95054 2003-03-21 00:32 /112 rader/ Grégory Le Bras <gregory.lebras@security-corporation.com> Importerad: 2003-03-21 00:32 av Brevbäraren Extern mottagare: bugtraq@securityfocus.com Mottagare: Bugtraq (import) <4087> Ärende: [SCSA-011] Path Disclosure Vulnerability in XOOPS ------------------------------------------------------------ ________________________________________________________________________ Security Corporation Security Advisory [SCSA-011] ________________________________________________________________________ PROGRAM: XOOPS HOMEPAGE: http://www.xoops.org/ VULNERABLE VERSIONS: v2.0 (and prior ?) ________________________________________________________________________ DESCRIPTION ________________________________________________________________________ XOOPS is "a dynamic OO (Object Oriented) based open source portal script written in PHP. XOOPS is the ideal tool for developing small to large dynamic community websites,intra company portals, corporate portals, weblogs and much more." (direct quote from XOOPS website) DETAILS & EXPLOITS ________________________________________________________________________ ¤ Details Path Disclosure : A vulnerability have been found in XOOPS which allow attackers to determine the physical path of the application. This vulnerability would allow a remote user to determine the full path to the web root directory and other potentially sensitive information. This vulnerability can be triggered by a remote user submitting a specially crafted HTTP request including invalid input to the "$xoopsOption" variable. ¤ Exploits Path Disclosure : http://[target]/index.php?xoopsOption=any_word Affected files: admin.php edituser.php footer.php header.php image.php lostpass.php pmlite.php readpmsg.php register.php search.php user.php userinfo.php viewpmsg.php class/xoopsblock.php modules/contact/index.php modules/mydownloads/index.php modules/mydownloads/brokenfile.php modules/mydownloads/modfile.php modules/mydownloads/ratefile.php modules/mydownloads/singlefile.php modules/mydownloads/submit.php modules/mydownloads/topten.php modules/mydownloads/viewcat.php modules/mylinks/brokenlink.php modules/mylinks/index.php modules/mylinks/modlink.php modules/mylinks/ratelink.php modules/mylinks/singlelink.php modules/mylinks/submit.php modules/mylinks/topten.php modules/mylinks/viewcat.php modules/newbb/index.php modules/newbb/search.php modules/newbb/viewforum.php modules/newbb/viewtopic.php modules/news/archive.php modules/news/article.php modules/news/index.php modules/sections/index.php modules/system/admin.php modules/xoopsfaq/index.php modules/xoopsheadlines/index.php modules/xoopsmembers/index.php modules/xoopspartners/index.php modules/xoopspartners/join.php modules/xoopspoll/index.php modules/xoopspoll/pollresults.php SOLUTIONS ________________________________________________________________________ No solution for the moment. VENDOR STATUS ________________________________________________________________________ The vendor has reportedly been notified. LINKS ________________________________________________________________________ Version Française : http://www.security-corporation.com/index.php?id=advisories&a=011-FR ------------------------------------------------------------------------ Grégory Le Bras aka GaLiaRePt | http://www.Security-Corporation.com ------------------------------------------------------------------------ (95054) /Grégory Le Bras <gregory.lebras@security-corporation.com>/(Ombruten)