
Mambo Remote Password Hash Retrieval

Posted: Thu Aug 25, 2005 2:32 pm
by conor
I apologize if this has been discussed before, but I ran across this today and am looking for more information on it.  Any help would be appreciated.
The following exploit code will retrieve the administrative password of the Mambo product by exploiting an SQL injection vulnerability in the product.

Details
Vulnerable Systems:
* Mambo version 4.5.2.1 with MySQL version 4.x

Exploit:

Mambo 4.5.2.1 + mysql 4.1 > fetch password hash by pokleyzz
*content rating using sub query to select from mos_users

Requirement:

PHP 4.x with curl extension

Description:

The problem occurs because the $user_rating variable is not properly sanitized before it is used in the SQL query
for the UPDATE statement.
http://www.securiteam.com/exploits/5BP0F2KG0G.html

Thanks,

Conor
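To make the advisory's point concrete, here is an added illustration (not Mambo's own code) of the pattern it describes: a rating value taken from the request and interpolated into an UPDATE statement, next to a version that rejects anything that is not a small whole number. Table and column names, the function names, and the use of modern PHP's filter_var() are assumptions; on the PHP 4 stack the advisory lists, an (int) cast gives the same guarantee that only digits reach the query.

```php
<?php
// Added illustration of the flaw described in the advisory; not Mambo's code.
// Table/column names (mos_content_rating, rating_sum, ...) are assumed.

// Vulnerable pattern: the client-supplied rating is dropped straight into
// the statement, so any SQL inside it becomes part of the query.
function buildRatingUpdateVulnerable(int $contentId, string $userRating): string
{
    return "UPDATE mos_content_rating "
         . "SET rating_sum = rating_sum + $userRating, rating_count = rating_count + 1 "
         . "WHERE content_id = $contentId";
}

// Hardened form: accept only a whole number in the allowed range 1..5.
// After validation the value can contain nothing but digits, so it is safe
// to interpolate; anything else is refused rather than "cleaned up".
function buildRatingUpdateSafe(int $contentId, string $userRating): ?string
{
    $rating = filter_var($userRating, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]);
    if ($rating === false) {
        return null; // caller should reject the request
    }
    return "UPDATE mos_content_rating "
         . "SET rating_sum = rating_sum + $rating, rating_count = rating_count + 1 "
         . "WHERE content_id = $contentId";
}

// Constructed inputs: a normal vote and a value that is not a plain integer.
foreach (['4', '4 /* not just a number */'] as $input) {
    echo "vulnerable: ", buildRatingUpdateVulnerable(7, $input), "\n";
    echo "safe:       ", buildRatingUpdateSafe(7, $input) ?? "rejected", "\n";
}
```

The second input shows the difference: the vulnerable builder passes the extra text through into the SQL, while the hardened builder returns null and the vote is dropped.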

Re: Mambo Remote Password Hash Retrieval

Posted: Thu Aug 25, 2005 3:09 pm
by Chris Davenport
I believe this was fixed in Mambo 4.5.2.3.

Regards,
Chris.

Re: Mambo Remote Password Hash Retrieval

Posted: Thu Aug 25, 2005 3:17 pm
by Nic
I would very much like to know what Mambo file(s) have to be updated to eliminate this exploit.

I have two Mambo installations which are still 4.5.2.1 and for several reasons I can't update them completely to 4.5.2.3. But if this could be fixed by just updating one or maybe more files I really would like to do it!

Re: Mambo Remote Password Hash Retrieval

Posted: Thu Aug 25, 2005 3:25 pm
by conor
Chris Davenport wrote: I believe this was fixed in Mambo 4.5.2.3.
Thanks Chris.  I appreciate the quick response.

Conor

Re: Mambo Remote Password Hash Retrieval

Posted: Sun Aug 28, 2005 1:26 am
by Nic
Yakomo wrote: I would very much like to know what Mambo file(s) have to be updated to eliminate this exploit.

I have two Mambo installations which are still 4.5.2.1 and for several reasons I can't update them completely to 4.5.2.3. But if this could be fixed by just updating one or maybe more files I really would like to do it!
Anyone?

Re: Mambo Remote Password Hash Retrieval

Posted: Mon Aug 29, 2005 1:02 pm
by conor
I'm still a mambo newbie myself, but if no one responds to this post, you should be able to go through the changelogs and find the changes.  A tedious process for sure, but should work...

Conor

Re: Mambo Remote Password Hash Retrieval

Posted: Thu Sep 01, 2005 4:49 am
by masterchief
Yes, this exploit was fixed in 4.5.2.3

The patch file is available here:
http://www.opensourcematters.org/index. ... &Itemid=30

It's a cumulative patch so it will upgrade 4.5.2.0|.1|.2 or 4.5.2.3

Hope this helps.

Re: Mambo Remote Password Hash Retrieval

Posted: Thu Sep 01, 2005 10:07 am
by Nic
masterchief wrote: Yes, this exploit was fixed in 4.5.2.3

The patch file is available here:
http://www.opensourcematters.org/index. ... &Itemid=30

It's a cumulative patch so it will upgrade 4.5.2.0|.1|.2 or 4.5.2.3

Hope this helps.
I have two sites which are still 4.5.2.1 and for several reasons I cannot apply the whole patch to them. Is there a way to JUST fix this exploit and not apply the whole patch by f.ex. overwriting/updating only one file?

Re: Mambo Remote Password Hash Retrieval

Posted: Thu Sep 01, 2005 11:49 am
by masterchief
Yakomo wrote: Is there a way to JUST fix this exploit and not apply the whole patch by f.ex. overwriting/updating only one file?
Yes.  You could install the patch in a local temp folder and then use a diff program (on Windows, Beyond Compare, see http://www.scootersoftware.com) to compare the patch with the files on your site via ftp.  But there are multiple exploits in multiple files...so the easiest thing is just to back up the file system and database, then ftp the files over the top of the existing ones.