Multiple Web Applications | Full Path Disclosure

2011.01.29
Risk: Low
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

The following web applications are found to have full path disclosure flaws (Ref: WASC-13, CWE-200).

-----------------------------------------
htmlpurifier-4.2.0
phpids-0.6.5
PhpSecInfo
111WebCalendar-1.2.3
adodb
aef-1.0.8
ATutor-2.0
auth
b2evolution-3.3.3
bbpress-1.0.2
cftp-r80
claroline-1.9.7
clipbucket_2.0.9_stable_Fr
cmsmadesimple-1.9.2
CodeIgniter_1.7.2
concrete5.4.0.5
concrete5.4.1.1
CopperminePhotoGallery-1.5.12
craftysyntax3.0.2
CubeCart-4.4.3
dokuwiki-2009-12-25c
Dolphin-7.0.4
dotproject-2.1.4
drupal-7.0
e107_0.7.24
eggblog_4.1.2
elgg-1.7.6
ExoPHPDesk_1.2.1
eyeOS-2.2.0.0
fengoffice_1.7.2
freeway_1_5_alpha_Burstow
frontaccounting-2.3.1
helpcenterlive-2.1.7
hesk-2.2
jcow.4.2.1
joomla-1.6.0
kamads-2_b3
kplaylist.1.8.502
lifetype-1.2.10
limesurvey190plus-build9642-20101214
linpha-1.3.4
mambo-4.6.5
mantisbt-1.2.4
moodle-2.0.1
mound-2.1.6
mybb-1.6
nucleus3.61
NuSOAP
open-realty-2.5.8
OpenBlog-1.2.1
opencart_v1.4.9.3
opendocman-1.2.6-svn-2011-01-21
orangehrm-2.6.0.2
oscommerce-3.0a5
phorum-5.2.15a
PHP-Easy-Survey-Package-2.1.1
PHP-Nuke-8.0
PHP-Point-Of-Sale-10.7
phpads-2.0
phpAlbum_v0.4.1.14.fix06
phpBook-2.1.0
phpcollab-2.5
PHPDevShell-V3.0.0-Beta-4b
PHPfileNavigator-2.3.3
phpFormGen-2.09
phpfreechat-1.3
PhpGedView-all-4.2.3
phpicalendar-2.4
phpld-2-151.2.0
phpmyfaq-2.6.13
phprojekt-6.0.5
phpScheduleIt_1.2.12
phpwcms-1.4.7r412
piwigo-2.1.5
piwik-1.1
pixelpost_v1.7.3
pixie_v1.04
PliggCMS1.1.3
podcastgen1.3
prestashop_1.4.0.6
projectpier-0.8.0.3
serendipity-1.5.5
Smarty
statusnet-0.9.6
SugarCRM-6.1.0
taskfreak-multi-mysql-0.6
tcexam_11.1.015
textpattern-4.2.0
thebuggenie_2.1.2
theHostingTool-v1.2.3
TinyMCE
TinyWebGallery-1.8.3
tomatocart-1.1.3
vanilla-2.0.16
WebCalendar-1.2.3
WeBid-1.0.0
webinsta-mail-list-1.3e
WebsiteBaker_2.8.1
wordpress-3.0.4
xajax
xoops-2.5.0
YOURS
Zend
zikula-1.2.4
------------------------------------------------

Vulnerable files list for each application can be found at:

http://yehg.net/lab/pr0js/advisories/path_disclosure/
http://yehg.net/lab/pr0js/advisories/path_disclosure.zip

Solution:

Turn PHP's display_errors setting off. For those who manage servers, set display_errors to 'Off' in the php.ini file. For those who don't, simply put "php_flag display_errors off" in the .htaccess file of the web root directory (unless it is restricted by php_admin_flag).

---------------------------------
Best regards,
YGN Ethical Hacker Group
Yangon, Myanmar
http://yehg.net
Our Lab | http://yehg.net/lab
Our Directory | http://yehg.net/hwd
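An added example (not part of the original advisory): a small Python check that works out which of the settings named in the Solution actually decides display_errors, including the php_admin_flag case where the .htaccess line has no effect. It assumes mod_php-style php_flag/php_admin_flag handling; the function names and sample config strings are constructed for illustration.

```python
# Model of where display_errors can be set, highest precedence first:
#   php_admin_flag (server/vhost config) > php_flag (.htaccess) > php.ini > default.
# Simplified (assumption): runtime ini_set() calls and php_value lines are not modelled.

INI_OFF = {"off", "0", "no", "false", "none", ""}  # anything else is treated as "shown"

def ini_value(text):
    """Last display_errors assignment in php.ini text, or None if absent."""
    value = None
    for line in text.splitlines():
        key, sep, val = line.split(";", 1)[0].partition("=")
        if sep and key.strip() == "display_errors":
            value = val.strip().strip("\"'")
    return value

def apache_flag(text, directive):
    """Last '<directive> display_errors <value>' line in Apache config text, or None."""
    value = None
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) == 3 and parts[0].lower() == directive and parts[1] == "display_errors":
            value = parts[2].strip("\"'")
    return value

def flag_on(value):
    # php_flag / php_admin_flag treat only "On" and "1" as true.
    return value.lower() in ("on", "1")

def effective_display_errors(php_ini="", vhost="", htaccess=""):
    """Return (errors_shown, deciding_source) for the three config texts."""
    admin = apache_flag(vhost, "php_admin_flag")
    if admin is not None:          # .htaccess cannot override an admin flag
        return flag_on(admin), "php_admin_flag"
    flag = apache_flag(htaccess, "php_flag")
    if flag is not None:
        return flag_on(flag), "php_flag"
    ini = ini_value(php_ini)
    if ini is not None:
        return ini.lower() not in INI_OFF, "php.ini"
    return True, "default"         # PHP's compiled-in default is display_errors=1

# Constructed sample inputs (not taken from any listed application).
SAMPLE_INI = "; constructed sample\ndisplay_errors = On\n"
SAMPLE_HTACCESS = "php_flag display_errors off\n"
SAMPLE_VHOST = "php_admin_flag display_errors on\n"

if __name__ == "__main__":
    print(effective_display_errors(SAMPLE_INI, "", SAMPLE_HTACCESS))
    print(effective_display_errors(SAMPLE_INI, SAMPLE_VHOST, SAMPLE_HTACCESS))
```

A result of True means PHP error messages, and with them full filesystem paths, can still reach the HTTP response.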

References:

http://yehg.net/lab/pr0js/advisories/path_disclosure/

