Multiple unpatched vulnerabilities in open source CMS Mambo
SecurityFocus reported on Monday several vulnerabilities in the open source content management system Mambo that could be exploited by attackers to read confidential information or compromise a system. Four flaws have been found, and no fix has yet been issued.
The script mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php fails to correctly filter the file[NewFile][tmp_name] parameter, so that crafted arguments can be used to delete files such as configuration.php on the server. If the administrator has not deleted or renamed the Mambo installation directory, it is even possible to make the CMS use a remote database by uploading a manipulated configuration file; attackers could then load arbitrary content into the CMS. For the attack to succeed, however, the image manager must be located in the web server's document root.
In addition, the connector.php script contains a cross-site scripting (XSS) and a cross-site request forgery (CSRF) vulnerability, which an attacker can exploit to execute JavaScript in a user's browser in the context of the Mambo site. The CSRF vulnerability can be used, for example, to add an administrator account if the original administrator is logged into Mambo and visits a crafted website in another browser window. A similar vulnerability in the Mambo fork Joomla was fixed two weeks ago.
The advisory also describes a further vulnerability that can be used to determine the installation path, which helps attackers carry out further attacks. The bugs were found in version 4.6.3; earlier versions are probably also vulnerable. An official update is not yet available. Restricting access to the connector script using .htaccess may provide some relief. Four security vulnerabilities in Mambo had already been fixed in late January.
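One way to apply the .htaccess workaround mentioned above, as an added example that is not part of the advisory or of Mambo itself: drop the following file into the mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/ directory so that only the editors' own address can reach connector.php. The address 192.0.2.10 is a placeholder for the administrator's IP, and the example assumes the server honours .htaccess in that directory (AllowOverride). If the image manager is not needed at all, replace the address line with an unconditional deny.

```apache
# Added example: restrict the TinyMCE file manager connector to trusted clients.
# 192.0.2.10 is a placeholder; replace it with the editors' real address(es).
<Files "connector.php">
    <IfModule mod_authz_core.c>
        # Apache 2.4 syntax
        Require ip 192.0.2.10
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 syntax
        Order deny,allow
        Deny from all
        Allow from 192.0.2.10
    </IfModule>
</Files>
```

This blocks the file deletion and the CSRF request from any client that is not on the allow list; it does not fix the script itself, so the restriction should stay in place until an official update is installed.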
- Mambo 4.6.3 Path Disclosure, XSS, XSRF, DOS, security advisory on Bugtraq
(ehe)