[24294] in bugtraq
[ARL02-A02] DCP-Portal Root Path Disclosure Vulnerability
daemon@ATHENA.MIT.EDU (Ahmet Sabri ALPER)
Fri Feb 15 11:56:01 2002
Date: 15 Feb 2002 14:04:58 -0000
Message-ID: <20020215140458.6145.qmail@mail.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
Content-Transfer-Encoding: binary
MIME-Version: 1.0
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
+/--------\------- ALPER Research Labs -----/--------/+
+/---------\------ Security Advisory ----/---------/+
+/----------\----- ID: ARL02-A02 ---/----------/+
+/-----------\---- salper@olympos.org --/-----------/+
Advisory Information
--------------------
Name : DCP-Portal Root Path Disclosure
Vulnerability
Software Package : DCP-Portal
Vendor Homepage : http://www.dcp-portal.com
Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7
and probably all
previous versions.
Platforms : Linux
Vulnerability Type : Design Error
Vendor Contacted : 09/02/2002 (no reply)
Prior Problems : N/A
Current Version : 4.2 (vulnerable)
Summary
-------
DCP-Portal is a content management system with
advanced features like
web-based update, link, file, member management,
poll, calendar, etc.
Its main features include an admin panel to manage
the entire site, a
smart HTML editor to add news, content, and
annoucements, the ability
for members to submit news/content and write
reviews, and much more.
It's an open-source project, which is also supported
by FreshMeat.
A vulnerability exists in Dcp-Portal, which could allow
any remote
user to view the full path to the web root.
Details
-------
If a user submits a HTTP request for
the "add_user.php", the system
will return an error page containing the path to the
web root.
The remote attacker may potentially use the
disclosed information to
aid in further attacks against the host running the
vulnerable software.
Example:
http://www.dcp-portal_host.com.tr/add_user.php
This would return;
"Warning: Cannot add header information - headers
already sent by (output
started at /home/usr/www.dcp-
portal_host/htdocs/add_user.php:11) in
/home/usr/www.dcp-
portal_host/htdocs/add_user.php on line 16"
Solution
--------
Suggested Solution:
Cut the lines 10-11 on add_user.php, and paste them
at line 20.
Vendor did not care to reply or was unreachable.
Credits
-------
Discovered on 09, February, 2002 by Ahmet Sabri
ALPER salper@olympos.org
Ahmet Sabri ALPER is the System Security Editor of
PCLIFE Magazine.
Olympos Turkish Security Portal:
http://www.olympos.org
References
----------
Product Web Page: http://www.dcp-portal.com
