Multiple Mambo Site Server sec-weaknesses

["euronymous" <just-a-user () yandex ru>]

=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=
topic: Multiple Mambo Site Server sec-weaknesses
product: Mambo Site Server 4.0.11
vendor: http://sourceforge.org/projects/mambo
risk: high
date: 12/12/2k2
discovered by: euronymous /F0KP /HACKRU Team
advisory urls: http://f0kp.iplus.ru/bz/010.en.txt
               http://f0kp.iplus.ru/bz/010.ru.txt 
=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=:=:=::=

index
-----

1) php and system environment information
2) search.php xss
3) weak passwords allowed and account blocking
4) path disclosure
5) default administration credentials
6) suitable database access
7) script injecting via `Your name' field


description
-----------

1) php and system environment information

with mambo comming some common script, that use phpinfo()
function, that print many important information, include
full physical pathes, php settings and so on.. the script
is placed under mambos `administrator' directory.  

http://hostname/mambo/administrator/phpinfo.php


2) search.php xss

in search field of index page you can put any scripting 
code, and then it will interpreted by script above.


3) weak passwords allowed and account blocking

registration.php will allow to you choose the password
with 1 charaсter in long. within account registration
process you cannot use special chars (eg space char) as 
a password, but when you edit the your registered 
account and change password with one space char, then
you cannot login, becose script output error message:
`please complete username and password fields'. so, 
account was locked. 


4) path disclosure

if you call index.php with parameter, that not existent,
then you can see following error mesage:

====================================================
Fatal error: Maximum execution time of 30 seconds 
exceeded in /var/www/html/mambo/classes/database.php 
on line 30
====================================================

example url: 

http://hostname/mambo/index.php?Itemid=some_shit


5) default administration credentials

just after installation, mambo have a default account
for manage various site components.. it is a:

username: admin
password: admin

administration login page:  

http://hostname/mambo/administrator


6) suitable database access

if admin have installed phpMyAdmin and if he does make
corresponding changes in configuration.php, then you 
can to access database w/o any authorisation and with 
k-comfortable web-interface ))

http://hostname/mambo/administrator/phpMyAdmin.php 


7) script injecting via `Your name' field

within account register procedure you need to fill out
several fields, such as username, password, etc. 
in `Your name' field you can put any scripting code, 
that will interpreted every time, when some user will
read your articles, news, etc published via mambo site
server. but there is some problem: until admin doesnt 
check the your article, it was not published..


shouts: HACKRU Team, DWC, DHG, Spoofed Packet, HUNGOSH,
all russian security guyz!! to kate especially )) 
fuck_off: slavomira and other dirty ppl in *.kz

================
im not a lame,
not yet a hacker
================