OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Fri Feb 15 2002 - 08:04:58 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    ('binary' encoding is not supported, stored as-is) +/--------\------- ALPER Research Labs -----/--------/+
    +/---------\------ Security Advisory ----/---------/+
    +/----------\----- ID: ARL02-A02 ---/----------/+
    +/-----------\---- salperolympos.org --/-----------/+


    Advisory Information
    --------------------
    Name : DCP-Portal Root Path Disclosure
    Vulnerability
    Software Package : DCP-Portal
    Vendor Homepage : http://www.dcp-portal.com
    Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7
    and probably all
                         previous versions.
    Platforms : Linux
    Vulnerability Type : Design Error
    Vendor Contacted : 09/02/2002 (no reply)
    Prior Problems : N/A
    Current Version : 4.2 (vulnerable)


    Summary
    -------
    DCP-Portal is a content management system with
    advanced features like
    web-based update, link, file, member management,
    poll, calendar, etc.
    Its main features include an admin panel to manage
    the entire site, a
    smart HTML editor to add news, content, and
    annoucements, the ability
    for members to submit news/content and write
    reviews, and much more.
    It's an open-source project, which is also supported
    by FreshMeat.

    A vulnerability exists in Dcp-Portal, which could allow
    any remote
    user to view the full path to the web root.


    Details
    -------
    If a user submits a HTTP request for
    the "add_user.php", the system
    will return an error page containing the path to the
    web root.
    The remote attacker may potentially use the
    disclosed information to
    aid in further attacks against the host running the
    vulnerable software.

    Example:
    http://www.dcp-portal_host.com.tr/add_user.php
    This would return;
    "Warning: Cannot add header information - headers
    already sent by (output
    started at /home/usr/www.dcp-
    portal_host/htdocs/add_user.php:11) in
    /home/usr/www.dcp-
    portal_host/htdocs/add_user.php on line 16"


    Solution
    --------
    Suggested Solution:
    Cut the lines 10-11 on add_user.php, and paste them
    at line 20.
    Vendor did not care to reply or was unreachable.

    Credits
    -------
    Discovered on 09, February, 2002 by Ahmet Sabri
    ALPER salperolympos.org
    Ahmet Sabri ALPER is the System Security Editor of
    PCLIFE Magazine.

    Olympos Turkish Security Portal:
    http://www.olympos.org

    References
    ----------
    Product Web Page: http://www.dcp-portal.com