insert his own SQL query and get the administrator md5 pass from mod_users
table and use it in cookie to gain admin access to the Mambo CMS system.
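
A defender-side check for the artid issue described in the comment above, added here as an example and not part of the original thread or of Mambo's code: it applies a strict integer check to artid and flags access-log requests whose artid fails it. The log lines, the /index.php?option=articles URL shape and the function names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (common log format); not from the page.
# The URL layout is an assumption; only the parameter name artid is from the report.
SAMPLE_LOG = """\
192.0.2.10 - - [11/Dec/2003:21:02:11 +0000] "GET /index.php?option=articles&artid=12 HTTP/1.1" 200 5120
192.0.2.11 - - [11/Dec/2003:21:03:40 +0000] "GET /index.php?option=articles&artid=12%27 HTTP/1.1" 200 311
192.0.2.12 - - [11/Dec/2003:21:04:02 +0000] "GET /index.php?option=articles&artid=7%20OR%201%3D1 HTTP/1.1" 200 9800
192.0.2.10 - - [11/Dec/2003:21:05:19 +0000] "GET /index.php?option=articles&artid=40 HTTP/1.1" 200 4100
192.0.2.13 - - [11/Dec/2003:21:06:00 +0000] "GET /images/logo.png HTTP/1.1" 200 2048
"""

# Client address and request target from one log line.
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*"')


def parse_artid(raw):
    """Return artid as an int if it is 1-10 ASCII digits, otherwise None.

    This is the validation the report says was missing: anything that is
    not a plain integer is rejected before it can reach a query.
    """
    if re.fullmatch(r"[0-9]{1,10}", raw):
        return int(raw)
    return None


def suspicious_artid_requests(log_text):
    """Return (client, decoded artid) for requests whose artid fails validation."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        # parse_qs percent-decodes values, so encoded quotes and spaces are seen.
        params = parse_qs(urlsplit(target).query)
        for value in params.get("artid", []):
            if parse_artid(value) is None:
                hits.append((client, value))
    return hits


if __name__ == "__main__":
    for client, value in suspicious_artid_requests(SAMPLE_LOG):
        print(f"{client} sent non-integer artid: {value!r}")
```

Only values carried in the request line are visible this way; an artid sent in a POST body does not appear in a standard access log.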
herrold

2003-12-11 22:57

reporter   ~0000394

Lance update with wrappers:

In response to the previous message I have changed the Apache config on
www.caosity.org to only allow access to /administrator from specific
listed IP addresses.

They are :-

128.3.10.49 gmkurtzer
62.245.38.17 lsd office
62.245.38.33 lsd home
65.64.190.32 mpirun adsl

In addition, 63.207.100.120 has accessed it in the past days, but as I don't
know who it is I haven't added it.
lance@uklinux.net

2003-12-11 23:32

reporter   ~0000395

I'm not at all impressed with the fact that the 'patches' are not published or
mentioned on the Mambo website, but phpsecure, and they are not signed by Mambo
developers ...

So I downloaded them from www.sourceforge.net/mambo

It surprises me that they haven't issued a new point release including the
patches; what's the point of letting people install the insecure version ???

www.caosity.org now patched
lance@uklinux.net

2003-12-12 03:30

reporter   ~0000396

aha :- 63.207.100.120 == gmk_laptop

added

Issue History

Date Modified Username Field Change
2003-12-11 23:32 lance@uklinux.net Status NEW => ASSIGNED
2003-12-12 03:30 lance@uklinux.net Status ASSIGNED => RESOLVED
2003-12-12 03:30 lance@uklinux.net Resolution => FIXED