COMMAND

    XOOPS path disclosure

SYSTEMS AFFECTED

    XOOPS VERSIONS: v2.0 (and prior ?)

PROBLEM

    Grégory Le Bras aka GaLiaRePt [http://www.Security-Corporation.com],
    Security Corporation Security Advisory [SCSA-011] :
    http://www.security-corporation.com/index.php?id=advisories&a=011-FR

    DESCRIPTION
    ________________________________________________________________________

    XOOPS is "a dynamic OO (Object Oriented) based open source portal script
    written in PHP. XOOPS is the ideal tool for developing small to large
    dynamic community websites, intra company portals, corporate portals,
    weblogs and much more." (direct quote from XOOPS website)

    DETAILS & EXPLOITS
    ________________________________________________________________________

    ¤ Details

    Path Disclosure :

    A vulnerability has been found in XOOPS which allows attackers to
    determine the physical path of the application. This vulnerability
    would allow a remote user to determine the full path to the web root
    directory and other potentially sensitive information.

    This vulnerability can be triggered by a remote user submitting a
    specially crafted HTTP request including invalid input to the
    "$xoopsOption" variable.

    ¤ Exploits

    Path Disclosure :

    http://[target]/index.php?xoopsOption=any_word

    Affected files:

    admin.php
    edituser.php
    footer.php
    header.php
    image.php
    lostpass.php
    pmlite.php
    readpmsg.php
    register.php
    search.php
    user.php
    userinfo.php
    viewpmsg.php
    class/xoopsblock.php
    modules/contact/index.php
    modules/mydownloads/index.php
    modules/mydownloads/brokenfile.php
    modules/mydownloads/modfile.php
    modules/mydownloads/ratefile.php
    modules/mydownloads/singlefile.php
    modules/mydownloads/submit.php
    modules/mydownloads/topten.php
    modules/mydownloads/viewcat.php
    modules/mylinks/brokenlink.php
    modules/mylinks/index.php
    modules/mylinks/modlink.php
    modules/mylinks/ratelink.php
    modules/mylinks/singlelink.php
    modules/mylinks/submit.php
    modules/mylinks/topten.php
    modules/mylinks/viewcat.php
    modules/newbb/index.php
    modules/newbb/search.php
    modules/newbb/viewforum.php
    modules/newbb/viewtopic.php
    modules/news/archive.php
    modules/news/article.php
    modules/news/index.php
    modules/sections/index.php
    modules/system/admin.php
    modules/xoopsfaq/index.php
    modules/xoopsheadlines/index.php
    modules/xoopsmembers/index.php
    modules/xoopspartners/index.php
    modules/xoopspartners/join.php
    modules/xoopspoll/index.php
    modules/xoopspoll/pollresults.php

SOLUTION

    None yet
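Since no fix is available, a site operator's practical option is to watch the access log for the request pattern the advisory describes: a query string that supplies the "$xoopsOption" variable to one of the listed files. The script below is an added detection example, not part of the advisory or of XOOPS. It assumes Apache/nginx combined log format and that XOOPS is installed under the URL prefix /xoops/ (both adjustable); the log lines are constructed samples. It also generalizes slightly beyond the advisory's plain form by matching the parameter case-insensitively and in PHP array syntax (xoopsOption[...]), and it records whether the requested file is one the advisory lists so that hits on unlisted files can be triaged separately.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Files the advisory lists as affected, relative to the XOOPS install root.
# index.php is included as well because the advisory's example request targets it.
AFFECTED_FILES = frozenset([
    "index.php",
    "admin.php", "edituser.php", "footer.php", "header.php", "image.php",
    "lostpass.php", "pmlite.php", "readpmsg.php", "register.php", "search.php",
    "user.php", "userinfo.php", "viewpmsg.php", "class/xoopsblock.php",
    "modules/contact/index.php",
    "modules/mydownloads/index.php", "modules/mydownloads/brokenfile.php",
    "modules/mydownloads/modfile.php", "modules/mydownloads/ratefile.php",
    "modules/mydownloads/singlefile.php", "modules/mydownloads/submit.php",
    "modules/mydownloads/topten.php", "modules/mydownloads/viewcat.php",
    "modules/mylinks/brokenlink.php", "modules/mylinks/index.php",
    "modules/mylinks/modlink.php", "modules/mylinks/ratelink.php",
    "modules/mylinks/singlelink.php", "modules/mylinks/submit.php",
    "modules/mylinks/topten.php", "modules/mylinks/viewcat.php",
    "modules/newbb/index.php", "modules/newbb/search.php",
    "modules/newbb/viewforum.php", "modules/newbb/viewtopic.php",
    "modules/news/archive.php", "modules/news/article.php",
    "modules/news/index.php", "modules/sections/index.php",
    "modules/system/admin.php", "modules/xoopsfaq/index.php",
    "modules/xoopsheadlines/index.php", "modules/xoopsmembers/index.php",
    "modules/xoopspartners/index.php", "modules/xoopspartners/join.php",
    "modules/xoopspoll/index.php", "modules/xoopspoll/pollresults.php",
])

# Combined log format: client ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+)(?: \S+)?" (?P<status>\d{3}) \S+'
)

# Constructed sample log (not real traffic). Timestamps and addresses are made up.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2003:14:02:11 +0100] "GET /xoops/index.php?xoopsOption=any_word HTTP/1.1" 200 5123 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2003:14:02:15 +0100] "GET /xoops/modules/news/index.php?XoopsOption=foo HTTP/1.1" 200 4811 "-" "Mozilla/4.0"
198.51.100.3 - - [10/Mar/2003:14:05:42 +0100] "GET /xoops/modules/news/index.php?storytopic=2 HTTP/1.1" 200 7320 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Mar/2003:14:06:01 +0100] "GET /xoops/user.php?xoopsOption[pagetype]=x HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
192.0.2.9 - - [10/Mar/2003:14:07:30 +0100] "POST /xoops/register.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.3 - - [10/Mar/2003:14:09:12 +0100] "GET /xoops/modules/foo/index.php?xoopsOption=1 HTTP/1.1" 200 900 "-" "Mozilla/4.0"
"""


def _injected_option(query):
    """Return the value sent for xoopsOption, or None. Matches the name
    case-insensitively and also the array form xoopsOption[...] (a
    generalization beyond the advisory's plain xoopsOption=... form)."""
    for key, values in parse_qs(query, keep_blank_values=True).items():
        if key.split("[", 1)[0].lower() == "xoopsoption":
            return values[0]
    return None


def classify_line(line, install_prefix="/xoops/"):
    """Parse one access-log line and return a finding dict when the request
    supplies xoopsOption in its query string, else None.
    install_prefix is the URL path XOOPS is installed under (assumption)."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(install_prefix):
        return None
    value = _injected_option(parts.query)
    if value is None:
        return None
    relative = parts.path[len(install_prefix):]
    return {
        "client": m.group("client"),
        "time": m.group("time"),
        "file": relative,
        "value": value,
        "status": int(m.group("status")),
        "listed_in_advisory": relative in AFFECTED_FILES,
    }


def scan_log(text, install_prefix="/xoops/"):
    """Return findings for every line in the log text that matches the pattern."""
    return [f for f in (classify_line(l, install_prefix) for l in text.splitlines()) if f]


def count_by_client(findings):
    """Aggregate findings per client address, useful for spotting a single
    source probing many of the listed files."""
    counts = {}
    for f in findings:
        counts[f["client"]] = counts.get(f["client"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        flag = "listed" if h["listed_in_advisory"] else "unlisted"
        print(f'{h["time"]} {h["client"]} {h["file"]} xoopsOption={h["value"]!r} ({flag})')
    print("per client:", count_by_client(hits))
```

Run against a real log with `scan_log(open(path).read(), install_prefix="/")` if XOOPS sits at the web root. Status codes are deliberately not used as a filter: a request that provokes a PHP warning still typically returns 200, so the query-string match is the reliable signal.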