Mambo CMS Security Advisory – SQL Injection

Application : Mambo CMS
Versions Affected: 4.6.5 and Lower
Exploit : SQL Injection
Ease of use: Moderate
Threat Level : Low
Fix: Use another CMS in active development
ZeroDay : No
Credit: Aung Khant, http://yehg.net, YGN Ethical Hacker Group, Myanmar
External Website: http://mambo-developer.org

What does it mean, do I have to do anything, if so what?

An input parameter called zorder isn’t properly scrutinised and is therefore subject to SQL injection. SQL injection can be crafted to extract data and potentially run commands on your server, so even if you’re not storing sensitive information you are putting your server at risk. If you are running Mambo, you need to scrap it and use a CMS that is being actively developed and supported.
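The following is an added example, not code from the advisory or from Mambo itself. It assumes that zorder is an ordering parameter spliced into an ORDER BY clause (the advisory does not say how Mambo uses it) and runs against a constructed SQLite table, contrasting the unsafe concatenation pattern with allowlist validation, which is the standard defence for ORDER BY because column names cannot be bound as query parameters.

```python
import re
import sqlite3

# Constructed sample schema and rows; not Mambo's real tables (assumption).
SAMPLE_ROWS = [(1, "alpha", "secret-1"), (2, "beta", "secret-2")]
ALLOWED_ORDER_COLUMNS = {"id", "title"}
ORDER_RE = re.compile(r"([a-z_]+)(?:\s+(asc|desc))?", re.IGNORECASE)


def build_query_unsafe(zorder: str) -> str:
    """Vulnerable pattern: request input is concatenated straight into SQL."""
    return f"SELECT title FROM content ORDER BY {zorder}"


def build_query_safe(zorder: str) -> str:
    """Hardened pattern: only an allowlisted column and direction reach the SQL."""
    match = ORDER_RE.fullmatch(zorder.strip())
    if not match or match.group(1).lower() not in ALLOWED_ORDER_COLUMNS:
        raise ValueError("zorder rejected: not an allowed column/direction")
    column = match.group(1).lower()
    direction = (match.group(2) or "asc").upper()
    return f"SELECT title FROM content ORDER BY {column} {direction}"


def fetch_titles(zorder: str, safe: bool = True) -> list:
    """Run the chosen builder against an in-memory table; returns titles in order."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE content (id INTEGER, title TEXT, secret TEXT)")
    con.executemany("INSERT INTO content VALUES (?, ?, ?)", SAMPLE_ROWS)
    query = build_query_safe(zorder) if safe else build_query_unsafe(zorder)
    return [row[0] for row in con.execute(query).fetchall()]


def rejects(zorder: str) -> bool:
    """True when the hardened builder refuses the value (for tests/log review)."""
    try:
        build_query_safe(zorder)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(fetch_titles("title desc"))          # hardened: valid input passes
    print(rejects("(SELECT secret FROM content)"))  # hardened: subquery refused
    # The unsafe builder happily embeds the same subquery into the statement.
    print(build_query_unsafe("(SELECT secret FROM content)"))
```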

What happens if I leave it?

Your server will be hacked.

If you need further information on securing your server call us.

This entry was posted in Web Security.