VIDEO: Exploiting a Cross Site Scripting vulnerability in Mambo CMS

In this video we look into the details of how an attacker is able to exploit a Cross Site Scripting vulnerability in Mambo CMS (version: 4.6.5), discovered by Bogdan Calin with Acunetix Web Vulnerability Scanner.

This vulnerability affects a POST parameter in the Mambo CMS administration interface. The attacker prepares a custom web page; when the victim visits it, a form is automatically submitted in the background, exploiting the vulnerability. The form is hidden from the user in an iframe tag.

Once the victim, in this case a Mambo administrator, visits this page, his cookie details are logged to a file, which the attacker can use to gain access to the Mambo CMS administration interface. Watch the full video for more in-depth details.
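The two defects that make the attack above work are a POST parameter reflected into the admin page without escaping, and a session cookie that script can read and that the browser attaches to a cross-site form submission. The following Python snippet is an added example, not Mambo's code (Mambo is PHP; this is a stand-in handler written for illustration), and every name in it (the `field` parameter, the `mambo_session` cookie, the `/administrator` path) is assumed. It shows the unescaped reflection beside its escaped form, a per-session CSRF token check that would reject the hidden iframe form, a `Set-Cookie` value with `HttpOnly`/`Secure`/`SameSite`, and a small check a reviewer can run over response headers to flag session cookies that lack `HttpOnly`.

```python
import hmac
import html
import secrets
from typing import List, Optional

# Constructed sample input: the shape of a value a hostile form could place in
# the parameter. A benign alert marker is used only to show the escaping.
SAMPLE_INPUT = '"><script>alert(1)</script>'


def render_admin_field_vulnerable(param_value: str) -> str:
    """Reflects the POST parameter straight into the HTML attribute: the XSS defect.
    Illustrative only; not the actual Mambo 4.6.5 code."""
    return f'<input type="text" name="field" value="{param_value}">'


def render_admin_field_hardened(param_value: str) -> str:
    """Same markup, but the parameter is HTML-escaped with quotes included, so
    user-supplied text can neither close the attribute nor open a tag."""
    safe = html.escape(param_value, quote=True)
    return f'<input type="text" name="field" value="{safe}">'


def issue_csrf_token() -> str:
    """Random per-session token to embed as a hidden field in every admin form."""
    return secrets.token_urlsafe(32)


def csrf_token_is_valid(session_token: str, submitted_token: Optional[str]) -> bool:
    """Constant-time comparison; a missing or mismatched token rejects the POST.
    A page on another origin cannot read the admin's token, so an auto-submitted
    cross-site form (the hidden iframe described above) is refused before the
    vulnerable parameter is ever processed."""
    if not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value: HttpOnly keeps document.cookie from exposing it to script,
    Secure restricts it to TLS, SameSite=Lax stops the browser from attaching it
    to cross-site POST submissions."""
    return (f"mambo_session={session_id}; Path=/administrator; "
            "HttpOnly; Secure; SameSite=Lax")


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Defender-side check: given the Set-Cookie header values of a response,
    return the names of cookies set without the HttpOnly attribute."""
    missing = []
    for header in set_cookie_headers:
        attrs = [part.strip() for part in header.split(";")]
        name = attrs[0].split("=", 1)[0]
        if not any(attr.lower() == "httponly" for attr in attrs[1:]):
            missing.append(name)
    return missing


if __name__ == "__main__":
    print("vulnerable:", render_admin_field_vulnerable(SAMPLE_INPUT))
    print("hardened:  ", render_admin_field_hardened(SAMPLE_INPUT))
    token = issue_csrf_token()
    print("csrf ok:   ", csrf_token_is_valid(token, token))
    print("csrf cross-site (no token):", csrf_token_is_valid(token, None))
    print("cookie:    ", session_cookie_header("constructed-session-id"))
    print("missing HttpOnly:", cookies_missing_httponly(
        ["mambo_session=abc; Path=/", session_cookie_header("abc")]))
```

The hardened renderer is the fix for the reflected parameter itself; the CSRF token and cookie attributes are defence in depth that would have blunted this specific delivery (a hidden cross-site form) and the cookie theft even before the escaping fix shipped.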

Subscribe to the Acunetix YouTube channel to be automatically notified when new web security and Acunetix WVS videos are uploaded.

  • I don’t think I understand how this works.

    1) The victim is logged onto his mambo administration
    2) victim opens email with link and clicks the link
    3) The link contains a video and an Iframe

    What does the Iframe do? Does the Iframe contain a script that loops through the cookies on the victim’s browser and then finds the desired cookie and then passes the cookie onto the logger.php?

  • …and by the way – you say there’s a vulnerability in Mambo – but you never clarify on this – I think this is the part that confuses me: you never mention anything regarding a vulnerability in mambo.

  • @oab: Yes, the iframe prepares a form, including the XSS exploit in one of the parameters, and submits that form. The XSS exploit will submit the victim’s cookie to the logger.php file.
    Yes, I didn’t mention anything about the Mambo XSS vulnerability because I don’t want to directly help the script kiddies. However, all the information is there, in the video (including the vulnerable parameter). The XSS was submitted a few weeks ago to the Mambo team and has since been fixed.
