https://www.exploit-db.com/exploits/22087
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200212-448

MamboSiteServer是一款免费开放源代码WEB内容管理工具，由PHP编写。Mambo包含的’index.php’脚本对用户畸形请求处理不正确，远程攻击者可以利用这个漏洞获得系统物理路径信息。Mambo包含的脚本’index.php’可被远程访问，攻击者可以直接访问此脚本，并传递非法参数，可导致脚本返回包含Mambo程序所在位置的绝对路径信息。攻击者可以借此对系统进一步进行攻击。

source: http://www.securityfocus.com/bid/6387/info

A vulnerability has been discovered in Mambo Site Server. Requesting the 'index.php' script with an invalid parameter will cause an error page to be generated containing the path of the Mambo script.

Information obtained by exploiting this issue may aid an attacker in launching further attacks against a target server.

It should be noted that this vulnerability was reported in Mambo Site Server 4.0.11. It is not yet known whether other versions are affected.

http://www.example.com/mambo/index.php?Itemid=invalidparameter

来源:BID
名称:6387
链接:http://www.securityfocus.com/bid/6387
来源:XF
名称:mambo-index-path-disclosure(10856)
链接:http://xforce.iss.net/xforce/xfdb/10856
来源:BUGTRAQ
名称:20021212MultipleMamboSiteServersec-weaknesses
链接:http://archives.neohapsis.com/archives/bugtraq/2002-12/0111.html
来源：NSFOCUS
名称：4034
链接：http://www.nsfocus.net/vulndb/4034