30 January 2008, 11:48

Multiple unpatched vulnerabilities in open source CMS Mambo

SecurityFocus has on Monday reported vulnerabilities in the open source content management system Mambo, which could be exploited by attackers to view confidential information or compromise a system. Four flaws have been found, and as yet no fix has been issued.

The mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/connectors/php/connector.php script fails to correctly filter the content of the file[NewFile][tmp_name] parameter, so that crafted arguments can be used to delete files such as configuration.php on the server. If the administrator has not deleted or renamed the Mambo installation directory, it is even possible to load a remote database by uploading a manipulated configuration file. Attackers could then load arbitrary content into the CMS. For the attack to succeed, the image manager must, however, be located in the web server's root directory.

In addition, there is a cross-site scripting (XSS) and a cross-site request forgery vulnerability (CSRF) in the connector.php script, which can be exploited by an attacker to execute JavaScript in a user's browser with the Mambo server's privileges. The CRSF vulnerability can be used, for example, to add an administrator account if the original administrator is logged into the Mambo server and visits a crafted website in another browser window. A similar vulnerability in Mambo fork Joomla was fixed two weeks ago.

The report also reports a further vulnerability that can be used to determine the installation path, which is useful to attackers for carrying out further attacks. The bugs were found in version 4.6.3 - previous versions are probably also vulnerable. An official update is not yet available. Restricting access to the connector script using .htaccess may provide some relief. Four security vulnerabilities in the Mambo server have already been fixed in late January.