Signature Detail

HTTP: Mambo Path Inclusion

This signature detects attempts to exploit a known vulnerability against Mambo, an online publishing application. Mambo 4.5.2 and prior versions are vulnerable. Attackers can send a malicious HTTP request to the Mambo Web server to cause arbitrary code execution.

Extended Description

Mambo is prone to a remote file include vulnerability. This issue is due to a failure in the application to properly sanitize user-supplied input. An attacker can exploit this issue to execute arbitrary remote PHP code on an affected computer with the privileges of the Web server process. This may facilitate unauthorized access. Update: Reportedly, this issue is being actively exploited in the wild; multiple Web sites have been defaced, and the issue described in this BID is being cited as the attackers method of entry. Update 12/5/2005 - Reports indicate that a bot is propagating in the wild by exploiting this vulnerability.

Affected Products

• AlstraSoft Template Seller Pro 3.25.0
• Joomla 1.0.0
• Joomla 1.0.1
• Joomla 1.0.2
• Joomla 1.0.3
• Mambo Mambo Site Server 4.0.0
• Mambo Mambo Site Server 4.0.10
• Mambo Mambo Site Server 4.0.11
• Mambo Mambo Site Server 4.0.12
• Mambo Mambo Site Server 4.0.12 BETA
• Mambo Mambo Site Server 4.0.12 BETA 2
• Mambo Mambo Site Server 4.0.12 RC1
• Mambo Mambo Site Server 4.0.12 RC2
• Mambo Mambo Site Server 4.0.12 RC3
• Mambo Mambo Site Server 4.0.14

References

• BugTraq: 15461
• CVE: CVE-2008-2905
• CVE: CVE-2005-3738
• URL: http://www.frsirt.com/exploits/20051122.mambo452_xpl.php.php