8074839 2002-02-28 13:42 +0000 /110 lines/ Ahmet Sabri ALPER <s_alper@hotmail.com>
Sent by: joel@lysator.liu.se
Imported: 2002-03-01 02:22 by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <21178>
Subject: [ARL02-A04] DCP-Portal System Information Path Disclosure Vulnerability
------------------------------------------------------------
From: Ahmet Sabri ALPER <s_alper@hotmail.com>
To: bugtraq@securityfocus.com
Message-ID: <20020228134244.15732.qmail@mail.securityfocus.com>
+/--------\------- ALPER Research Labs -----/--------/+
+/---------\------ Security Advisory ----/---------/+
+/----------\----- ID: ARL02-A04 ---/----------/+
+/-----------\---- salper@olympos.org --/-----------/+
Advisory Information
--------------------
Name : DCP-Portal System Information Path Disclosure Vulnerability
Software Package : DCP-Portal
Vendor Homepage : http://www.dcp-portal.com
Vulnerable Versions: v4.5, v4.2, v4.1 final, v4.0 final, v3.7 and v3.6
Platforms : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted : 18/02/2002
Prior Problems : BugTraq ID: 4113 & 4112
Current Version : 4.5.1 (immune)
Summary
-------
DCP-Portal is a content management system with
advanced features like web-based update, link,
file, member management, poll, calendar, etc.
Its main features include an admin panel to
manage the entire site, a smart HTML editor
to add news, content, and announcements, the
ability for members to submit news/content
and write reviews, and much more.
It's an open-source project, which is also
supported by FreshMeat.
A vulnerability exists in Dcp-Portal, which could
allow any remote user to view the full path to
the web root.
Details
-------
The new_language function carries out the selection
of the requested language file.
Currently, DCP-Portal supports 5 languages:
Turkish, English, French, Portuguese and Spanish.
If a user submits a maliciously crafted HTTP request
naming a language that does not exist, the resulting
error output reveals the absolute path to the web root
to that remote user, and further information about
the system may be revealed as well.
This issue may be exploited by requesting an invalid
language selection.
Example:
http://dcp-portal_site/contents.php?new_language=elvish&mode=select
http://dcp-portal_site/categories.php?new_language=elvish&mode=select
http://dcp-portal_site/files.php?new_language=elvish&mode=select
...
Where Elvish is a non-existing language file.
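The following script is an added detection example, not part of the advisory or of DCP-Portal: it scans web server access log lines (Combined Log Format) for requests to the scripts named above whose new_language value is not one of the five languages the advisory lists. The lower-case parameter values and the log lines are assumptions constructed for the example.

```python
"""Flag requests that select a non-existent DCP-Portal language.

Added example for the advisory above; not code from DCP-Portal.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Language names come from the advisory; the exact parameter values the
# application accepts are an assumption (lower-case names are used here).
SUPPORTED_LANGUAGES = {"turkish", "english", "french", "portuguese", "spanish"}

# Scripts the advisory names as accepting the new_language parameter.
AFFECTED_SCRIPTS = {"/contents.php", "/categories.php", "/files.php"}

# Combined Log Format: client, timestamp, "METHOD target VERSION", status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def classify_request(target):
    """Return (reason, language) if the request target looks like an
    invalid language selection, or None if it is benign."""
    parts = urlsplit(target)
    if parts.path not in AFFECTED_SCRIPTS:
        return None
    query = parse_qs(parts.query, keep_blank_values=True)
    if "new_language" not in query:
        return None
    # The advisory's requests all carry mode=select; require it too.
    if query.get("mode", [""])[0] != "select":
        return None
    language = query["new_language"][0]
    if language.lower() in SUPPORTED_LANGUAGES:
        return None
    return ("unsupported new_language value", language)


def find_probes(log_lines):
    """Return a list of dicts, one per suspicious request in log_lines.
    Lines that do not parse as access-log entries are skipped."""
    hits = []
    for line in log_lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        verdict = classify_request(match.group("target"))
        if verdict is None:
            continue
        reason, language = verdict
        hits.append({
            "client": match.group("client"),
            "path": urlsplit(match.group("target")).path,
            "language": language,
            "status": int(match.group("status")),
            "reason": reason,
        })
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [28/Feb/2002:13:42:44 +0000] '
    '"GET /contents.php?new_language=english&mode=select HTTP/1.0" 200 5120',
    '203.0.113.7 - - [28/Feb/2002:13:42:50 +0000] '
    '"GET /contents.php?new_language=elvish&mode=select HTTP/1.0" 200 312',
    '198.51.100.9 - - [28/Feb/2002:13:43:01 +0000] '
    '"GET /files.php?new_language=dwarvish&mode=select HTTP/1.0" 200 298',
    '198.51.100.9 - - [28/Feb/2002:13:43:05 +0000] '
    '"GET /index.php?new_language=elvish&mode=select HTTP/1.0" 200 4000',
    'not an access log line',
]

if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

A 200 status on a flagged request is worth noting during triage: the advisory's point is that the error text is returned in a normal page, so the disclosure does not show up as a 4xx/5xx in the log.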
Solution
--------
The vendor confirmed the vulnerability in all the
versions listed.
Within 10 days the vendor fixed all of the reported bugs and
released a new version, v4.5.1, which is immune.
It can be downloaded from:
http://www.dcp-portal.com/files.php?action=viewcat&fcat_id=1
The workaround below was suggested by me:
Add an input check to the new_language function so that only
a language DCP-Portal actually ships can be selected.
Eg (PHP, since DCP-Portal is a PHP application):
// The five supported languages named in this advisory.
$supported = array('turkish', 'english', 'french', 'portuguese', 'spanish');
if (in_array($requested_language, $supported, true)) {
    // correct, carry on
} else {
    die('Invalid language request!');
}
Credits
-------
Discovered on 18 February 2002
by Ahmet Sabri ALPER
salper@olympos.org
Ahmet Sabri ALPER is the
System Security Editor of PCLIFE Magazine.
References
----------
Product Web Page: http://www.dcp-portal.com
Olympos Turkish Security Portal:
http://www.olympos.org