VIDEO: Exploiting a Cross Site Scripting vulnerability in Mambo CMS

In this video we look into the details of how an attacker can exploit a Cross-Site Scripting vulnerability in Mambo CMS (version 4.6.5), discovered by Bogdan Calin with Acunetix Web Vulnerability Scanner.

The vulnerability affects a POST parameter in the Mambo CMS administration interface. The attacker prepares a custom web page that, when the victim visits it, automatically submits a form in the background, triggering the vulnerability. The form is hidden from the user inside an iframe tag.

Once the victim, in this case a Mambo administrator, visits this page, his cookie details are logged to a file, which the attacker can then use to gain access to the Mambo CMS administration interface. Watch the full video for more in-depth details.
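To make the defensive side concrete, here is an added PHP illustration (not Mambo's code and not what the video shows) of the two things that break this attack chain on the server: encoding a reflected POST parameter before it is written back into the admin page, and setting the session cookie so that a script cannot read it and the browser does not attach it to a cross-site form submission. The parameter name `search_text`, the form markup and the probe value are placeholders of my own; the `samesite` cookie option requires PHP 7.3 or later.

```php
<?php
// Added illustration, not Mambo code. The parameter name is a placeholder.

// Vulnerable pattern: a POST parameter is echoed back into the admin page
// unchanged, so a value that closes the attribute and opens a <script> tag
// runs with the administrator's session.
function render_unsafe(array $post): string {
    $value = $post['search_text'] ?? '';
    return '<input name="search_text" value="' . $value . '">';
}

// Hardened pattern: encode for the HTML attribute context before reflecting.
// ENT_QUOTES also encodes single quotes, so the attribute cannot be closed
// early regardless of which quote character wraps it.
function render_safe(array $post): string {
    $value = htmlspecialchars($post['search_text'] ?? '', ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input name="search_text" value="' . $value . '">';
}

// Session cookie hardening (array form needs PHP >= 7.3):
//  - httponly: document.cookie cannot read the session id, so a payload that
//    sends the cookie to a logging script gets nothing even if the XSS fires.
//  - samesite=Lax: the browser does not attach the session cookie to a POST
//    submitted from a hidden iframe on another origin, so that request is
//    unauthenticated and never reaches the admin interface.
//  - secure: the cookie is only sent over HTTPS.
function start_hardened_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ]);
    session_start();
}

// Constructed probe value: closes the attribute and injects a script tag.
$probe = ['search_text' => '"><script>alert(1)</script>'];
echo render_unsafe($probe), "\n"; // the attribute is broken out of
echo render_safe($probe), "\n";   // the same value is inert, encoded text
```

Output encoding removes the injection itself; the cookie flags limit what a still-present XSS can do and stop the cross-site POST from carrying the admin session in the first place, which is why both belong in the fix.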

  • I don’t think I understand how this works.

    1) The victim is logged onto his mambo administration
    2) victim opens email with link and clicks the link
    3) The link contains a video and an Iframe

    What does the Iframe do? Does the Iframe contain a script that loops through the cookies on the victim’s browser and then finds the desired cookie and then passes the cookie onto the logger.php?

  • …and by the way – you say there’s a vulnerability in Mambo – but you never clarify this – I think this is the part that confuses me: you never mention anything regarding a vulnerability in Mambo.

  • @oab: Yes, the iframe prepares a form, including the XSS exploit in one of the parameters, and submits that form. The XSS exploit will submit the victim’s cookie to the logger.php file.
    Yes, I didn’t mention anything about the Mambo XSS vulnerability because I don’t want to directly help the script kiddies. However, all the information is there, in the video (including the vulnerable parameter). The XSS was submitted a few weeks ago to the Mambo team and has been fixed since then.
