Vulnerability CVE-2006-1794

Vulnerability Name:

CVE-2006-1794 (CCN-24870)

Assigned:

2006-02-22

Published:

2006-02-22

Updated:

2017-07-20

Summary:

SQL injection vulnerability in Mambo 4.5.3, 4.5.3h, and possibly earlier versions allows remote attackers to execute arbitrary SQL commands via (1) the $username variable in the mosGetParam function and (2) the $task parameter in the mosMenuCheck function in (a) includes/mambo.php; and (3) the $filter variable to the showCategory function in the com_content component (content.php).
Successful exploitation requires that "magic_quotes_gpc" is disabled.

CVSS v3 Severity:

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

7.6 High (CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
5.6 Medium (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Authentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

6.4 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N)
4.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Athentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

Vulnerability Type:

CWE-Other

Vulnerability Consequences:

Gain Access

References:

Source: BUGTRAQ
Type: Exploit, Patch, Vendor Advisory
20060224 Mambo Multiple Vulnerabilities

Source: MITRE
Type: CNA
CVE-2006-0871

Source: MITRE
Type: CNA
CVE-2006-1794

Source: CCN
Type: SA18935
Mambo SQL Injection and File Inclusion Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
18935

Source: CCN
Type: Mambo Foundation Web site
Security Updates

Source: CONFIRM
Type: Patch
http://source.mambo-foundation.org/view/news/Announcements/Security_Patch_Released/

Source: MISC
Type: Exploit, Patch
http://www.gulftech.org/?node=research&article_id=00104-02242006

Source: OSVDB
Type: UNKNOWN
23402

Source: OSVDB
Type: UNKNOWN
23503

Source: CCN
Type: OSVDB ID: 23402
Mambo content.php 'filter' Parameter SQL Injection

Source: CCN
Type: OSVDB ID: 23503
Mambo mambo.php Multiple Parameter SQL Injection

Source: CCN
Type: OSVDB ID: 23505
Mambo mambo.php 'mos_change_template' Parameter Local File Inclusion

Source: BID
Type: Exploit, Patch
16775

Source: CCN
Type: BID-16775
Mambo Open Source Multiple SQL Injection Vulnerabilities

Source: VUPEN
Type: UNKNOWN
ADV-2006-0719

Source: XF
Type: UNKNOWN
mambo-mambo-sql-injection(24870)

Source: XF
Type: UNKNOWN
mambo-index2-sql-injection(24951)

Vulnerable Configuration:

Configuration 1:

cpe:/a:mambo:mambo:4.0.14:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.1_1.0.9:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.1a:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.1a:beta:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.1a:beta_2:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.2:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.2.1:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.2.2:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.2.3:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5.3h:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:*:h:*:*:*:*:*:* (Version <= 4.5.3h)

OR cpe:/a:mambo:mambo:4.5_1.0.0:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5_1.0.1:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5_1.0.2:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5_1.0.3_beta:*:*:*:*:*:*:*

OR cpe:/a:mambo:mambo:4.5_1.0.3_beta:beta:*:*:*:*:*:*

Denotes that component is vulnerable

Vulnerability Name:

CVE-2006-1794 (CCN-24951)

Assigned:

2006-02-24

Published:

2006-02-24

Updated:

2006-02-24

Summary:

Mambo is vulnerable to SQL injection. If magic_quotes_gpc is disabled, a remote attacker could send specially-crafted SQL statements to the index2.php script using the task parameter or to the com_content component using the filter parameter, which could allow the attacker to add, modify, delete information in the back-end database, or login as the administrator to install and execute arbitrary modules.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.6 High (CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
6.6 Medium (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Authentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
6.5 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:H/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Athentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

Vulnerability Consequences:

Data Manipulation

References:

Source: CCN
Type: BugTraq Mailing List, Fri Feb 24 2006 - 10:39:51 CST
Mambo Multiple Vulnerabilities

Source: MITRE
Type: CNA
CVE-2006-1794

Source: CCN
Type: SA18935
Mambo SQL Injection and File Inclusion Vulnerabilities

Source: CCN
Type: Mambo Foundation Web site
Security Updates

Source: CCN
Type: OSVDB ID: 23402
Mambo content.php 'filter' Parameter SQL Injection

Source: CCN
Type: OSVDB ID: 23503
Mambo mambo.php Multiple Parameter SQL Injection

Source: CCN
Type: BID-16775
Mambo Open Source Multiple SQL Injection Vulnerabilities

Source: XF
Type: UNKNOWN
mambo-index2-sql-injection(24951)

Vulnerable Configuration:

Configuration CCN 1:

cpe:/a:mambo:mambo:4.5.3h:*:*:*:*:*:*:*

Denotes that component is vulnerable

Vulnerability Name:

CVE-2006-1794 (CCN-24952)

Assigned:

2006-02-22

Published:

2006-02-22

Updated:

2006-02-22

Summary:

Mambo could allow a remote attacker to include malicious PHP files. A remote attacker could send a specially-crafted URL request to the _setTemplate() function using the imos_change_template parameter to specify a malicious PHP file from a remote system, which would allow the attacker to execute arbitrary code on the vulnerable system.

CVSS v3 Severity:

7.3 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): Low Integrity (I): Low Availibility (A): Low

CVSS v2 Severity:

7.6 High (CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C)
5.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:C/A:C/E:U/RL:TF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Authentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

7.5 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P)
5.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:TF/RC:C)

Exploitability Metrics:	Access Vector (AV): Access Complexity (AC): Athentication (Au):
Impact Metrics:	Confidentiality (C): Integrity (I): Availibility (A):

Vulnerability Consequences:

Gain Access

References:

Vulnerable Configuration:

Configuration CCN 1:

cpe:/a:mambo:mambo:4.5.3h:*:*:*:*:*:*:*

Denotes that component is vulnerable

BACK