Mambo Remote Password Hash Retrieval

Post by conor » Thu Aug 25, 2005 2:32 pm

I apologize if this has been discussed before, but I ran across this today and am looking for more information on it.  Any help would be appreciated.
The following exploit code will retrieve the administrative password of the Mambo product by exploiting an SQL injection vulnerability in the product.

Details
Vulnerable Systems:
* Mambo version 4.5.2.1 with MySQL version 4.x

Exploit:

Mambo 4.5.2.1 + mysql 4.1 > fetch password hash by pokleyzz
*content rating using sub query to select from mos_users

Requirement:

PHP 4.x with curl extension

Description:

The problem occurs because the $user_rating variable is not properly sanitized for use in the SQL query for the UPDATE statement.
http://www.securiteam.com/exploits/5BP0F2KG0G.html

Thanks,

Conor
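
The bug class described in the post above (a request value placed unsanitized into an UPDATE statement), shown beside a hardened form. This is an added example, not part of the original thread and not Mambo's code: the table names, function names, the 1-5 rating range and the sample input are assumptions constructed for illustration, and it runs against an in-memory SQLite database through PDO.

```php
<?php
declare(strict_types=1);
// Hypothetical schema and function names; not Mambo's tables or code.

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE content_rating (content_id INTEGER PRIMARY KEY,
               rating_sum INTEGER, rating_count INTEGER)');
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec('INSERT INTO content_rating VALUES (1, 8, 2)');
    $db->exec("INSERT INTO users (name) VALUES ('admin'), ('editor'), ('author')");
    return $db;
}

// Vulnerable pattern: the request value becomes part of the SQL text.
function rateUnsafe(PDO $db, string $contentId, string $userRating): void {
    $db->exec("UPDATE content_rating SET rating_count = rating_count + 1, "
            . "rating_sum = rating_sum + $userRating WHERE content_id = $contentId");
}

// Hardened: accept only an integer in the expected range, then bind it.
function rateSafe(PDO $db, string $contentId, string $userRating): bool {
    $rating = filter_var($userRating, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]); // assumed 1-5 scale
    $id = filter_var($contentId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($rating === false || $id === false) {
        return false; // reject before any SQL is built
    }
    $stmt = $db->prepare('UPDATE content_rating SET rating_count = rating_count + 1, '
                       . 'rating_sum = rating_sum + :rating WHERE content_id = :id');
    $stmt->execute([':rating' => $rating, ':id' => $id]);
    return $stmt->rowCount() === 1;
}

function ratingSum(PDO $db): int {
    $sql = 'SELECT rating_sum FROM content_rating WHERE content_id = 1';
    return (int) $db->query($sql)->fetchColumn();
}

// Constructed input: a subquery where a number is expected.
$hostile = '(SELECT COUNT(*) FROM users)';

$db = makeDb();
rateUnsafe($db, '1', $hostile);
printf("unsafe: rating_sum = %d (subquery on users was evaluated)\n", ratingSum($db));

$db = makeDb();
printf("safe, hostile input accepted: %s\n", var_export(rateSafe($db, '1', $hostile), true));
printf("safe, rating 4 accepted: %s\n", var_export(rateSafe($db, '1', '4'), true));
printf("safe: rating_sum = %d\n", ratingSum($db));
```

In the unsafe call the database evaluates the subquery against the second table and adds its result to the stored rating; the hardened call rejects the same input before any SQL is built.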

Post by Chris Davenport » Thu Aug 25, 2005 3:09 pm

I believe this was fixed in Mambo 4.5.2.3.

Regards,
Chris.
Chris Davenport

Davenport Technology Services http://www.davenporttechnology.com/
Lion Coppice http://www.lioncoppice.org/

Post by Nic » Thu Aug 25, 2005 3:17 pm

I would very much like to know what Mambo file(s) have to be updated to eliminate this exploit.

I have two Mambo installations which are still 4.5.2.1 and for several reasons I can't update them completely to 4.5.2.3. But if this could be fixed by just updating one or maybe more files I really would like to do it!

Post by conor » Thu Aug 25, 2005 3:25 pm

Chris Davenport wrote: I believe this was fixed in Mambo 4.5.2.3.
Thanks Chris.  I appreciate the quick response.

Conor

Post by Nic » Sun Aug 28, 2005 1:26 am

Yakomo wrote: I would very much like to know what Mambo file(s) have to be updated to eliminate this exploit.

I have two Mambo installations which are still 4.5.2.1 and for several reasons I can't update them completely to 4.5.2.3. But if this could be fixed by just updating one or maybe more files I really would like to do it!
Anyone?

Post by conor » Mon Aug 29, 2005 1:02 pm

I'm still a Mambo newbie myself, but if no one responds to this post, you should be able to go through the changelogs and find the changes. A tedious process for sure, but should work...

Conor

Post by masterchief » Thu Sep 01, 2005 4:49 am

Yes, this exploit was fixed in 4.5.2.3

The patch file is available here:
http://www.opensourcematters.org/index. ... &Itemid=30

It's a cumulative patch so it will upgrade 4.5.2.0|.1|.2 or 4.5.2.3

Hope this helps.
Andrew Eddie - Tweet @AndrewEddie
<><
http://eddify.me
http://www.kiva.org/team/joomla - Got Joomla for free? Pay it forward and help fight poverty.

Post by Nic » Thu Sep 01, 2005 10:07 am

masterchief wrote: Yes, this exploit was fixed in 4.5.2.3

The patch file is available here:
http://www.opensourcematters.org/index. ... &Itemid=30

It's a cumulative patch so it will upgrade 4.5.2.0|.1|.2 or 4.5.2.3

Hope this helps.
I have two sites which are still 4.5.2.1 and for several reasons I can not apply the whole patch to them. Is there a way to JUST fix this exploit and not apply the whole patch by f.ex. overwriting/updating only one file?

Post by masterchief » Thu Sep 01, 2005 11:49 am

Yakomo wrote:Is there a way to JUST fix this exploit and not apply the whole patch by f.ex. overwriting/updating only one file?
Yes. You could install the patch in a local temp folder and then use a diff program (on Windows, Beyond Compare, see http://www.scootersoftware.com) to compare the patch with the files on your site via ftp. But there are multiple exploits in multiple files... so the easiest thing is just to back up the file system and database, then ftp the files over the top of the existing ones.