[ARL02-A04] DCP-Portal System Information Path Disclosure Vulnerability

From: Ahmet Sabri ALPER (s_alperat_private)
Date: Thu Feb 28 2002 - 05:42:44 PST

    +/--------\------- ALPER Research Labs   -----/--------/+
    +/---------\------  Security Advisory    ----/---------/+
    +/----------\-----    ID: ARL02-A04      ---/----------/+
    +/-----------\---- salperat_private    --/-----------/+
    
    
    Advisory Information
    --------------------
    Name               : DCP-Portal System Information 
                         Path Disclosure Vulnerability
    Software Package   : DCP-Portal
    Vendor Homepage    : http://www.dcp-portal.com
    Vulnerable Versions: v4.5, v4.2, v4.1 final, v4.0 final,
                         v3.7 and v3.6
    Platforms          : Linux
    Vulnerability Type : Input Validation Error
    Vendor Contacted   : 18/02/2002
    Prior Problems     : BugTraq ID: 4113 & 4112
    Current Version    : 4.5.1 (immune)
    
    
    Summary
    -------
    DCP-Portal is a content management system with 
    advanced features like web-based update, link, 
    file, member management, poll, calendar, etc. 
    Its main features include an admin panel to 
    manage the entire site, a smart HTML editor 
    to add news, content, and announcements, the 
    ability for members to submit news/content 
    and write reviews, and much more. 
    It's an open-source project, which is also 
    supported by FreshMeat.
    
    A vulnerability exists in DCP-Portal which allows 
    any remote user to learn the full filesystem path 
    to the web root.
    
    
    Details
    -------
    The new_language function selects the requested 
    language file. 
    Currently, DCP-Portal supports five languages: 
    Turkish, English, French, Portuguese and Spanish.
    
    If a user submits a maliciously crafted HTTP request, 
    the absolute path to the web root is revealed, and 
    further information about the system may be revealed 
    as well. 
    The issue is triggered by requesting a language 
    selection that does not exist.
    
    Example:
    http://dcp-portal_site/contents.php?new_language=elvish&mode=select
    http://dcp-portal_site/categories.php?new_language=elvish&mode=select
    http://dcp-portal_site/files.php?new_language=elvish&mode=select
    ...
    where elvish is a non-existent language file.
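    The requests above leave a clear trace in the web server's access log: 
    a new_language value that is not one of the five shipped languages. 
    The following PHP CLI script is an added example, not part of the 
    advisory or of DCP-Portal; the Combined Log Format lines it scans are 
    constructed for illustration, and the function name is an assumption.

```php
<?php
// Added example (not from the advisory or DCP-Portal): flag access-log
// requests whose new_language value is not a language the portal ships.
// The log lines at the bottom are constructed for this example.
declare(strict_types=1);

// The five languages named in the advisory, lower-cased for comparison.
const KNOWN_LANGUAGES = ['turkish', 'english', 'french', 'portuguese', 'spanish'];

/**
 * Scan Combined Log Format lines and return every request that carries a
 * new_language parameter outside KNOWN_LANGUAGES.
 * Each hit is [client_ip, script_path, requested_language].
 */
function find_invalid_language_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        // client ip, two '-' fields, [timestamp], then "METHOD target HTTP/x.y"
        if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;   // not a request line we understand
        }
        [$ip, $target] = [$m[1], $m[2]];

        $query = parse_url($target, PHP_URL_QUERY);
        if ($query === null || $query === false) {
            continue;   // no query string at all
        }
        parse_str($query, $params);
        if (!isset($params['new_language'])) {
            continue;   // not a language-switch request
        }

        $lang = strtolower((string) $params['new_language']);
        if (!in_array($lang, KNOWN_LANGUAGES, true)) {
            $hits[] = [$ip, parse_url($target, PHP_URL_PATH), $lang];
        }
    }
    return $hits;
}

// Constructed sample log: one legitimate switch, two probes, one unrelated hit.
$sampleLog = [
    '192.0.2.10 - - [28/Feb/2002:05:42:44 -0800] "GET /contents.php?new_language=english&mode=select HTTP/1.0" 200 5120',
    '192.0.2.77 - - [28/Feb/2002:05:43:01 -0800] "GET /contents.php?new_language=elvish&mode=select HTTP/1.0" 200 812',
    '192.0.2.77 - - [28/Feb/2002:05:43:05 -0800] "GET /files.php?new_language=klingon&mode=select HTTP/1.0" 200 790',
    '198.51.100.5 - - [28/Feb/2002:05:44:10 -0800] "GET /categories.php?action=viewcat&fcat_id=1 HTTP/1.0" 200 3300',
];

foreach (find_invalid_language_requests($sampleLog) as [$ip, $script, $lang]) {
    echo "suspicious language request from $ip to $script: new_language=$lang\n";
}
// Expected: two lines, both from 192.0.2.77 (elvish on /contents.php, klingon on /files.php).
```

    A 200 response on such a request is the detail worth alerting on: the 
    fixed version rejects the request, so an accepted unknown language 
    indicates a portal still running a vulnerable version.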
    
    
    Solution
    --------
    The vendor verified the vulnerability in all the 
    versions listed above. 
    After a 10-day period, he fixed all the bugs stated 
    and released a new version, v4.5.1, which is immune.
    It can be downloaded from:
    http://www.dcp-portal.com/files.php?action=viewcat&fcat_id=1
    
    The workaround below was suggested by me:
    add validation to the new_language function so that 
    only an existing language file can be selected.
    Eg:
    if (file_exists($requested_language)) {
        // valid language file: carry on
    } else {
        die("Invalid language request!");
    }
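    The disclosure itself comes from a general PHP behaviour: when 
    include() is handed a file that does not exist, the warning it emits 
    names the absolute path of the calling script, and with display_errors 
    enabled that warning is sent to the client. The code below is an added 
    example, not DCP-Portal's own code; the function, constant and 
    directory names are assumptions. It goes one step further than the 
    existence check above by resolving the request against a fixed 
    allowlist, so no request value is ever used to build a path.

```php
<?php
// Added example (not DCP-Portal's own code): language selection written so
// that only an allowlisted value can reach include(). Names are assumptions.
declare(strict_types=1);

// Allowlist: request value => language file. Only the five languages the
// advisory names; anything else resolves to null.
const LANGUAGE_FILES = [
    'turkish'    => 'turkish.php',
    'english'    => 'english.php',
    'french'     => 'french.php',
    'portuguese' => 'portuguese.php',
    'spanish'    => 'spanish.php',
];
const DEFAULT_LANGUAGE = 'english';

/*
 * Vulnerable shape, for contrast (never executed here): the request value is
 * spliced straight into the include path, so a non-existent name makes
 * include() warn, and the warning carries the script's absolute path.
 *
 *     include("language/" . $_GET['new_language'] . ".php");
 */

/**
 * Map the requested language to a file name from the allowlist.
 * Returns the default file when no language was requested, and null when the
 * value is unknown, so the caller decides whether to refuse the request.
 */
function resolve_language_file(?string $requested): ?string
{
    if ($requested === null || $requested === '') {
        return LANGUAGE_FILES[DEFAULT_LANGUAGE];
    }
    $key = strtolower(trim($requested));
    return LANGUAGE_FILES[$key] ?? null;   // lookup only; the value never becomes a path
}

// Usage in the spirit of the advisory's workaround: refuse unknown values.
ini_set('display_errors', '0');   // never ship PHP warnings (and paths) to clients
$file = resolve_language_file($_GET['new_language'] ?? null);
if ($file === null) {
    http_response_code(400);
    die('Invalid language request!');
}
// include __DIR__ . '/language/' . $file;   // safe: $file came from the allowlist
echo "Selected language file: $file\n";
```

    Turning display_errors off is a second, independent layer: it stops 
    any other warning in the application from revealing paths, but it does 
    not replace the allowlist, which is what keeps a bad value from being 
    acted on at all.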
    
    
    Credits
    -------
    Discovered on 18 February 2002 
    by Ahmet Sabri ALPER 
    salperat_private
    Ahmet Sabri ALPER is the 
    System Security Editor of PCLIFE Magazine.
    
    
    References
    ----------
    Product Web Page: http://www.dcp-portal.com
    Olympos Turkish Security Portal: 
    http://www.olympos.org
    
    This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 17:16:28 PST