Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

bugtraq logo Bugtraq mailing list archives

[ARL02-A02] DCP-Portal Root Path Disclosure Vulnerability
From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 15 Feb 2002 14:04:58 -0000


+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A02      ---/----------/+
+/-----------\---- salper () olympos org    --/-----------/+


Advisory Information
--------------------
Name               : DCP-Portal Root Path Disclosure 
Vulnerability
Software Package   : DCP-Portal
Vendor Homepage    : http://www.dcp-portal.com
Vulnerable Versions: v4.2, v4.1 final, v4.0 final, v3.7 
and probably all
                     previous versions.
Platforms          : Linux
Vulnerability Type : Design Error
Vendor Contacted   : 09/02/2002 (no reply)
Prior Problems     : N/A
Current Version    : 4.2 (vulnerable)


Summary
-------
DCP-Portal is a content management system with 
advanced features like 
web-based update, link, file, member management, 
poll, calendar, etc. 
Its main features include an admin panel to manage 
the entire site, a 
smart HTML editor to add news, content, and 
annoucements, the ability 
for members to submit news/content and write 
reviews, and much more. 
It's an open-source project, which is also supported 
by FreshMeat.

A vulnerability exists in Dcp-Portal, which could allow 
any remote 
user to view the full path to the web root.


Details
-------
If a user submits a HTTP request for 
the "add_user.php", the system 
will return an error page containing the path to the 
web root.
The remote attacker may potentially use the 
disclosed information to 
aid in further attacks against the host running the 
vulnerable software. 

Example:
http://www.dcp-portal_host.com.tr/add_user.php
This would return;
"Warning: Cannot add header information - headers 
already sent by (output 
started at /home/usr/www.dcp-
portal_host/htdocs/add_user.php:11) in 
/home/usr/www.dcp-
portal_host/htdocs/add_user.php on line 16"


Solution
--------
Suggested Solution:
Cut the lines 10-11 on add_user.php, and paste them 
at line 20.
Vendor did not care to reply or was unreachable.

Credits
-------
Discovered on 09, February, 2002 by Ahmet Sabri 
ALPER salper () olympos org
Ahmet Sabri ALPER is the System Security Editor of 
PCLIFE Magazine.

Olympos Turkish Security Portal: 
http://www.olympos.org

References
----------
Product Web Page: http://www.dcp-portal.com

  By Date           By Thread  

Current thread:
  • [ARL02-A02] DCP-Portal Root Path Disclosure Vulnerability Ahmet Sabri ALPER (Feb 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]