CVE-2003-1245
Description
index2.php in Mambo 4.0.12 allows remote attackers to gain administrator access via a URL request where session_id is set to the MD5 hash of a session cookie.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- (no CPE) range: = 4.0.12
- (no CPE) range: = 4.0.12
Patches
Vulnerability mechanics
Root cause
"The application does not sufficiently validate session credentials, allowing an attacker to impersonate an administrator."
Attack vector
An attacker can gain administrator access by manipulating the session ID. The vulnerability lies in the application's failure to properly check if the session ID was legitimately created during an administrator login. By obtaining a valid session cookie (e.g., after a logout), an attacker can then MD5 hash this cookie's session ID. This hashed value can be sent as the `session_id` parameter in a URL request to the administrator section, tricking the application into granting administrative privileges [ref_id=1].
Affected code
The vulnerability is present in `index2.php` within the administrator section of Mambo Site Server. The exploit code targets the `index.php?option=logout` endpoint to retrieve a session cookie, and then uses this cookie to construct a malicious request to `index2.php?session_id=`. The core issue is the application's acceptance of an MD5-hashed session ID without proper verification [ref_id=1].
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability was fixed. However, it indicates that the issue was reported in Mambo Site Server 4.0.12 RC2 and suggests that earlier versions may also be affected. Remediation would likely involve implementing proper validation of session IDs to ensure they are legitimately generated and associated with an active administrative session.
Preconditions
- Input: The attacker must be able to obtain a valid session cookie from the target server, for example, by triggering a logout.
- Input: The attacker must know the hostname and directory structure of the target Mambo installation.
Reproduction
The provided reference includes a proof-of-concept script that demonstrates the attack. The script connects to the server, retrieves a cookie by requesting the logout page, MD5 hashes the session ID from the cookie, and then redirects to the administrator login page with the crafted session ID.
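A log check for the request sequence described above, written as an added example (not code from the advisory or from Mambo): it flags `index2.php` requests that carry a 32-hex-digit `session_id` in the URL shortly after the same client requested `index.php?option=logout`. The log format, the `/administrator/` path, the five-minute window and treating a POST to `index.php` as a login are assumptions, and the sample lines are constructed.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); the /administrator/
# directory, addresses and session_id values are made up for illustration.
SAMPLE_LOG = """\
198.51.100.7 - - [21/Feb/2003:10:15:01 +0000] "GET /administrator/index.php?option=logout HTTP/1.0" 200 512
198.51.100.7 - - [21/Feb/2003:10:15:02 +0000] "GET /administrator/index2.php?session_id=0123456789abcdef0123456789abcdef HTTP/1.0" 200 9321
203.0.113.20 - - [21/Feb/2003:10:20:00 +0000] "POST /administrator/index.php HTTP/1.1" 302 0
203.0.113.20 - - [21/Feb/2003:10:20:01 +0000] "GET /administrator/index2.php HTTP/1.1" 200 9321
203.0.113.20 - - [21/Feb/2003:11:00:00 +0000] "GET /administrator/index.php?option=logout HTTP/1.1" 200 512
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" ')
MD5_HEX = re.compile(r"^[0-9a-fA-F]{32}$")

def find_suspect_requests(log_text, window=timedelta(minutes=5)):
    """Return (client, timestamp, url) for index2.php requests that carry an
    MD5-shaped session_id in the URL after a logout with no login in between."""
    last_logout = {}  # client -> time of its last logout with no later login
    hits = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # skip lines that are not in the assumed format
        client, ts, method, url = m.groups()
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        parts = urlsplit(url)
        page = parts.path.rsplit("/", 1)[-1]
        query = parse_qs(parts.query)
        if page == "index.php" and query.get("option") == ["logout"]:
            last_logout[client] = when
        elif page == "index.php" and method == "POST":
            last_logout.pop(client, None)  # assumed login attempt resets state
        elif page == "index2.php" and "session_id" in query:
            sid = query["session_id"][0]
            seen = last_logout.get(client)
            if MD5_HEX.match(sid) and seen and when - seen <= window:
                hits.append((client, when.isoformat(), url))
    return hits

if __name__ == "__main__":
    for hit in find_suspect_requests(SAMPLE_LOG):
        print(hit)
```

A hit is a lead for review rather than proof of compromise; correlate it with any administrator actions logged for the same client afterwards.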
Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- archives.neohapsis.com/archives/bugtraq/2003-02/0302.html (nvd; Exploit, Vendor Advisory)
- www.securityfocus.com/bid/6926 (nvd; Exploit, Patch)
- exchange.xforce.ibmcloud.com/vulnerabilities/11398 (nvd)