Multiple unpatched vulnerabilities in open source CMS Mambo
On Monday SecurityFocus reported vulnerabilities in the open source content management system Mambo that attackers could exploit to view confidential information or compromise a system. Four flaws have been found, and as yet no fix has been issued.
The script mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php fails to correctly filter the content of the file[NewFile][tmp_name] parameter, so crafted arguments can be used to delete files such as configuration.php on the server. If the administrator has not deleted or renamed the Mambo installation directory, it is even possible to point the site at a remote database by uploading a manipulated configuration file; attackers could then load arbitrary content into the CMS. For the attack to succeed, however, the image manager must be located in the web server's document root.
In addition, there is a cross-site scripting (XSS) vulnerability and a cross-site request forgery (CSRF) vulnerability in the
The advisory also describes a further vulnerability that can be used to determine the installation path, which is useful to attackers preparing further attacks. The bugs were found in version 4.6.3; previous versions are probably also vulnerable. An official update is not yet available. Restricting access to the connector script using .htaccess may provide some relief. Four security vulnerabilities in Mambo were already fixed in late January.
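One way to apply the .htaccess workaround mentioned above, as an added example that is not part of the original report or of the Mambo project: an Apache configuration placed in the connectors/php directory that denies all HTTP access to connector.php. The directory location and the assumption that the site runs on Apache with AllowOverride permitting these directives are mine.

```apache
# Added example: .htaccess to drop into
# mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/
# Denies every HTTP request for the vulnerable connector script.
# Assumes AllowOverride permits Limit (Apache 2.2) or AuthConfig (Apache 2.4) here.
<Files "connector.php">
    # Apache 2.4
    Require all denied
    # Apache 2.2 equivalent (use instead of the line above):
    # Order deny,allow
    # Deny from all
</Files>
```

After adding the file, request connector.php over HTTP and confirm the server answers with 403; if it still returns 200, AllowOverride is not letting the directive take effect. The rule disables the file manager for legitimate editors as well, must be repeated for every copy of the image manager on the host, and does nothing for the XSS, CSRF or path-disclosure issues. Since the upload of a manipulated configuration file depends on the Mambo installation directory still being present, deleting or renaming that directory is the other step worth taking while no official update exists.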
- Mambo 4.6.3 Path Disclosure, XSS, XSRF, DOS, security advisory on Bugtraq