Home page logo
/

bugtraq logo Bugtraq mailing list archives

[ARL02-A04] DCP-Portal System Information Path Disclosure Vulnerability
From: Ahmet Sabri ALPER <s_alper () hotmail com>
Date: 28 Feb 2002 13:42:44 -0000



+/--------\------- ALPER Research Labs   -----/--------/+
+/---------\------  Security Advisory    ----/---------/+
+/----------\-----    ID: ARL02-A04      ---/----------/+
+/-----------\---- salper () olympos org    --/-----------/+


Advisory Information
--------------------
Name               : DCP-Portal System Information 
                     Path Disclosure Vulnerability
Software Package   : DCP-Portal
Vendor Homepage    : http://www.dcp-portal.com
Vulnerable Versions: v4.5, v4.2, v4.1 final, v4.0 final, 
v3.7 
                     and v3.6
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 18/02/2002
Prior Problems     : BugTraq ID: 4113 & 4112
Current Version    : 4.5.1 (immune)


Summary
-------
DCP-Portal is a content management system with 
advanced features like web-based update, link, 
file, member management, poll, calendar, etc. 
Its main features include an admin panel to 
manage the entire site, a smart HTML editor 
to add news, content, and annoucements, the 
ability for members to submit news/content 
and write reviews, and much more. 
It's an open-source project, which is also 
supported by FreshMeat.

A vulnerability exists in Dcp-Portal, which could 
allow any remote user to view the full path to 
the web root.


Details
-------
The new_language function carries out the selection 
of the requested language file.
Currently, DCP-Portal supports 5 languages 
including; 
Turkish, English, French, Portuguese and Spanish.

If any user submits a maliciously crafted HTTP 
request 
this will enable a remote user to reveal the absolute 
path to the web root and also more information about 
the system might be revealed.
This issue may be exploited by requesting an invalid 
language selection.

Example:
http://dcp-portal_site/contents.php?
new_language=elvish&mode=select
http://dcp-portal_site/categories.php?
new_language=elvish&mode=select
http://dcp-portal_site/files.php?
new_language=elvish&mode=select
...
Where Elvish is a non-existing language file.


Solution
--------
The vendor verified the vulnerability in all given 
versions. 
After a 10 day period, he fixed all the bugs stated and 
released a new version "v4.5.1" which is immune.
It can be downloaded from:
http://www.dcp-portal.com/files.php?
action=viewcat&fcat_id=1

The workaround below was suggested by me:
Add control codes to the new_language function.
Eg:
if (exists ($requested_language)) {
# correct carry on
}
else {
die ("Invalid language request!");
}


Credits
-------
Discovered on 18, February, 2002 
by Ahmet Sabri ALPER 
salper () olympos org
Ahmet Sabri ALPER is the 
System Security Editor of PCLIFE Magazine.


References
----------
Product Web Page: http://www.dcp-portal.com
Olympos Turkish Security Portal: 
http://www.olympos.org


  By Date           By Thread  

Current thread:
  • [ARL02-A04] DCP-Portal System Information Path Disclosure Vulnerability Ahmet Sabri ALPER (Mar 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault