In this video we look into the details of how an attacker is able to exploit a Cross-Site Scripting (XSS) vulnerability in Mambo CMS (version 4.6.5), discovered by Bogdan Calin with Acunetix Web Vulnerability Scanner.

The vulnerability affects a POST parameter in the Mambo CMS administration interface. Because the parameter is only read from a POST body, a crafted link is not enough to trigger it: the attacker prepares a custom web page that, when the victim visits it, automatically submits a form to the vulnerable page in the background, thus exploiting the vulnerability. The form is hidden from the user inside an iframe tag.

Once the victim, in this case a Mambo administrator, visits this page, the injected script sends the administrator's cookies to a server under the attacker's control, where they are logged to a file. The attacker can then use the stolen session cookie to gain access to the Mambo CMS administration interface. Watch the full video for more in-depth details.

Subscribe to the Acunetix YouTube channel to be automatically notified when new web security and Acunetix WVS videos are uploaded.

Bogdan Calin

Acunetix developers and tech agents regularly contribute to the blog. All the Acunetix developers come with years of experience in the web security sphere.