Larry W. Cashdollar
1/2/2012

About Mambo:

"Mambo is a full-featured content management system that can be used for everything from simple websites to complex corporate applications."

1. Clear text password/crypt:

Mambo stores mysql database password in clear text in the documentroot path. (default recommendation is to use root credentials) which is readable by any local user.

Mambo also stores the admin password hash which is readable by any local user.
from documentation:

http://help.mamboserver.com/index.php?option=com_content&task=view&id=41&Itemid=70

- CHMOD configuration.php to 777

Additional Notes on CHMOD [Permissions]

- For additional security return configuration.php to CHMOD 644 after making changes.


2. DoS

An attacker doesn't have to be authenticated to start the process of uploading a file.  The file won't be saved as authentication is required, but memory and bandwidth are consumed.

http://<target ip>/mambots/editors/mostlyce/jscripts/tiny_mce/filemanager/frmupload.html

3. path disclosure

There appears to be broken php scripts installed with the package:

http://<target ip>/mambots/editors/mostlyce/jscripts/tiny_mce/imagemanager/thumbs.php
& editorFrame.php  editor.php  images.php  manager.php are all busted and return

Warning: require(/var/wwwmambots/editors/mostlyce/jscripts/tiny_mce/auth_check.php) [function.require]: failed to open stream: No such file or directory in /var/www/mambots/editors/mostlyce/jscripts/tiny_mce/imagemanager/editorFrame.php on line 4

Fatal error: require() [function.require]: Failed opening required '/var/wwwmambots/editors/mostlyce/jscripts/tiny_mce/auth_check.php' (include_path='.:/usr/share/php:/usr/share/pear') in /var/www/mambots/editors/mostlyce/jscripts/tiny_mce/imagemanager/editorFrame.php on line 4