View Issue Details

IDProjectCategoryView StatusLast Update
0000098websitewebsitepublic2003-12-12 08:30
Reporterherrold Assigned To 
Status resolvedResolutionfixed 
Product Versionunspecified 
Summary0000098: PRIVATE: [SCSA-023] Multiple vulnerabilities in Mambo Server
DescriptionSecurity Corporation Security Advisory [SCSA-023]

Multiple vulnerabilities in Mambo Server

PROGRAM: Mambo Server
VULNERABLE VERSIONS: 4.0.14 and 4.5 Beta 1.0.3
IMPACT: Redefining of configuration variables
Change of members's and administrator's informations

RELEASE DATE: 2003-12-10
You can found patchs at the following link :

The creator (Robert Castley) was notified, published a patch 2 for
version 4.0.1 (works only if the patch 1 was installed) and a Beta
1.0.14 version 4.5 was published for the vulnerabilities of 1.0.13.


25/11/2003 Vulnerability discovered
25/11/2003 Vendor notified
25/11/2003 Vendor response
25/11/2003 Security Corporation clients notified
28/11/2003 Started e-mail discussions
09/12/2003 Last e-mail received
10/12/2003 Public disclosure


frog-m@n <> is credited with this discovery
TagsNo tags attached.




2003-12-11 22:56

reporter   ~0000393

Last edited: 1970-01-01 00:00

Does this include the later post:

Mambo Open Source 4.0.14 SQL injection

There hasn't been any input validation for the variable artid. An attacker can
thus insert his own sql query and get the administrator md5 pass from mod_users
table and use it in cookie to gain admin access to the Mamboo CMS system.


2003-12-11 22:57

reporter   ~0000394

Last edited: 1970-01-01 00:00

Lance update with wrappers:

n response to the previous message I have changed apache config on to only allow access to /administrator from specific
listed ip addresses.

They are :- gmkurtzer lsd office lsd home mpirun adsl

in addition has accessed it in the past days but as I dont
know who it is I havent added it.

2003-12-11 23:32

reporter   ~0000395

Last edited: 1970-01-01 00:00

I'm not at all impressed with the fact that the 'patches' are not published or
mentioned on mambo website, but phpsecure, and they are not signed by mambo
developers ...

So I downloaded them from

It surprises me that they havent issued a new point release including the
patches, whats the point of letting people install the insecure version ??? now patched

2003-12-12 03:30

reporter   ~0000396

Last edited: 1970-01-01 00:00

aha :- == gmk_laptop


Issue History

Date Modified Username Field Change
2003-12-11 23:32 Status NEW => ASSIGNED
2003-12-12 03:30 Status ASSIGNED => RESOLVED
2003-12-12 03:30 Resolution => FIXED