Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Mambo Open Source 4.0.14 SQL injection

From: Chintan Trivedi <chesschintan () hotmail com>
Date: 10 Dec 2003 17:56:31 -0000



Product
-------
Mambo Open Source 4.0.14


Vendor
------
http://www.mamboserver.com


Details
-------
        Mambo Open Source is the open source Web Content Management System. Mambo Open Source CMS is used by many 
websites including the commercial ones.

The function show() in mambo/articles.php file is like 

function show ($articles, $database, $dbprefix, $artid, $gid, $db) {
        
        $query = "SELECT title, content, author FROM ".$dbprefix."articles, ".$dbprefix."categories WHERE artid=$artid 
AND ".$dbprefix."articles.published=1 AND ".$dbprefix."categories.categoryid=".$dbprefix."articles.catid AND 
".$dbprefix."categories.access <=$gid";
        $result = $database->openConnectionWithReturn($query);

.
.
.
}

There hasn't been any input validation for the variable artid. An attacker can thus insert his own sql query and get 
the administrator md5 pass from mod_users table and use it in cookie to gain admin access to the Mamboo CMS system. 

How do I know whether I am vulnerable ?
--------------------------------------------

http://www.sitewithmambo.com/index.php?option=articles&task=viewarticle&artid=5%20UNION%20somequery

If you get an error message as 

Query failed with error: You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server 
version for the right syntax to use near 'UNION somequery AND mos_articles.published=1 AND mos_categories.  

means you are vulnerable. An attacker can use "/*" to comment rest of the querry. 

------------

Chintan Trivedi - http://www.hackersprogrammers.com
"Eye On Security Research Group India". 

------------
Previous By Date Next
Previous By Thread Next

Current thread: