| VID |
210001 |
| Severity |
30 |
| Port |
80, ... |
| Protocol |
TCP |
| Class |
CGI |
| Detailed Description |
The Mambo Open Source is vulnerable to an SQL injection vulnerability via the 'usercookie' parameter in the 'index.php' script. Mambo Open Source (formerly Mambo Site Server) is an Internet portal and content management software. Mambo Open Source version 4.5.4 SP2 and earlier versions and version 4.6 and earlier versions are vulnerable to a SQL injection vulnerability, caused by improper filtering of user-supplied input passed to the 'usercookie[password]' parameter of the 'index.php' script. If the 'magic_quotes_gpc' option is disabled, this vulnerability could permit a remote attacker to pass malicious input to database queries, potentially resulting in data exposure, modification of the query logic, or even data modification or attacks against the database itself.
* References:
http://www.frsirt.com/english/advisories/2006/3918
http://www.gulftech.org/?node=research&article_id=00116-10042006
http://secunia.com/advisories/22221/
* Platforms Affected:
Miro International Pty Ltd., Mambo Open Source version 4.5.4 SP2 and earlier versions
Miro International Pty Ltd., Mambo Open Source version 4.6 and earlier versions
Any operating system Any version |
| Recommendation |
Upgrade to the latest version of Mambo Open Source (4.5.4 SP3 or later, or 4.6.1 or later), available from the Mambo Open Source Web site at http://www.mamboserver.com/ |
| Related URL |
CVE-2006-7092 (CVE) |
| Related URL |
20366 (SecurityFocus) |
| Related URL |
29359 (ISS) |
|
