Date: 10 Dec 2003 17:56:31 -0000
From: Chintan Trivedi <[email protected]>
To: [email protected]Subject: Mambo Open Source 4.0.14 SQL injection
Product
-------
Mambo Open Source 4.0.14
Vendor
------
http://www.mamboserver.com
Details
-------
Mambo Open Source is the open source Web Content Management System. Mambo Open Source CMS is used by many websites including the commercial ones.
The function show() in mambo/articles.php file is like
function show ($articles, $database, $dbprefix, $artid, $gid, $db) {
$query = "SELECT title, content, author FROM ".$dbprefix."articles, ".$dbprefix."categories WHERE artid=$artid AND ".$dbprefix."articles.published=1 AND ".$dbprefix."categories.categoryid=".$dbprefix."articles.catid AND ".$dbprefix."categories.access <=$gid";
$result = $database->openConnectionWithReturn($query);
.
.
.
}
There hasn't been any input validation for the variable artid. An attacker can thus insert his own sql query and get the administrator md5 pass from mod_users table and use it in cookie to gain admin access to the Mamboo CMS system.
How do I know whether I am vulnerable ?
--------------------------------------------
http://www.sitewithmambo.com/index.php?option=articles&task=viewarticle&artid=5%20UNION%20somequery
If you get an error message as
Query failed with error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near 'UNION somequery AND mos_articles.published=1 AND mos_categories.
means you are vulnerable. An attacker can use "/*" to comment rest of the querry.
------------
Chintan Trivedi - http://www.hackersprogrammers.com
"Eye On Security Research Group India".
------------
