ProCheckUp - Tuesday 22 November 2005

PR05-11: Mambo CMS vulnerable to a remote file downloading attack

Mambo CMS vulnerable to a remote file downloading attack when installed on a server with a poorly configured PHP installation.

Date Found: 11th March 2005
Date Public: 9th November 2005 (see notes)
Vulnerable: Tested with Mambo 4.5 (1.0.3) running on Windows 2000 and Linux systems. Other versions may be affected, but this has not been verified. Mambo was tested on PHP 4.3.10.
Severity: Low
Authors: Gemma Hughes [gemma.hughes [at] procheckup.com]
CVE Candidate: Not assigned

Description:

Mambo CMS is vulnerable to a remote file downloading attack when installed on a server with a badly configured PHP installation. This could allow malicious attackers to gain access to sensitive information about the server that is hosting the Mambo CMS-managed site.

This vulnerability is only exploitable where magic_quotes_gpc is set to 'Off' in the PHP configuration of the server. It should be noted that this configuration is specifically warned against during the installation of the Mambo CMS, and as such, sites with the configuration allowing this exploit are likely to be uncommon.

The exploit functions due to the null character attached to the end of the query string, which prevents further execution of the program after echoing the output of the file to the screen.
Information:

*** The exploit code for this vulnerability has been withheld until 1st December 2005 in order to allow users to follow the security advice below ***

Notes:

The risk associated with this vulnerability is low, because the number of servers with a configuration allowing this kind of exploit is likely to be low. In the default php.ini-dist file included in PHP distributions, magic_quotes_gpc is set to On, and this problem will not be encountered. However, for reasons of performance, in the php.ini-recommended file, magic_quotes_gpc is set to Off, and this configuration may be in use on many servers.

This advisory has been published following consultation with UK NISCC.

Consequences:

An attacker could obtain confidential information that may aid a further attack.

Fix:

Ensure all characters are filtered from all inputs, including the '../' characters that allow directory traversal. Enable magic_quotes_gpc within PHP.

The security advice from Mambo is as follows:

Anyone running 4.5 (1.0.x) should certainly upgrade to 4.5 (1.0.9 plus security fix) immediately, or make an immediate jump to 4.5.2.3 (the current release).

Anyone running 4.5 (1.0.9 plus security fix) may wish to upgrade to 4.5.2.3 in order to run the latest plugins and to have the latest stable version.

Anyone running 4.5.1 or above is advised to move to 4.5.2.3 or to install 4.5.3 when it is released.

Legal:

Copyright 2005 ProCheckUp Ltd. All rights reserved. Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp, and provided such reproduction and/or distribution is performed for non-commercial purposes. Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party.
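The input filtering the Fix section calls for, shown as an added PHP example; this is not ProCheckUp's advisory code and not Mambo's own code. The function name safe_file_path, its $baseDir and $requested parameters and the demo() harness are assumptions for illustration, and the code assumes PHP 7.1 or later for the nullable return type. Two points a practitioner would want alongside the advisory's advice: PHP's filesystem functions stopped truncating paths at an embedded null byte from PHP 5.3.4 onward (such paths are rejected instead), and magic_quotes_gpc was deprecated in PHP 5.3 and removed in PHP 5.4, so the application-level check is the control that survives a PHP upgrade.

```php
<?php
// Added example (not ProCheckUp's or Mambo's code): confine a user-supplied
// file name to one directory, refusing the input classes the advisory names
// (embedded null bytes and '../' traversal) before the filesystem is touched.
// safe_file_path, $baseDir and $requested are hypothetical names.

function safe_file_path(string $baseDir, string $requested): ?string
{
    // Reject embedded null bytes outright. PHP releases before 5.3.4 passed
    // the path to C string functions, which stop at the first NUL; checking
    // explicitly keeps the rule independent of the PHP version in use.
    if (strpos($requested, "\0") !== false) {
        return null;
    }

    // Reject any traversal or empty path component ('..', '.', '//').
    foreach (explode('/', str_replace('\\', '/', $requested)) as $segment) {
        if ($segment === '..' || $segment === '.' || $segment === '') {
            return null;
        }
    }

    // Allow only a conservative character set in the remaining name.
    if (!preg_match('#\A[A-Za-z0-9_./-]+\z#', $requested)) {
        return null;
    }

    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }

    // realpath() resolves symlinks and '..', so the canonical result must
    // still sit strictly below the canonical base directory.
    $full = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($full === false || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $full;
}

// Constructed self-check: build a scratch directory with one public file,
// then run inputs of the kinds the advisory mentions through the filter.
function demo(): array
{
    $dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'safe_path_demo_' . getmypid();
    mkdir($dir);
    file_put_contents($dir . DIRECTORY_SEPARATOR . 'readme.txt', "public file\n");

    $cases = [
        'readme.txt',        // legitimate request
        "readme.txt\0.php",  // null byte embedded in the name
        '../outside.txt',    // directory traversal
        'missing.txt',       // well-formed name, file does not exist
    ];

    $results = [];
    foreach ($cases as $case) {
        $label = addcslashes($case, "\0"); // make the NUL visible in output
        $results[$label] = safe_file_path($dir, $case) !== null ? 'allowed' : 'rejected';
    }

    unlink($dir . DIRECTORY_SEPARATOR . 'readme.txt');
    rmdir($dir);
    return $results;
}

print_r(demo());
```

Only the first case resolves to a path; the other three are refused before any file is read, which is the behaviour the Fix section asks for regardless of how magic_quotes_gpc is set.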