lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Sun, 17 Jun 2007 12:29:42 -0700
From: "SecurityResearch" <securityresearch@...vigilance.com>
To: <full-disclosure@...ts.grok.org.uk>
Subject: WSPortal version 1.0 Path Disclosure Vulnerability

netVigilance Security Advisory #32
WSPortal version 1.0 Path Disclosure Vulnerability
Description:
WSPortal is a site management system coded in PHP/MySQL. It is capable of adding pages, adding news to pages, adding images to news articles, alerting the
site or a specific ip address, private messaging system between administrators.
Successful exploitation requires PHP magic_quotes_gpc set to OFF.
Advisory URL: 
http://www.netvigilance.com/advisory0032
External References: 
Mitre CVE:  CVE-2007-3127
NVD NIST: CVE-2007-3127
OSVDB: 34163
Summary: 
WSPortal is a site management system coded in PHP/MySQL. 
Security problem in the product allows attackers to gather the true path of the server-side script.
Release Date:
06/17/2007
 
Severity:
Risk: Low
 
CVSS Metrics
Access Vector: Remote
Access Complexity: Low
Authentication: Not-required
Confidentiality Impact: Partial
Integrity Impact: None
Availability Impact: None
Impact Bias: Normal
CVSS Base Score: 2.3
 
Target Distribution on Internet: Low
 
Exploitability: Functional Exploit
Remediation Level: Workaround
Report Confidence: Uncorroborated
 
Vulnerability Impact: Attack
Host Impact: Path disclosure.
SecureScout Testcase ID:
TC 17962
Vulnerable Systems:
WSPortal version 1.0
Vulnerability Type:
Program flaws - The product scripts have flaws which lead to Warnings or even Fatal Errors.
Vendor:
Chris Harvey
Vendor Status:
The Vendor has been notified several times on many different email addresses last on 6 June 2007. The Vendor has not responded. There is no official fix
at the release of this Security Advisory.
Workaround:
Set display_errors = Off (php.ini file) or set magic_quotes_gpc = On (php.ini file).
Example: 
REQUEST:
http://[TARGET]/[WSPORTAL-DIRECTORY]/content.php?page=';
REPLY:
<b>Warning</b>:  mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>[DISCLOSED PATH][WSPORTAL-DIRECTORY]\content.php</b> on
line <b>67</b><br />
<b>Warning</b>:  mysql_fetch_array(): supplied argument is not a valid MySQL result resource in <b>[DISCLOSED PATH][WSPORTAL-DIRECTORY]\content.php</b> on
line <b>76</b><br />
Credits: 
Jesper Jurcenoks
Co-founder netVigilance, Inc
www.netvigilance.com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ