Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

[ARL02-A02] DCP-Portal Root Path Disclosure Vulnerability

From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 15 Feb 2002 14:04:58 -0000


+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A02      ---/----------/+
+/-----------\---- salper () olympos org    --/-----------/+


Advisory Information
--------------------
Name               : DCP-Portal Root Path Disclosure 
Vulnerability
Software Package   : DCP-Portal
Vendor Homepage    : http://www.dcp-portal.com
Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7 
and probably all
                     previous versions.
Platforms          : Linux
Vulnerability Type : Design Error
Vendor Contacted   : 09/02/2002 (no reply)
Prior Problems     : N/A
Current Version    : 4.2 (vulnerable)


Summary
-------
DCP-Portal is a content management system with 
advanced features like 
web-based update, link, file, member management, 
poll, calendar, etc. 
Its main features include an admin panel to manage 
the entire site, a 
smart HTML editor to add news, content, and 
annoucements, the ability 
for members to submit news/content and write 
reviews, and much more. 
It's an open-source project, which is also supported 
by FreshMeat.

A vulnerability exists in Dcp-Portal, which could allow 
any remote 
user to view the full path to the web root.


Details
-------
If a user submits a HTTP request for 
the "add_user.php", the system 
will return an error page containing the path to the 
web root.
The remote attacker may potentially use the 
disclosed information to 
aid in further attacks against the host running the 
vulnerable software. 

Example:
http://www.dcp-portal_host.com.tr/add_user.php
This would return;
"Warning: Cannot add header information - headers 
already sent by (output 
started at /home/usr/www.dcp-
portal_host/htdocs/add_user.php:11) in 
/home/usr/www.dcp-
portal_host/htdocs/add_user.php on line 16"


Solution
--------
Suggested Solution:
Cut the lines 10-11 on add_user.php, and paste them 
at line 20.
Vendor did not care to reply or was unreachable.

Credits
-------
Discovered on 09, February, 2002 by Ahmet Sabri 
ALPER salper () olympos org
Ahmet Sabri ALPER is the System Security Editor of 
PCLIFE Magazine.

Olympos Turkish Security Portal: 
http://www.olympos.org

References
----------
Product Web Page: http://www.dcp-portal.com
Previous By Date Next
Previous By Thread Next

Current thread: