Info

Disclosure

Sep 18, 2004

Discovery

Unknown

Dates

Exploit

Sep 18, 2004

Solution

Unknown

Description

Mambo contains a flaw that may allow a remote attacker to execute arbitrary commands. The problem is that the function.php script does not validate the mosConfig_absolute_path variable which can be changed to include and execute code from a remote location. It is possible that the flaw may allow a remote attacker to execute arbitrary commands resulting in a loss of integrity.

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Public
OSVDB: Web Related

Solution

Upgrade to version 4.5.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

Products

Miro International Pty Ltd.	Mambo	4.5
		4.5.1

References

Security Tracker: 1011365
Related OSVDB ID: 10179
Bugtraq ID: 11220
ISS X-Force ID: 17449
CVE ID: 2004-1693 (see also: NVD)
Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2004-09/0245.html
Vendor URL: http://mamboserver.com/

Credit

Joxean Koret - joxeankoretyahoo.es -

Direct URL: http://osvdb.org/10180

Info

Disclosure

Discovery

Dates

Exploit

Solution

Description

Classification

Solution

Products

Miro International Pty Ltd.

Mambo

References

Credit