| Field | Value |
|---|---|
| VID | 21624 |
| Severity | 30 |
| Port | 80, ... |
| Protocol | TCP |
| Class | CGI |
| Detailed Description | Mambo Open Source is vulnerable to SQL injection via the `user_rating` parameter. Mambo Open Source (formerly Mambo Site Server) is an Internet portal and content management system. Mambo Site Server versions 4.5.2.2 and earlier could allow a remote attacker to execute arbitrary SQL commands because user-supplied input passed to the `user_rating` parameter of the `components/com_content/content.php` script is not properly filtered. A remote attacker could pass malicious input into database queries, potentially resulting in data exposure, modification of the query logic, data modification, or attacks against the database itself. |
| References | http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034575.html ; http://secunia.com/advisories/15710/ |
| Platforms Affected | Miro International Pty Ltd. Mambo Open Source versions 4.5.2.2 and earlier; any operating system, any version |
| Recommendation | Upgrade to the latest version of Mambo Open Source (4.5.2.3 or later), available from the MamboForge Web site at http://sourceforge.net/projects/mambo/ |
| Related URL | CVE-2005-2002 (CVE) |
| Related URL | 13966 (SecurityFocus) |
| Related URL | 21009 (ISS) |