WSPortal version 1.0 Path Disclosure Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: WSPortal version 1.0 Path Disclosure Vulnerability
From: securityresearch@xxxxxxxxxxxxxxxx
Date: 17 Jun 2007 19:19:09 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

        netVigilance Security Advisory #32

WSPortal version 1.0 Path Disclosure Vulnerability
Description:
WSPortal is a site management system coded in PHP/MySQL. It is capable of 
adding pages, adding news to pages, adding images to news articles, alerting 
the site or a specific ip address, private messaging system between 
administrators.

Successful exploitation requires PHP magic_quotes_gpc set to OFF.

Advisory URL: 
http://www.netvigilance.com/advisory0032

External References: 
Mitre CVE:  CVE-2007-3127
NVD NIST: CVE-2007-3127
OSVDB: 34163

Summary: 
WSPortal is a site management system coded in PHP/MySQL. 
Security problem in the product allows attackers to gather the true path of the 
server-side script.
Release Date:
06/17/2007
 
Severity:
Risk: Low
 
CVSS Metrics
Access Vector: Remote
Access Complexity: Low
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
 
Vulnerability Impact: Attack
Host Impact: Path disclosure.


SecureScout Testcase ID:
TC 17962

Vulnerable Systems:
WSPortal version 1.0

Vulnerability Type:
Program flaws - The product scripts have flaws which lead to Warnings or even 
Fatal Errors.
Vendor:
Chris Harvey

Vendor Status:
The Vendor has been notified several times on many different email addresses 
last on 6 June 2007. The Vendor has not responded. There is no official fix at 
the release of this Security Advisory.

Workaround:
Set display_errors = Off (php.ini file) or set magic_quotes_gpc = On (php.ini 
file).

Example: 
REQUEST:
http://[TARGET]/[WSPORTAL-DIRECTORY]/content.php?page=';
REPLY:
<b>Warning</b>:  mysql_fetch_array(): supplied argument is not a valid MySQL 
result resource in <b>[DISCLOSED PATH][WSPORTAL-DIRECTORY]\content.php</b> on 
line <b>67</b><br />
<b>Warning</b>:  mysql_fetch_array(): supplied argument is not a valid MySQL 
result resource in <b>[DISCLOSED PATH][WSPORTAL-DIRECTORY]\content.php</b> on 
line <b>76</b><br />
Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com

Prev by Date: [SECURITY] [DSA 1310-1] New libexif packages fix integer overflow
Next by Date: Utopia News Pro version 1.4.0 XSS Attack Vulnerability
Previous by thread: [SECURITY] [DSA 1310-1] New libexif packages fix integer overflow
Next by thread: Utopia News Pro version 1.4.0 XSS Attack Vulnerability
Index(es):
- Date
- Thread