+/--------\------- ALPER Research Labs -----/--------/+
+/---------\------ Security Advisory ----/---------/+
+/----------\----- ID: ARL02-A04 ---/----------/+
+/-----------\---- salper@olympos.org --/-----------/+

Advisory Information
--------------------

Name               : DCP-Portal System Information Path Disclosure Vulnerability
Software Package   : DCP-Portal
Vendor Homepage    : http://www.dcp-portal.com
Vulnerable Versions: v4.5, v4.2, v4.1 final, v4.0 final, v3.7 and v3.6
Platforms          : Linux
Vulnerability Type : Input Validation Error
Vendor Contacted   : 18/02/2002
Prior Problems     : BugTraq ID: 4113 & 4112
Current Version    : 4.5.1 (immune)

Summary
-------

DCP-Portal is a content management system with advanced features such as web-based updating, link, file and member management, polls, a calendar, etc. Its main features include an admin panel to manage the entire site, a smart HTML editor to add news, content and announcements, the ability for members to submit news/content and write reviews, and much more. It is an open-source project, which is also supported by FreshMeat.

A vulnerability exists in DCP-Portal which could allow any remote user to view the full path to the web root.

Details
-------

The new_language function carries out the selection of the requested language file. Currently, DCP-Portal supports five languages: Turkish, English, French, Portuguese and Spanish. The requested language name is not validated before the corresponding language file is loaded, so a maliciously crafted HTTP request makes the application reveal the absolute path to the web root, and further information about the system may be disclosed as well.

This issue may be exploited by requesting an invalid language selection. Example:

http://dcp-portal_site/contents.php?new_language=elvish&mode=select
http://dcp-portal_site/categories.php?new_language=elvish&mode=select
http://dcp-portal_site/files.php?new_language=elvish&mode=select
...

where "elvish" is a non-existent language file.

Solution
--------

The vendor verified the vulnerability in all given versions. After a 10-day period, he fixed all the bugs stated and released a new version, "v4.5.1", which is immune. It can be downloaded from:

http://www.dcp-portal.com/files.php?action=viewcat&fcat_id=1

The workaround below was suggested by me: add control codes to the new_language function, e.g.

if (exists ($requested_language)) {
    # correct, carry on
} else {
    die ("Invalid language request!");
}

Credits
-------

Discovered on 18 February 2002 by Ahmet Sabri ALPER
salper@olympos.org

Ahmet Sabri ALPER is the System Security Editor of PCLIFE Magazine.

References
----------

Product Web Page: http://www.dcp-portal.com
Olympos Turkish Security Portal: http://www.olympos.org
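The workaround in the Solution section, carried through as an added PHP example (not DCP-Portal's own code): the requested language is mapped against an allowlist before any file name is built, and a missing file produces a generic message instead of a PHP warning that echoes the absolute path. The language codes, the `$langDir` layout and the `resolve_language`/`new_language` names are assumptions for illustration.

```php
<?php
// Added example, not code from DCP-Portal. Language codes, file layout
// and function names are assumptions for illustration.
declare(strict_types=1);

// Only these identifiers may ever reach the filesystem.
const SUPPORTED_LANGUAGES = ['tr', 'en', 'fr', 'pt', 'es'];
const DEFAULT_LANGUAGE    = 'en';

/**
 * Resolve the client-supplied language name to a known code.
 * Anything outside the allowlist (e.g. "elvish", or a string containing
 * path separators) falls back to the default instead of being used to
 * construct a file name.
 */
function resolve_language(?string $requested): string
{
    if ($requested === null) {
        return DEFAULT_LANGUAGE;
    }
    $requested = strtolower(trim($requested));
    return in_array($requested, SUPPORTED_LANGUAGES, true) ? $requested : DEFAULT_LANGUAGE;
}

/**
 * Load the language file for a validated code. The file is checked for
 * existence before it is included, so a broken installation yields a
 * generic response and a server-side log entry rather than a warning
 * containing the web root path.
 */
function new_language(?string $requested, string $langDir): string
{
    $code = resolve_language($requested);
    $file = $langDir . '/' . $code . '.php';   // $code is allowlisted, so no traversal is possible

    if (!is_file($file)) {
        error_log("language file missing for code {$code}");  // path stays in the server log
        exit('Invalid language request!');                    // nothing about the filesystem in the response
    }

    require $file;
    return $code;
}

// Usage, e.g. at the top of contents.php (assumed location of the language files):
// $lang = new_language($_GET['new_language'] ?? null, __DIR__ . '/lang');
```

Keeping `display_errors` off in production is a second, independent layer: even an unexpected PHP warning then goes to the error log rather than the HTTP response.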