Mambo Site Server version 3.0.X admin privileges

    Mambo Site Server


    Mambo Site Server version 3.0.X


    Ismael Peinado Palomo found the following.  Mambo Site Server is a
    dynamic portal engine and content management tool based on PHP and
    MySQL.  Any user can gain administrator privileges.

    Under the 'administrator/' directory, index.php checks the user and
    password:

        if (isset($submit)){
          $query  = "SELECT id, password, name FROM users WHERE username='$myname' AND (usertype='administrator' OR usertype='superadministrator')";
          $result = $database->openConnectionWithReturn($query);
          if (mysql_num_rows($result)!= 0){
           list($userid, $dbpass, $fullname) = mysql_fetch_array($result);
           if (strcmp($dbpass,$pass)) {
            //if the password entered does not match the database record ask user to login again
            print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";
           }else {
            //if the password matches the database
            if ($remember!="on"){
             //if the user does not want the password remembered and the cookie is set, delete the cookie
             if ($passwordcookie!=""){
            //set up the admin session then take the user into the admin section of the site
            print "<SCRIPT>'index2.php','newwindow');</SCRIPT>\n";
            print "<SCRIPT>document.location.href='$live_site'</SCRIPT>\n";
          }else {
           print "<SCRIPT>alert('Incorrect Username and Password, please try again'); document.location.href='index.php';</SCRIPT>\n";

    As we can see, if the password for administrator matches the one
    in the database, some variables are registered in the session and
    we are redirected to lets take a look at

        if (!$PHPSESSID){
         print "<SCRIPT>document.location.href='index.php'</SCRIPT>\n";
        else {
         if (!$myname) session_register("myname");
         if (!$fullname) session_register("fullname");
         if (!$uid) session_register("userid");

    Here we can see that the only verification of a valid user is
    through the global variable PHPSESSID, so if we declare that
    variable in the URL and set 'myname', 'fullname' and 'userid', we
    can gain administrative we'll test:


    BINGO!!  Now we have full administrative privileges...that's a
    typical example of PHP's clear that security can't rely on global
    variables since they may be modified through URL
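
    An added example, not Mambo's code and not part of the original
    advisory: the two checks quoted above rewritten so that admin state
    lives only in server-side session data.  It assumes a PDO handle,
    PHP 5.5 or later and a users.password column holding
    password_hash() output; start_session_once(), admin_login() and
    require_admin() are hypothetical names.

```php
<?php
// Added example, not Mambo's code. Assumptions: PHP >= 5.5, a PDO handle,
// and users.password holding password_hash() output (not plaintext).

function start_session_once()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
}

// Login step (administrator/index.php): verify the credentials, then record
// the outcome in server-side session storage only.
function admin_login(PDO $db, $username, $password)
{
    // Bound parameter instead of interpolating $myname into the SQL string.
    $stmt = $db->prepare(
        "SELECT id, password, name FROM users
          WHERE username = ?
            AND usertype IN ('administrator', 'superadministrator')"
    );
    $stmt->execute(array($username));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password'])) {
        return false;
    }
    start_session_once();
    session_regenerate_id(true);   // fresh session ID once privileges change
    $_SESSION['admin'] = array(
        'userid'   => (int) $row['id'],
        'myname'   => $username,
        'fullname' => $row['name'],
    );
    return true;
}

// Gate for each admin page (administrator/index2.php): trust only what
// admin_login() stored. Request parameters named myname, fullname or userid
// are never read, and a session that admin_login() did not populate has no
// 'admin' entry, so presenting a PHPSESSID alone grants nothing.
function require_admin()
{
    start_session_once();
    if (!isset($_SESSION['admin']['userid'])) {
        header('Location: index.php');
        exit;
    }
    return $_SESSION['admin'];
}
```

    On PHP versions that still offer register_globals (it was removed
    in PHP 5.4.0), the setting should also be Off.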


    Nothing yet.
