[ARL02-A02] DCP-Portal Root Path Disclosure Vulnerability

From: Ahmet Sabri ALPER (s_alperat_private)
Date: Fri Feb 15 2002 - 06:04:58 PST

    +/--------\------- ALPER Research Labs   -----/--------/+
    +/---------\------  Security Advisory    ----/---------/+
    +/----------\-----    ID: ARL02-A02      ---/----------/+
    +/-----------\---- salperat_private    --/-----------/+
    
    
    Advisory Information
    --------------------
    Name               : DCP-Portal Root Path Disclosure Vulnerability
    Software Package   : DCP-Portal
    Vendor Homepage    : http://www.dcp-portal.com
    Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7 and probably all
                         previous versions.
    Platforms          : Linux
    Vulnerability Type : Design Error
    Vendor Contacted   : 09/02/2002 (no reply)
    Prior Problems     : N/A
    Current Version    : 4.2 (vulnerable)
    
    
    Summary
    -------
    DCP-Portal is a content management system with advanced features like
    web-based update, link, file, member management, poll, calendar, etc.
    Its main features include an admin panel to manage the entire site, a
    smart HTML editor to add news, content, and announcements, the ability
    for members to submit news/content and write reviews, and much more.
    It's an open-source project, which is also supported by FreshMeat.

    A vulnerability exists in DCP-Portal, which could allow any remote
    user to view the full path to the web root.
    
    
    Details
    -------
    If a user submits an HTTP request for "add_user.php", the system
    will return an error page containing the path to the web root.
    A remote attacker may use the disclosed information to aid in
    further attacks against the host running the vulnerable software.
    
    Example:
    http://www.dcp-portal_host.com.tr/add_user.php
    This would return:
    "Warning: Cannot add header information - headers already sent by
    (output started at /home/usr/www.dcp-portal_host/htdocs/add_user.php:11)
    in /home/usr/www.dcp-portal_host/htdocs/add_user.php on line 16"
    
    
    Solution
    --------
    Suggested Solution:
    Cut lines 10-11 of add_user.php and paste them at line 20.
    Vendor did not care to reply or was unreachable.
    
    Credits
    -------
    Discovered on 09, February, 2002 by Ahmet Sabri ALPER salperat_private
    Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.

    Olympos Turkish Security Portal: http://www.olympos.org
    
    References
    ----------
    Product Web Page: http://www.dcp-portal.com
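
Added example, not part of the original advisory or of DCP-Portal: a check a site operator can run over saved response bodies to find the warning quoted under Details and extract the paths it leaks. It also matches the later PHP wording ("Cannot modify header information"), which goes beyond the advisory's case; the function names and the two extra sample bodies are assumptions made for illustration.

```python
import re

# PHP's "headers already sent" warning: the PHP 4 wording quoted in the
# advisory ("Cannot add ...") and the later wording ("Cannot modify ...").
# Assumes Unix-style paths without spaces, as in the advisory's example.
HEADERS_SENT = re.compile(
    r"Cannot (?:add|modify) header information - headers already sent by "
    r"\(output started at (?P<out_file>/\S+?):(?P<out_line>\d+)\) "
    r"in (?P<err_file>/\S+?) on line (?P<err_line>\d+)"
)

def find_path_leaks(body):
    """Return one dict per path-leaking warning found in a response body."""
    text = re.sub(r"<[^>]+>", "", body)   # HTML error output wraps parts in <b>
    text = re.sub(r"\s+", " ", text)      # undo line wrapping at spaces
    leaks = []
    for m in HEADERS_SENT.finditer(text):
        leaks.append({
            "output_started": (m.group("out_file"), int(m.group("out_line"))),
            "raised_at": (m.group("err_file"), int(m.group("err_line"))),
            "directory": m.group("err_file").rsplit("/", 1)[0],
        })
    return leaks

# Response bodies keyed by request path. The first is the message quoted in
# the advisory; the other two are constructed for this example.
SAMPLES = {
    "/add_user.php": (
        "Warning: Cannot add header information - headers already sent by "
        "(output started at /home/usr/www.dcp-portal_host/htdocs/add_user.php:11) "
        "in /home/usr/www.dcp-portal_host/htdocs/add_user.php on line 16"
    ),
    "/index.php": "<html><body>Welcome</body></html>",
    "/modern.php": (
        "<br />\n<b>Warning</b>:  Cannot modify header information - headers "
        "already sent by (output started at /var/www/example/page.php:3) in "
        "<b>/var/www/example/page.php</b> on line <b>9</b><br />"
    ),
}

def audit(samples):
    """Map each request path whose body leaks a filesystem path to its leaks."""
    return {path: leaks for path, body in samples.items()
            if (leaks := find_path_leaks(body))}

if __name__ == "__main__":
    for path, leaks in audit(SAMPLES).items():
        for leak in leaks:
            print(path, "leaks", leak["directory"], "warning at", leak["raised_at"])
```

A hit means a script emits output before sending headers and that PHP warnings are being shown to clients; reordering the output as in the suggested solution fixes the first, and turning off PHP's display_errors setting on production hosts addresses the second.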
    


