Vulnerabilities > CVE-2004-1825 - Unspecified vulnerability in Mambo Open Source 4.51.0.0/4.51.0.1

047910
CVSS 0.0 - NONE
Attack vector
UNKNOWN
Attack complexity
UNKNOWN
Privileges required
UNKNOWN
Confidentiality impact
UNKNOWN
Integrity impact
UNKNOWN
Availability impact
UNKNOWN
mambo
nessus
exploit available

Summary

Cross-site scripting (XSS) vulnerability in index.php in Mambo Open Source 4.5 stable 1.0.3 and earlier allows remote attackers to inject arbitrary web script or HTML via the (1) return or (2) mos_change_template parameters.

Vulnerable Configurations

Part Description Count
Application
Mambo
2

Exploit-Db

descriptionMambo Open Source 4.5 index.php Multiple Parameter XSS. CVE-2004-1825. Webapps exploit for php platform
idEDB-ID:23824
last seen2016-02-02
modified2004-03-16
published2004-03-16
reporterJeiAr
sourcehttps://www.exploit-db.com/download/23824/
titleMambo Open Source 4.5 index.php Multiple Parameter XSS

Nessus

NASL familyCGI abuses : XSS
NASL idMAMBO_XSS3.NASL
descriptionAn attacker may use the installed version of Mambo Site Server to perform a cross-site scripting attack on this host because of its failure to sanitize input to the
last seen2020-06-01
modified2020-06-02
plugin id16316
published2005-02-07
reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/16316
titleMambo Site Server mos_change_template XSS
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

if (description)
{
 script_id(16316);
 script_version("1.20");
 script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12");

 script_cve_id("CVE-2004-1825");
 script_bugtraq_id(9890);

 script_name(english:"Mambo Site Server mos_change_template XSS");
 script_set_attribute(attribute:"synopsis", value:
"The remote web server contains a PHP script that is prone to cross-
site scripting attacks." );
 script_set_attribute(attribute:"description", value:
"An attacker may use the installed version of Mambo Site Server to
perform a cross-site scripting attack on this host because of its
failure to sanitize input to the 'return' and 'mos_change_template'
parameters of the 'index.php' script." );
 script_set_attribute(attribute:"see_also", value:"http://www.gulftech.org/?node=research&article_id=00032-03152004" );
 script_set_attribute(attribute:"see_also", value:"https://seclists.org/bugtraq/2004/Mar/147" );
 script_set_attribute(attribute:"solution", value:
"Upgrade at least to version 4.5 (1.0.4)." );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N");
 script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_cwe_id(20, 74, 79, 442, 629, 711, 712, 722, 725, 750, 751, 800, 801, 809, 811, 864, 900, 928, 931, 990);

 script_set_attribute(attribute:"plugin_publication_date", value: "2005/02/07");
 script_set_attribute(attribute:"vuln_publication_date", value: "2004/03/16");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 script_summary(english:"Determine if Mambo Site Server is vulnerable to xss attack");
 script_category(ACT_GATHER_INFO);
 script_family(english:"CGI abuses : XSS");
 script_copyright(english:"This script is Copyright (C) 2005-2020 Tenable Network Security, Inc.");
 script_dependencies("mambo_detect.nasl", "cross_site_scripting.nasl");
 script_exclude_keys("Settings/disable_cgi_scanning");
 script_require_ports("Services/www", 80);
 script_require_keys("www/mambo_mos");
 exit(0);
}

include("global_settings.inc");
include("http_func.inc");
include("http_keepalive.inc");

port = get_http_port(default:80, embedded:TRUE);
if(!get_port_state(port))exit(0);
if(get_kb_item(string("www/", port, "/generic_xss"))) exit(0);
if(!can_host_php(port:port)) exit(0);


# Test an install.
install = get_kb_item(string("www/", port, "/mambo_mos"));
if (isnull(install)) exit(0);
matches = eregmatch(string:install, pattern:"^(.+) under (/.*)$");
if (!isnull(matches)) {
 dir = matches[2];

 url = string(dir, "/index.php?mos_change_template=<script>foo</script>");
 req = http_get(item:url, port:port);
 buf = http_keepalive_send_recv(port:port, data:req, bodyonly:1);
 if( buf == NULL ) exit(0);
 
 if ( '<form action="/index.php?mos_change_template=<script>foo</script>' >< buf )
 {
    security_warning(port);
    set_kb_item(name: 'www/'+port+'/XSS', value: TRUE);
 }
}