From: Ahmet Sabri ALPER (s_alperhotmail.com)
Date: Thu Feb 28 2002 - 07:42:44 CST


    +/--------\------- ALPER Research Labs -----/--------/+
    +/---------\------ Security Advisory ----/---------/+
    +/----------\----- ID: ARL02-A04 ---/----------/+
    +/-----------\---- salperolympos.org --/-----------/+


    Advisory Information
    --------------------
    Name               : DCP-Portal System Information Path Disclosure Vulnerability
    Software Package   : DCP-Portal
    Vendor Homepage    : http://www.dcp-portal.com
    Vulnerable Versions: v4.5, v4.2, v4.1 final, v4.0 final, v3.7 and v3.6
    Platforms          : Linux
    Vulnerability Type : Input Validation Error
    Vendor Contacted   : 18/02/2002
    Prior Problems     : BugTraq ID: 4113 & 4112
    Current Version    : 4.5.1 (immune)


    Summary
    -------
    DCP-Portal is a content management system with
    advanced features such as web-based update, link,
    file and member management, polls, a calendar, etc.
    Its main features include an admin panel to
    manage the entire site, a smart HTML editor
    to add news, content and announcements, the
    ability for members to submit news/content
    and write reviews, and much more.
    It is an open-source project, which is also
    supported by FreshMeat.

    A vulnerability exists in DCP-Portal which could
    allow any remote user to view the full path to
    the web root.


    Details
    -------
    The new_language function carries out the selection
    of the requested language file. Currently, DCP-Portal
    supports five languages: Turkish, English, French,
    Portuguese and Spanish.

    A maliciously crafted HTTP request that selects an
    invalid language causes the application to reveal
    the absolute path to the web root to the remote
    user, and further information about the system
    may be revealed as well.

    Example:
    http://dcp-portal_site/contents.php?new_language=elvish&mode=select
    http://dcp-portal_site/categories.php?new_language=elvish&mode=select
    http://dcp-portal_site/files.php?new_language=elvish&mode=select
    ...
    where "elvish" is a non-existing language file.


    Solution
    --------
    The vendor verified the vulnerability in all given
    versions. After a 10-day period, he fixed all the
    bugs stated and released a new version, "v4.5.1",
    which is immune. It can be downloaded from:
    http://www.dcp-portal.com/files.php?action=viewcat&fcat_id=1

    The workaround below was suggested by me:
    add a validity check to the new_language function,
    so that only a language from the fixed list of
    supported languages is ever turned into a file name.
    Eg (PHP):
    $supported = array('turkish', 'english', 'french', 'portuguese', 'spanish');
    if (in_array($requested_language, $supported)) {
        # valid language: carry on
    } else {
        die("Invalid language request!");
    }
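The mechanism from the Details section and the workaround above, as an added illustration that is not DCP-Portal's own code: a hypothetical language selector shown first as the advisory describes it, then with the allowlist check. LANG_DIR, the function names and the sample path are assumptions; the language list is the one the advisory gives.

```php
<?php
// Added illustration, not DCP-Portal's code. LANG_DIR and the function
// names are assumptions; the language list is the one the advisory gives.
define('LANG_DIR', '/var/www/dcp-portal/lang/');   // constructed path

// As the advisory describes it: the request parameter alone decides which
// file is included. For new_language=elvish the include fails and, with
// display_errors enabled, PHP's warning shows the client the full path it
// tried, roughly:
//   Warning: include(/var/www/dcp-portal/lang/elvish.php): failed to open stream
function load_language_unchecked($new_language)
{
    include LANG_DIR . $new_language . '.php';
}

// The workaround: map the request onto a fixed list first. Anything not on
// the list never becomes a file name, so no include can fail on user input.
function language_file($new_language)
{
    $supported = array('turkish', 'english', 'french', 'portuguese', 'spanish');
    $name = strtolower($new_language);
    if (!in_array($name, $supported, true)) {
        return null;
    }
    return LANG_DIR . $name . '.php';
}

function load_language_checked($new_language)
{
    $file = language_file($new_language);
    if ($file === null) {
        die('Invalid language request!');   // generic message, names no path
    }
    include $file;
}

// Defence in depth: even a stray warning elsewhere should go to the error
// log, never to the browser.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

if (isset($_GET['mode']) && $_GET['mode'] === 'select'
    && isset($_GET['new_language'])) {
    load_language_checked($_GET['new_language']);
}
```

With the checked variant, a request for new_language=elvish ends with the generic message, and the log, not the response, is where any include failure would show up.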


    Credits
    -------
    Discovered on 18 February 2002
    by Ahmet Sabri ALPER
    salperolympos.org
    Ahmet Sabri ALPER is the
    System Security Editor of PCLIFE Magazine.


    References
    ----------
    Product Web Page: http://www.dcp-portal.com
    Olympos Turkish Security Portal:
    http://www.olympos.org