SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Portix-PHP Vendors:   Gavage, Marc
Portix-PHP Web Portal Software Discloses Files to Remote Users and Lets Remote Users Gain Administrator Access on the Portal Application
SecurityTracker Alert ID:  1003430
SecurityTracker URL:  http://securitytracker.com/id/1003430
CVE Reference:   CVE-2002-2084   (Links to External Site)
Updated:  May 20 2008
Original Entry Date:  Feb 4 2002
Impact:   Disclosure of system information, Disclosure of user information, User access via network
Exploit Included:  Yes  
Version(s): 0.4.02 and prior versions
Description:   Several vulnerabilities were reported in the Portix-PHP web portal software. A remote user can view files on the server and can gain administrator access to the portal application.

It is reported that a remote user can view files located on the server by using a URL that contains the '../' directory traversal string. For example, the following URLs will retrieve the password file:

http://[targethost]/index.php?l=../../../etc/passwd

http://[targethost]/index.php?l=forum/view.php&topic=../../../etc/passwd

It is also reported that a remote user can gain administrator access on the portal by setting their cookie to a particular value (access=ok) and then accessing the 'config.php' script. This value apparently does not change and has no expiration date.

A more complete description of the flaw is available at: (in French language)

http://balteam.multimania.com/Tuts/Portix.txt

The vendor has reportedly been notified.

Impact:   A remote user can view files located anywhere on the server with the privileges of the web server. A remote user can obtain administrative access on the portal.
Solution:   No solution was available at the time of this entry.
Vendor URL:  marc.gavage.com/portix/index.php (Links to External Site)
Cause:   Authentication error, Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)
Underlying OS Comments:  PHP-based

Message History:   None.


 Source Message Contents

Subject:  Big Security Holes in Portix-PHP Portal




On all version. The last one is 0.4.02 .

To view files in the hard disk :

www.hostportix.com/index.php?l=../../../etc/passwd

www.hostportix.com/index.php?
l=forum/view.php&topic=../../../etc/passwd

To be administrator :
Send the cookie name=access value=ok 
to /config/config.php .

Portix team has been alerted.

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC