Mambo Remote Password Hash Retrieval

Postby conor » Thu Aug 25, 2005 2:32 pm

I apologize if this has been discussed before, but I ran across this today and am looking for more information on it.  Any help would be appreciated.

The following exploit code will retrieve the administrative password of the Mambo product by exploiting an SQL injection vulnerability in the product.

Details
Vulnerable Systems:
* Mambo version 4.5.2.1 with MySQL version 4.x

Exploit:

Mambo 4.5.2.1 + mysql 4.1 > fetch password hash by pokleyzz
*content rating using sub query to select from mos_users

Requirement:

PHP 4.x with curl extension

Description:

The problem occurs because the $user_rating variable is not properly sanitized for use in the SQL query
for the UPDATE statement.


http://www.securiteam.com/exploits/5BP0F2KG0G.html

Thanks,

Conor
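
The flaw described in the post above, a request value used unsanitized in an UPDATE, shown beside a validated, parameterized form. This is an added example, not code from the original post or from Mambo: it uses Python with SQLite as a stand-in for PHP and MySQL, and the table, column and function names are hypothetical.

```python
import sqlite3

def make_db():
    # Hypothetical rating table for illustration; not Mambo's own schema.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content_rating (content_id INTEGER PRIMARY KEY, "
               "rating_sum INTEGER, rating_count INTEGER)")
    db.execute("INSERT INTO content_rating VALUES (1, 8, 2)")
    return db

def rate_unsafe(db, content_id, user_rating):
    # 'Before' form: the request value is pasted into the UPDATE text, so
    # anything that is not a plain number becomes part of the SQL statement.
    db.execute("UPDATE content_rating SET rating_sum = rating_sum + %s, "
               "rating_count = rating_count + 1 WHERE content_id = %d"
               % (user_rating, content_id))

def parse_rating(raw, lowest=1, highest=5):
    # Accept only ASCII decimal digits, then enforce the allowed range.
    text = str(raw).strip()
    if not (text.isascii() and text.isdigit()):
        raise ValueError("rating must be a whole number")
    value = int(text)
    if not lowest <= value <= highest:
        raise ValueError("rating out of range")
    return value

def rate_safe(db, content_id, user_rating):
    # Hardened form: validate first, then bind the value as a parameter.
    rating = parse_rating(user_rating)
    db.execute("UPDATE content_rating SET rating_sum = rating_sum + ?, "
               "rating_count = rating_count + 1 WHERE content_id = ?",
               (rating, int(content_id)))

def row(db):
    return db.execute("SELECT rating_sum, rating_count FROM content_rating "
                      "WHERE content_id = 1").fetchone()
```

With the constructed input "5 - 1000", `rate_unsafe` lets the database evaluate the text as an expression, while `rate_safe` rejects it before any SQL runs.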

Re: Mambo Remote Password Hash Retrieval

Postby Chris Davenport » Thu Aug 25, 2005 3:09 pm

I believe this was fixed in Mambo 4.5.2.3.

Regards,
Chris.
Chris Davenport - Joomla Production Leadership Team

Lion Coppice http://www.lioncoppice.org/
Davenport Technology Services http://www.davenporttechnology.com/

Re: Mambo Remote Password Hash Retrieval

Postby Nic » Thu Aug 25, 2005 3:17 pm

I would very much like to know what Mambo file(s) have to be updated to eliminate this exploit.

I have two Mambo installations which are still 4.5.2.1 and for several reasons I can't update them completely to 4.5.2.3. But if this could be fixed by just updating one or maybe more files I really would like to do it!

Re: Mambo Remote Password Hash Retrieval

Postby conor » Thu Aug 25, 2005 3:25 pm

Chris Davenport wrote: I believe this was fixed in Mambo 4.5.2.3.


Thanks Chris.  I appreciate the quick response.

Conor

Re: Mambo Remote Password Hash Retrieval

Postby Nic » Sun Aug 28, 2005 1:26 am

Yakomo wrote: I would very much like to know what Mambo file(s) have to be updated to eliminate this exploit.

I have two Mambo installations which are still 4.5.2.1 and for several reasons I can't update them completely to 4.5.2.3. But if this could be fixed by just updating one or maybe more files I really would like to do it!


Anyone?

Re: Mambo Remote Password Hash Retrieval

Postby conor » Mon Aug 29, 2005 1:02 pm

I'm still a Mambo newbie myself, but if no one responds to this post, you should be able to go through the changelogs and find the changes. A tedious process for sure, but should work...

Conor

Re: Mambo Remote Password Hash Retrieval

Postby masterchief » Thu Sep 01, 2005 4:49 am

Yes, this exploit was fixed in 4.5.2.3

The patch file is available here:
http://www.opensourcematters.org/index. ... &Itemid=30

It's a cumulative patch so it will upgrade 4.5.2.0|.1|.2 or 4.5.2.3

Hope this helps.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

Re: Mambo Remote Password Hash Retrieval

Postby Nic » Thu Sep 01, 2005 10:07 am

masterchief wrote: Yes, this exploit was fixed in 4.5.2.3

The patch file is available here:
http://www.opensourcematters.org/index. ... &Itemid=30

It's a cumulative patch so it will upgrade 4.5.2.0|.1|.2 or 4.5.2.3

Hope this helps.


I have two sites which are still 4.5.2.1 and for several reasons I can not apply the whole patch to them. Is there a way to JUST fix this exploit and not apply the whole patch by f.ex. overwriting/updating only one file?

Re: Mambo Remote Password Hash Retrieval

Postby masterchief » Thu Sep 01, 2005 11:49 am

Yakomo wrote: Is there a way to JUST fix this exploit and not apply the whole patch by f.ex. overwriting/updating only one file?

Yes. You could install the patch in a local temp folder and then use a diff program (on Windows, Beyond Compare, see http://www.scootersoftware.com) to compare the patch with the files on your site via FTP. But there are multiple exploits in multiple files... so the easiest thing is just to back up the file system and database, then FTP the files over the top of the existing ones.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.
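
The comparison masterchief describes, done with hashes instead of a GUI diff tool: it lists which files shipped in the patch differ from the site copy, and separates real changes from line-ending differences. This is an added example, not part of the original posts or the Mambo patch; it assumes the unpacked patch and a copy of the site are both available as local folders, and the file names in `demo()` are constructed.

```python
import hashlib
import os
import tempfile

def digests(root):
    """Map relative path -> (raw SHA-256, SHA-256 with CRLF folded to LF)."""
    out = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            with open(path, "rb") as handle:
                data = handle.read()
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            out[rel] = (hashlib.sha256(data).hexdigest(),
                        hashlib.sha256(data.replace(b"\r\n", b"\n")).hexdigest())
    return out

def compare_patch_to_site(patch_root, site_root):
    """Classify every file the patch ships against the copy on the site."""
    patch, site = digests(patch_root), digests(site_root)
    report = {"changed": [], "line_endings_only": [],
              "missing_on_site": [], "identical": []}
    for rel in sorted(patch):
        if rel not in site:
            report["missing_on_site"].append(rel)
        elif patch[rel][0] == site[rel][0]:
            report["identical"].append(rel)
        elif patch[rel][1] == site[rel][1]:
            report["line_endings_only"].append(rel)  # e.g. ASCII-mode FTP copy
        else:
            report["changed"].append(rel)
    return report

def demo():
    """Build two small constructed trees (patch and site) and compare them."""
    def write(root, rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(data)
    with tempfile.TemporaryDirectory() as patch, tempfile.TemporaryDirectory() as site:
        write(patch, "components/a.php", b"<?php\n// patched\n")
        write(site, "components/a.php", b"<?php\n// original\n")
        write(patch, "includes/b.php", b"<?php\n// same\n")
        write(site, "includes/b.php", b"<?php\r\n// same\r\n")
        write(patch, "index.php", b"<?php\n")
        write(site, "index.php", b"<?php\n")
        write(patch, "includes/new.php", b"<?php\n")
        return compare_patch_to_site(patch, site)
```

Files that exist only on the site are left out of the report on purpose, since the patch does not touch them.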

