Stellar Docs Path Disclosure and Security Leak

ZH2003-20SA (security advisory): Stellar Docs Path Disclosure and Security Leak

Published: 10 August 2003
Released: 10 August 2003
Name: Stellar Docs
Affected Systems: v1.2
Issue: Remote attackers can learn the installation path of the site and access the administrative section
Author: G00db0y@zone-h.org
Vendor: http://www.imediasoftware.com/products/stellardocs/index.php

Description
***********

Zone-h Security Team has discovered a flaw in Stellar Docs v1.2 (and possibly older versions). Stellar Docs is an "incredibly easy to use online documentation manager".

Details
*******

It's possible to make a malformed HTTP request to Stellar Docs and in doing so trigger an error. The resulting error message discloses potentially sensitive installation path information to the remote attacker.

Example:

http://www.site.com/pathofstellardocs/data/fetch.php?page='

This request produces an error of this kind:

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/www/pathofstellardocs/_admin/cdb.php on line 20

Now we know where the admin directory is, so we can try to reach the administration section:

http://www.site.com/pathofstellardocs/_admin/

We are presented with a login form that accepts these default credentials:

user: admin      password: admin

There is no page to change these credentials, so the only way to change them is to edit the source code of the administration pages.

Solution:
*********

The vendor has been contacted and a patch is not yet produced.

Suggestions:
************

Filter user input in all files and change the administrator password by editing the administration pages.
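
As an added illustration, not code from the advisory or from Stellar Docs, the following hypothetical fetch.php handler shows the legacy pattern that produces the warning quoted above, beside a hardened version that validates the page parameter, uses a prepared statement, checks the query result, and keeps PHP warnings (and filesystem paths) out of the response; the table and column names are assumed.

```php
<?php
// Added example, not the Stellar Docs source. Table/column names are assumed.

// Legacy pattern implied by the advisory's error message: the raw `page`
// parameter is spliced into the SQL string, a stray quote breaks the query,
// mysql_query() returns false, and mysql_num_rows() then emits a warning
// that includes the absolute path of the script. (mysql_* was removed in PHP 7.)
function fetch_page_vulnerable($link) {
    $page   = $_GET['page'];
    $result = mysql_query("SELECT title, body FROM docs WHERE id='$page'", $link);
    if (mysql_num_rows($result) == 0) {   // warning + path disclosure when $result === false
        die('Page not found');
    }
    return mysql_fetch_assoc($result);
}

// Hardened version of the same lookup.
function fetch_page_hardened(PDO $db) {
    // 1. Never show PHP warnings (and paths) to the client; log them instead.
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');

    // 2. Validate the parameter against what it is supposed to be (an id).
    $page = filter_input(INPUT_GET, 'page', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    if ($page === false || $page === null) {
        http_response_code(400);
        return null;                      // generic response, no details
    }

    // 3. Use a prepared statement so the value can never alter the query.
    $stmt = $db->prepare('SELECT title, body FROM docs WHERE id = :id');
    $stmt->bindValue(':id', $page, PDO::PARAM_INT);

    // 4. Check the result explicitly; report failures server-side only.
    if (!$stmt->execute()) {
        error_log('docs fetch failed: ' . implode(' ', $stmt->errorInfo()));
        http_response_code(500);
        return null;
    }
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        http_response_code(404);
        return null;
    }
    return $row;
}
```

With display_errors off and log_errors on, the same malformed request yields a generic 400 to the client while the details land in the server log, which is also where a defender would look for probes of this kind.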





G00db0y - www.zone-h.org admin



Original advisory here: http://www.zone-h.org/en/advisories/read/id=2864/
