[33120] in bugtraq
Mambo OS v4.5/v4.6: remote command execution
daemon@ATHENA.MIT.EDU (FraMe)
Mon Jan 19 14:21:52 2004
Message-ID: <000901c3dde9$80d11390$0202a8c0@angie>
From: "FraMe" <frame@hispalab.com>
To: <bugtraq@securityfocus.com>
Date: Sun, 18 Jan 2004 18:21:15 +0100
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Product: Mambo Open Source v4.5
Mambo Open Source v4.6 (CVS)
Vendor: Miro International Pty Ltd.
Author: FraMe ( frame at kernelpanik.org )
URL: http://www.kernelpanik.org
CONTENTS
1. Overview
2. Description.
3. Details
4. Patches.
1. Overview.
Mambo Open Source is an, open source, modular, web content management
system (CMS), written in Php with a MySql database in backend.
More info: http://www.mamboserver.com
2. Description.
Mambo OS allow remote command execution in ./modules/mod_mainmenu.php
Anybody can inject a url in $mosConfig_absolute_path and obtain command
execution
with web server privileges ( usually nobody ).
3. Details.
Mambo OS v4.5 and v4.6
from ./modules/mod_mainmenu.php:
================================
<?php
(..)
// $module is defined in the calling function
// $params is defined in the calling function
require_once( "$mosConfig_absolute_path/modules/mod_mainmenu.class.php" );
(..)
?>
4. Patches
a) Php globals off (Default in Php > 4.2)
b) Unofficial patch for mod_mainmenu.php can be downloaded from:
http://www.kernelpanik.org/code/kernelpanik/mambo.zip
==============================
[ FraMe - frame at kernelpanik.org ]
[ URL - http://frame.lifefromthenet.com ]
[ Kernelpanik - http://www.kernelpanik.org ]
[ PGP KeyID - 0xFA81AC9C ]
==============================
