mambo -- multiple SQL injection vulnerabilities

Description:

James Bercegay reports:

Mambo is vulnerable to an Authentication Bypass issue that is due to an SQL Injection in the login function. The SQL Injection is possible because the $passwd variable is only sanitized when it is not passed as an argument to the function.

Omid reports:

There are several sql injections in Mambo 4.6 RC2 & Joomla 1.0.10 (and maybe other versions):

When a user edits a content, the "id" parameter is not checked properly in /components/com_content/content.php, which can cause 2 sql injections.

The "limit" parameter in the administration section is not checked. This affects many pages of administration section

In the administration section, while editing/creating a user, the "gid" parameter is not checked properly.

References:

BugTraq ID 19719
BugTraq ID 19734
URL: <http://www.gulftech.org/?node=research&article_id=00116-10042006>
URL: <http://seclists.org/bugtraq/2006/Aug/0491.html>
URL: <http://www.frsirt.com/english/advisories/2006/3918>
URL: <http://mamboxchange.com/forum/forum.php?forum_id=7704>
URL: <http://secunia.com/advisories/21644/>
URL: <http://secunia.com/advisories/22221/>

Affects:

mambo >=0

portaudit: mambo -- multiple SQL injection vulnerabilities

Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.

If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Officer. Refer to "FreeBSD Security Information" for more information.

Oliver Eikemeier <eik@FreeBSD.org>