Mambo CMS Security Advisory – SQL Injection

Application : Mambo CMS
Versions Affected: 4.6.5 and Lower
Exploit : SQL Injection
Easy of use: Moderate
Threat Level : Low
Fix: Use another CMS in active development
ZeroDay : No
Credit: Aung Khant,, YGN Ethical Hacker Group, Myanmar
External Website:

What does it mean, do I have to do anything, if so what?

An input parameter called zorder isn’t properly scrutinised and is therefore subject to a SQL injection. SQL injections can be crafted to extract data and potentially run commands on your server. So even if you’re not storing sensitive information you will be putting your server at risk.  If you are running Mambo, you need to scrap it and use a CMS that is being actively developed and supported.

What happens if I leave it?

Your server will be hacked.

If you need further information on securing your server call us.

This entry was posted in Web Security. Bookmark the permalink.

Comments are closed.